stormkitty | hxxps://www[.]mediafire[.]com/file/na2x8kiftzlsryv/XClient[.]zip/file

Resubmissions

25-12-2024 19:05

241225-xrzb3atjez 10

25-12-2024 19:02

241225-xpzj2stlgm 10

Analysis

max time kernel
642s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/na2x8kiftzlsryv/XClient.zip/file

Score

10^/10

stormkitty xworm discovery persistence phishing rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

147.185.221.24:45691

Mutex

IrBmNQz2dAEtRA4q

Attributes

Install_directory
%Public%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4840-331-0x0000000000F90000-0x0000000000FA0000-memory.dmp	family_xworm
behavioral1/files/0x0008000000023d39-341.dat	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/4840-530-0x000000001E900000-0x000000001EA20000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 8 IoCs

pid	Process
3980	XClient.exe
3564	XClient.exe
4972	XClient.exe
5112	XClient.exe
3980	XClient.exe
940	XClient.exe
4300	XClient.exe
4532	XClient.exe

Loads dropped DLL 2 IoCs

pid	Process
4840	XClient.exe
4840	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Public\\XClient.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
199	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5056	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133796271727605445"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4840	XClient.exe
2280	msedge.exe
2280	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
3824	identity_helper.exe
3824	identity_helper.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe
4840	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4840	XClient.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeDebugPrivilege	4840	XClient.exe
Token: SeDebugPrivilege	4840	XClient.exe
Token: SeDebugPrivilege	4388	XClient.exe
Token: SeDebugPrivilege	3288	XClient.exe
Token: SeDebugPrivilege	4680	XClient.exe
Token: SeDebugPrivilege	3980	XClient.exe
Token: SeDebugPrivilege	4940	XClient.exe
Token: SeDebugPrivilege	972	XClient.exe
Token: SeDebugPrivilege	4528	XClient.exe
Token: SeDebugPrivilege	1076	XClient.exe
Token: SeDebugPrivilege	4376	XClient.exe
Token: SeDebugPrivilege	3472	XClient.exe
Token: SeDebugPrivilege	2388	XClient.exe
Token: SeDebugPrivilege	4232	XClient.exe
Token: SeDebugPrivilege	2772	XClient.exe
Token: SeDebugPrivilege	228	XClient.exe
Token: SeDebugPrivilege	2304	XClient.exe
Token: SeDebugPrivilege	4008	XClient.exe
Token: SeDebugPrivilege	4772	XClient.exe
Token: SeDebugPrivilege	4836	XClient.exe
Token: SeDebugPrivilege	100	XClient.exe
Token: SeDebugPrivilege	2944	XClient.exe
Token: SeDebugPrivilege	3520	XClient.exe
Token: SeDebugPrivilege	3888	XClient.exe
Token: SeDebugPrivilege	3740	XClient.exe
Token: SeDebugPrivilege	4160	XClient.exe
Token: SeDebugPrivilege	508	XClient.exe
Token: SeDebugPrivilege	5108	XClient.exe
Token: SeDebugPrivilege	1812	XClient.exe
Token: SeDebugPrivilege	3564	XClient.exe
Token: SeDebugPrivilege	4972	XClient.exe
Token: SeDebugPrivilege	5112	XClient.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4840	XClient.exe
2844	wordpad.exe
2844	wordpad.exe
2844	wordpad.exe
2844	wordpad.exe
2844	wordpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 4416	4260	chrome.exe	82
PID 4260 wrote to memory of 4416	4260	chrome.exe	82
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 1256	4260	chrome.exe	83
PID 4260 wrote to memory of 464	4260	chrome.exe	84
PID 4260 wrote to memory of 464	4260	chrome.exe	84
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85
PID 4260 wrote to memory of 548	4260	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file/na2x8kiftzlsryv/XClient.zip/file
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc13cbcc40,0x7ffc13cbcc4c,0x7ffc13cbcc58
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1716,i,4024238993833593119,663859742585246629,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1712 /prefetch:2
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,4024238993833593119,663859742585246629,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,4024238993833593119,663859742585246629,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,4024238993833593119,663859742585246629,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,4024238993833593119,663859742585246629,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4764,i,4024238993833593119,663859742585246629,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4800,i,4024238993833593119,663859742585246629,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5516,i,4024238993833593119,663859742585246629,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5620,i,4024238993833593119,663859742585246629,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4788,i,4024238993833593119,663859742585246629,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4660,i,4024238993833593119,663859742585246629,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:3584

