stormkitty | 8d59ef4f887ea68153faebb1ac97e69319087ff059903d4b26d1961828a8cbca

Analysis

max time kernel
85s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quest mod installer.exe
Size

176KB
MD5

ed369f4bf4345b9a0680f904495cd101
SHA1

6dceb43de613608cc8468998605eb4b7836b2412
SHA256

8d59ef4f887ea68153faebb1ac97e69319087ff059903d4b26d1961828a8cbca
SHA512

48b4f2b3a87b76985d6c1b513fa261c822ffd4ae5aa9f8b9cbd9e8dafa684bc0a4cb23a16b8202bd33717a3834c1b54ef9266ca1e27db251dc83752c54eb4761
SSDEEP

3072:gNOFXeivN1tvdibFsmIlOo2FzRbSHNBz65/M6If+3Js+3JFkKeTno:g05vNwbFGHNxBt25

Score

10^/10

stormkitty xworm discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:53655

147.185.221.24::53655

147.185.221.24:53655

topics-properties.gl.at.ply.gg:53655

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/2776-1-0x0000000000130000-0x0000000000162000-memory.dmp	family_xworm
behavioral1/files/0x000900000001211a-44.dat	family_xworm
behavioral1/memory/2148-46-0x0000000000D50000-0x0000000000D82000-memory.dmp	family_xworm
behavioral1/memory/3708-459-0x0000000000090000-0x00000000000C2000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2776-415-0x000000001D480000-0x000000001D5A0000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe
3048	powershell.exe
588	powershell.exe
2380	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	quest mod installer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	quest mod installer.exe