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:940

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4840
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Public\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4836
- C:\Windows\SYSTEM32\CMD.EXE
  "CMD.EXE"
  2⤵
  PID:940
- - C:\Windows\system32\help.exe
    help
    3⤵
    PID:4616
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
  2⤵
  PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC153.tmp.bat""
  2⤵
  PID:1868
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:5056

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:100

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc136346f8,0x7ffc13634708,0x7ffc13634718
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,10511214670194453671,4223410919652685815,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2240

C:\Program Files\Windows NT\Accessories\wordpad.exe
"C:\Program Files\Windows NT\Accessories\wordpad.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4188

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x320
1⤵
PID:1088

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:940

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:4300

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1fd2bcf7be677e004a5421b78e261340

SHA1
4e5abd04329ee1ffaebe9c04b67deef17f89ff84

SHA256
f539c848f584add20b43d5daefd614526b67adbf22b0c89eaa7802a8a653cd31

SHA512
929499946e38281bd808b37b362c4a86f3b6382eb1ecd5fc094410d3688906d14a114ca930a2cf38b6241ab734bc5959e6fe541270d47ca9538e82a68c99cc77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7b5a6b1acea8a83bd88a4fb33140be63

SHA1
72817ce4df15c43fecf995a02b67f959fdaaa5f2

SHA256
228c2f9f27fd0147af308078215a4840d137e6bb3de5be3c278c111d6eae6ea0

SHA512
f247a89258d7444c5e73c0d77791d7e18e6d3dcec4b287d307146182534457d64ae9427e7aa85491647745dbf8432ad7d0195340d636f09a77b0bcb75085eb8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6a2a2a1447cff9e00d06f595df9bc837

SHA1
cf03796ddf5a60b89faeab5198a370d0a5a4b770

SHA256
8c37deb74ff4a88204f78b5fd037caf5164f6cf63488617931964a4e6cc49b16

SHA512
445313ac8c8b7dfd9038f2a07f40ccf800a894c7e3514366e2b59435da42d1b83885fc2fab6a915bf5cc76a9a50635bd7566730de8880d1623bfbbf144a3616e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
256KB

MD5
ef9d03e32f2eb7ce380416b0e5705a3b

SHA1
caefe00f34ef02e11d27512ab0b44266f47a111b

SHA256
21b8c972b07869b7be68e2cad696a56ab16187941bffe24b045fe150e2a4c055

SHA512
4b7c62c7705cc65ca14211055bde3f6a1ba08b2a9a6cf10f1b07ebceff75d51858e194bce0a4a796b981fc2a902a85429edd6285e4c7d9949f7f1f820d7cae49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
36KB

MD5
3b2cf0c7815cdd86962d5b09547f3e62

SHA1
47252e4bb7b5483ad4872047a741fb900094a3cf

SHA256
4cd8d627d698777bb07265eceb441624075dedc642ba144763d78921ccb02258

SHA512
375fb528a0c8f58c881cfb29bc42353bddcdff4e87c2def53a72f5581c84cc6981a8486b315ca022bd4e8680eda4acc84b5bf922a0bc7ab5b668e07128757cfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
131bc2d006501ef1a32e024092b1e273

SHA1
0866c46d3165e93d47fa483f7856f769eef4e3a4

SHA256
6972481309e17137a9ff25ec120f99cff1da0633556fdcc8c50b6e307a633b84

SHA512
3f2b94d647e5f31fb837af843b0de149a5ee730cd5f2082396a1ec5c50e7bc5c5ddece478be9cc9dcbd0ef07107cf33180ffc78e1865bec8b8cb77437545ac25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
33d7542b6744afa6dc04370b7a3464bd

SHA1
7e31c80d254680ce504d43993c29e430dd9fb646

SHA256
4b99272b8cbf4029fe41a40314473e1a6985edcb98f81002feb6af67415c016f

SHA512
d9b1a6719d2795f856f33fce56ca60c11741df4a0a3dd44ecf9275a10ff72003bc6e3d27fb16a2330e5db42343344e8b469ad84975a4dcee2dac3be5816d3250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7a6b01f02ab61fbeeb026c9d801e77ae