Executes dropped EXE 1 IoCs

pid	Process
2148	XClient.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2732	powershell.exe
3048	powershell.exe
588	powershell.exe
2380	powershell.exe
2776	quest mod installer.exe
2776	quest mod installer.exe
2776	quest mod installer.exe
2776	quest mod installer.exe
2776	quest mod installer.exe
2776	quest mod installer.exe
2776	quest mod installer.exe
2776	quest mod installer.exe
2776	quest mod installer.exe
2776	quest mod installer.exe
2648	powershell.exe
1616	chrome.exe
1616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	quest mod installer.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2776	quest mod installer.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2148	XClient.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2776	quest mod installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2732	2776	quest mod installer.exe	31
PID 2776 wrote to memory of 2732	2776	quest mod installer.exe	31
PID 2776 wrote to memory of 2732	2776	quest mod installer.exe	31
PID 2776 wrote to memory of 3048	2776	quest mod installer.exe	33
PID 2776 wrote to memory of 3048	2776	quest mod installer.exe	33
PID 2776 wrote to memory of 3048	2776	quest mod installer.exe	33
PID 2776 wrote to memory of 588	2776	quest mod installer.exe	35
PID 2776 wrote to memory of 588	2776	quest mod installer.exe	35
PID 2776 wrote to memory of 588	2776	quest mod installer.exe	35
PID 2776 wrote to memory of 2380	2776	quest mod installer.exe	37
PID 2776 wrote to memory of 2380	2776	quest mod installer.exe	37
PID 2776 wrote to memory of 2380	2776	quest mod installer.exe	37
PID 2776 wrote to memory of 2852	2776	quest mod installer.exe	39
PID 2776 wrote to memory of 2852	2776	quest mod installer.exe	39
PID 2776 wrote to memory of 2852	2776	quest mod installer.exe	39
PID 2776 wrote to memory of 2648	2776	quest mod installer.exe	44
PID 2776 wrote to memory of 2648	2776	quest mod installer.exe	44
PID 2776 wrote to memory of 2648	2776	quest mod installer.exe	44
PID 1696 wrote to memory of 2148	1696	taskeng.exe	48
PID 1696 wrote to memory of 2148	1696	taskeng.exe	48
PID 1696 wrote to memory of 2148	1696	taskeng.exe	48
PID 2776 wrote to memory of 1616	2776	quest mod installer.exe	49
PID 2776 wrote to memory of 1616	2776	quest mod installer.exe	49
PID 2776 wrote to memory of 1616	2776	quest mod installer.exe	49
PID 1616 wrote to memory of 600	1616	chrome.exe	50
PID 1616 wrote to memory of 600	1616	chrome.exe	50
PID 1616 wrote to memory of 600	1616	chrome.exe	50
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51
PID 1616 wrote to memory of 1888	1616	chrome.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\quest mod installer.exe
"C:\Users\Admin\AppData\Local\Temp\quest mod installer.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\quest mod installer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'quest mod installer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --mute-audio --disable-audio --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7feedea9758,0x7feedea9768,0x7feedea9778
    3⤵
    PID:600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1208 --field-trial-handle=1316,i,14279310188401755734,12861227223155675725,131072 /prefetch:2
    3⤵
    PID:1888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=1468 --field-trial-handle=1316,i,14279310188401755734,12861227223155675725,131072 /prefetch:8
    3⤵
    PID:2876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=1516 --field-trial-handle=1316,i,14279310188401755734,12861227223155675725,131072 /prefetch:8
    3⤵
    PID:588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --display-capture-permissions-policy-allowed --first-renderer-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2012 --field-trial-handle=1316,i,14279310188401755734,12861227223155675725,131072 /prefetch:1
    3⤵
    PID:1548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2020 --field-trial-handle=1316,i,14279310188401755734,12861227223155675725,131072 /prefetch:1
    3⤵
    PID:2212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --disable-3d-apis --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2888 --field-trial-handle=1316,i,14279310188401755734,12861227223155675725,131072 /prefetch:1
    3⤵
    PID:2368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=3960 --field-trial-handle=1316,i,14279310188401755734,12861227223155675725,131072 /prefetch:8
    3⤵
    PID:2500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=3872 --field-trial-handle=1316,i,14279310188401755734,12861227223155675725,131072 /prefetch:8
    3⤵
    PID:3392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=3908 --field-trial-handle=1316,i,14279310188401755734,12861227223155675725,131072 /prefetch:8
    3⤵
    PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --mute-audio --disable-audio --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data"
  2⤵
  - Enumerates system info in registry
  PID:1544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7feedea9758,0x7feedea9768,0x7feedea9778
    3⤵
    PID:780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1176 --field-trial-handle=1280,i,12447058375941698952,11030123966023691483,131072 /prefetch:2
    3⤵
    PID:2248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=1444 --field-trial-handle=1280,i,12447058375941698952,11030123966023691483,131072 /prefetch:8
    3⤵
    PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --mute-audio --disable-audio --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data"
  2⤵
  - Enumerates system info in registry
  PID:1748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7feedea9758,0x7feedea9768,0x7feedea9778
    3⤵
    PID:2888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1136 --field-trial-handle=1324,i,16151956784458378099,7152349070925702353,131072 /prefetch:2
    3⤵
    PID:3624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=1448 --field-trial-handle=1324,i,16151956784458378099,7152349070925702353,131072 /prefetch:8
    3⤵
    PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --mute-audio --disable-audio --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data"
  2⤵
  - Enumerates system info in registry
  PID:448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7feedea9758,0x7feedea9768,0x7feedea9778
    3⤵
    PID:768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1160 --field-trial-handle=1248,i,595927834391273464,14340832941540334067,131072 /prefetch:2
    3⤵
    PID:2660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=1428 --field-trial-handle=1248,i,595927834391273464,14340832941540334067,131072 /prefetch:8
    3⤵
    PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --mute-audio --disable-audio --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data"
  2⤵
  - Enumerates system info in registry
  PID:2388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7feedea9758,0x7feedea9768,0x7feedea9778
    3⤵
    PID:2232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1156 --field-trial-handle=1304,i,15032438140861958085,4127738651380749266,131072 /prefetch:2
    3⤵
    PID:3440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data" --mojo-platform-channel-handle=1288 --field-trial-handle=1304,i,15032438140861958085,4127738651380749266,131072 /prefetch:8
    3⤵
    PID:3448

C:\Windows\system32\ctfmon.exe
ctfmon.exe
1⤵
PID:2724

C:\Windows\system32\taskeng.exe
taskeng.exe {9E952263-07FC-41AC-B9BF-2E50E4C07550} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  PID:3708

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\422eaab2-cec6-4e8d-9fd7-3d1c8d96b8f2.tmp