SHA1
c29b9216a64673d0eb4f2c79d2d2dd9b1abbe7ca

SHA256
d3c83144a569994a96ab1f2f452961d719dd99e47622660e8b999fd1d8598e87

SHA512
eb77607630fb49cd6311082b9766945afe0112eebd2317a9d5e60c1c640d2c2bd00a1e42f3f7ca60f2a6ba157cb01f4608eee609b65b9f8eb5b3d03cd977cc4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
688e2ab0098d0b76c221eac56d463cb2

SHA1
4b4fa62b3c33aeecf04a030b44ec6cfc49713d02

SHA256
0d5d566f6a8f352784f3fd60b79ecd8491241f672bb3c068d37ef3543bba5c1b

SHA512
f75f89dd47ca5d11963e3fccd48890f40e90aacc1731d11c465d4f1bf8873d580467dda4c55af74a9fcca3daffbe846fecd247708e613522bfbc5e2be89aa18c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
88db17fba90d3257ed6cd19e6529a662

SHA1
5cef00326e6bbaa6c8560b98ee089b0d16d32382

SHA256
63165f539c7d8b1c0b7c699f49ba1fcde459fbc89aaaba9da815171fa03129cb

SHA512
d0f5c84d0ece77a8c9273676535e2bca55f6ce79ed84dcdcc8e1aa4092ba0083dc24d8a1e79949dadbbf051f907d10fc15ea343a6a567b526551f5105bb8a8fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
58915811e4f7d256c5ead4138e1cca80

SHA1
ca13a97d850984b7d77c4b4d645f0b7860bef3d9

SHA256
2ed5bf777b41e5542801450a0cc6a1a7a067ba99104d652e8bec4cdbf9697103

SHA512
0e379d826fc7ea1b64935669d64bb7cef036896ef9a9df728a62d3c00344b7e6afabbf7cbe53816514bee9198e7e6f276f1e8335faa907991e2b5beab56da87c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
11e0da3c2d9875b410e1c5d5ac47db59

SHA1
df03e1a6c7e2314d9799600caaeefd2b18175176

SHA256
34952d371e72fdb8c9194438019aebc059f42a5472aaf5710a739d4a803d78e6

SHA512
f2594f4dd956bb1ff62ff330ce81820ed16db77e8bb6f4179121e8c8d3225121e3b79228ad7a94cbb173c05067a1221bf7d097d7089e212063b0fe7a5f21e97a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1dada0bba30482f6aa1aa230c82a6df5

SHA1
618655f94753f0e49ac2ca0daad89847dfd81c6c

SHA256
438f5735f83568e2280ab59fd324c2b1b0c66c4a94bde9466ddfa7e971ce016b

SHA512
4c98b7c023b62d8e6fac95b3f974051d9d9b57bccbaa4d4be83b8d53155136be59a2ea0731ef37ae83f0d1fcd376f04f9095dbe030bff65a3a2250df91229ab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b8a1fd244f250623612e68224743f5ba

SHA1
44445c6e724a61749b1e3a109f202afaecb46eb1

SHA256
e142fbe2fc1959a41c13200122ba496033103978e9f845622938b0d0cc035718

SHA512
5bc8d042794a4f687954fd49a00f27ff4ecdd22ada8c1838cecfcb97652823f6f3bbe49d2a84ce2f2e53598c4548fa1a83b7290df6cd5cefc4c48419e6f79eee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea8676f292bcb68688f24bcf28ced669

SHA1
1221ddf0f118f13d2265ebacf7e6f27f615dad91

SHA256
c8141e3eb2ef2bafaf158e845cf9e489d8fdbe680cb1fe2b5e336b3ba5d58c37

SHA512
646d45546d8fdb6e9f5f70bb1494fff101565daf451498d37f37747496e5ebd295c619c522e5797386d44f4ef623af536e44241a10d15fb898ca0ccc9aacf68c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bf808572c1d39657cdad07d443d84811

SHA1
e4047ccecd1811e7f137a77e0ff83e087cc48e7e

SHA256
127d9a1855e9de9610f05c8341d4ac5d22879081a4a29c05bd1fd87e88d8e925

SHA512
8e43451e236f76784d33a4a05a9ee04d0a7d612710db4187550b33812f8b83f9a491748c74a75e74566cbffa59392a08522bf36db7fe0684602a3402afb4f1d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3cc2994ff9d75c81342a878e6b7fcc64

SHA1
1f78558a1cce0125acccc873009f94995a5a0c3a

SHA256
6fc4f2839ad47771441dd217ab256747d57efbe272813d04eef95d27677f7aea

SHA512
a47cbf8fac4a6629d74fecc77983163878c84b7ba57d17de96ef94581f987cdaa45b97b0ad016a4b4121caa87c862fed94e203f9d5f37d1334d38c6c7eef5631

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB764.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC153.tmp.bat

Filesize
148B

MD5
614542cdb5fc774f4593c7a6c50f2c6b

SHA1
81d6679cc661ef389cf0a2561d750ae6908032dd

SHA256
00e19ac2ec36a7f628545bcdf6f7f588fee24b3ba00a66e68b7cb33d21432403

SHA512
7c61117e8f476f75bca3090824e139747890ec1a45dccc25344f04bdcfe533f8aeda256d075523a3cd4f0dbd6b4bda3f6933887f4d2de4baec6f6ce325b0a254

Download Submit
C:\Users\Public\XClient.exe

Filesize
40KB

MD5
3d041e688978fba193da36a83afbaa08

SHA1
f3421df6c9158eb3179982579e87ca5a90868251

SHA256
08173a11d60c0dd4882797df0ae48014b4e04d7835369cf54310aca501e64fdc

SHA512
ac59f053ec4fc81633a608cf4a0864fbe6c1ad910b2f820b6873b85df90cd5c60646a1b3f65e5ca5fd85dedcc536b2022a2399d016175c9de32dea67d5e1c0cb

Download Submit
memory/4840-512-0x000000001C4F0000-0x000000001C4FA000-memory.dmp

Filesize
40KB

Download
memory/4840-575-0x000000001D100000-0x000000001D10A000-memory.dmp

Filesize
40KB

Download
memory/4840-349-0x000000001E5B0000-0x000000001E900000-memory.dmp

Filesize
3.3MB

Download
memory/4840-421-0x000000001BEF0000-0x000000001BEFC000-memory.dmp

Filesize
48KB

Download
memory/4840-343-0x000000001D500000-0x000000001D53A000-memory.dmp

Filesize
232KB

Download
memory/4840-340-0x00007FFC04180000-0x00007FFC04C41000-memory.dmp

Filesize
10.8MB

Download
memory/4840-507-0x000000001C520000-0x000000001C5AE000-memory.dmp

Filesize
568KB

Download
memory/4840-337-0x00007FFC04183000-0x00007FFC04185000-memory.dmp

Filesize
8KB

Download
memory/4840-332-0x00007FFC04180000-0x00007FFC04C41000-memory.dmp

Filesize
10.8MB

Download
memory/4840-351-0x000000001BEE0000-0x000000001BEEC000-memory.dmp

Filesize
48KB

Download
memory/4840-509-0x000000001C420000-0x000000001C4AE000-memory.dmp

Filesize
568KB

Download
memory/4840-513-0x000000001C5D0000-0x000000001C5E2000-memory.dmp

Filesize
72KB

Download
memory/4840-530-0x000000001E900000-0x000000001EA20000-memory.dmp

Filesize
1.1MB

Download
memory/4840-331-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/4840-330-0x00007FFC04183000-0x00007FFC04185000-memory.dmp

Filesize
8KB

Download
memory/4840-572-0x000000001D6C0000-0x000000001D6E2000-memory.dmp

Filesize
136KB

Download
memory/4840-573-0x000000001C510000-0x000000001C51A000-memory.dmp

Filesize
40KB

Download
memory/4840-511-0x000000001C4E0000-0x000000001C4EA000-memory.dmp

Filesize
40KB

Download
memory/4840-585-0x00007FFC04180000-0x00007FFC04C41000-memory.dmp

Filesize
10.8MB

Download
memory/4840-510-0x000000001C4B0000-0x000000001C4E6000-memory.dmp

Filesize
216KB

Download