Filesize
170KB

MD5
669c5f4aa711d4ea5b8cb4038787aff5

SHA1
aab854e984dac2a93bd725fb4b35e10b0d8b290c

SHA256
9d550ea195fc99a892d7b4d280624de0e6e8cc7af8858268833d0864f16b2f53

SHA512
b38cceabad0958841ef8fd1339a3e7e7449fc79a025c71ee314b9689a1a3e36434d0d6131be45a321085dd50e2736859d5a74fdeae0ecb1894276034798eb31d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
d998db6bb78f1336ff0e927205cd5dcd

SHA1
4d4a205d698b61b661514654b3917375f8ab644a

SHA256
32bce0ec12f35821550b935f0f9d841c1dcb83e9316c804190d0aa26881e9d9f

SHA512
c8e05fd8ab522baeab3742ceec64eea154ebb72f9408c82babec3d01ecad67886626c13a126b9290074d4149eef1be56853e9aea72c455147fe3f7039bbfe21f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Crashpad\settings.dat

Filesize
40B

MD5
ba9989410d716a22402772f7579c497b

SHA1
e382fd8a875080e0bc8d207a7714f1bb80e49166

SHA256
44b5004d498de3043d1f4775bdbeecf54135c83125021a3e68fcded07299936b

SHA512
bc9b14c99089e450cae307b7439b4624265925eeee20a89bf6dc13a9e6f4a54ab242d095d0549cbffa3cd88ea622eb1ea9d6ad9154a3b75a09448aabae4c1c5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Affiliation Database

Filesize
32KB

MD5
69e3a8ecda716584cbd765e6a3ab429e

SHA1
f0897f3fa98f6e4863b84f007092ab843a645803

SHA256
e0c9f1494a417f356b611ec769b975a4552c4065b0bc2181954fcbb4b3dfa487

SHA512
bb78069c17196da2ce8546046d2c9d9f3796f39b9868b749ecada89445da7a03c9b54a00fcf34a23eb0514c871e026ac368795d2891bbf37e1dc5046c29beaaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
900d02c46f8c77ff101f0a0534d2a10c

SHA1
008824f49213e2e2e1b2235857727c72fb88c984

SHA256
a8e5a9fa5dfd18decb1ce14a23ab671aed8c5b583784e4fbbcf9274aab96cc6e

SHA512
136516a52d5cb151daee16564c222a6243c153805b67b4332278b3934cc4632253a18cbf1b6760df3ba7287d513ac34ed6e841fe5cd9ff4ce7cabbffdc4b11b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\DawnCache\index

Filesize
256KB

MD5
37b6270aa565b573bb644c0f464430ff

SHA1
af359e40d5947504f3320bf45a9b540b8714a1a4

SHA256
8d8f433e04390165cccc6864705e5172f4b632d027997b127f749850dbbca765

SHA512
33d047ee899f30b523c4cc1f54c27914cb9542cea397d1c18d26d945846a722bddacecaa4a60b75a33b9a049c2042f4d54c15cc975ac4e2f4bb61f37715902f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Extension State\LOG

Filesize
247B

MD5
7fb8dc91ae98072401486d76437f504b

SHA1
df29b98d43004a8bee216b8184b71189876c664a

SHA256
d72e4456f32b0f7d7dc40857dc99d441a1f6b1bd49421c0312b12316d22cfed6

SHA512
05706ab57312dfe8155f944b2796980156669cada361a90b633360abbe96e4c9097e2689d168efe8f80f9403d653edcc04c8e0fd60cdd978037a9ccd12987840

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Extension State\LOG.old

Filesize
184B

MD5
9d6d7bceb7ac3535bc7eb1db4e6336a6

SHA1
43b9402a2053f86e084e1db94ef2e4369fa047ae

SHA256
76ee8db51de0b417271e859d1da0fe46fae75624b19364b2bfd11fb2811d2e94

SHA512
68a4b818c3341f6117d89f93f2ba12f5198cbc3e35cfb08f4d30854b4f378946f229def43226f5d649da8ee184ff4afe1f403298c286ab29a734658a5f1abd92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Favicons

Filesize
20KB

MD5
3eea0768ded221c9a6a17752a09c969b

SHA1
d17d8086ed76ec503f06ddd0ac03d915aec5cdc7

SHA256
6923fd51e36b8fe40d6d3dd132941c5a693b02f6ae4d4d22b32b5fedd0e7b512

SHA512
fb5c51adf5a5095a81532e3634f48f5aedb56b7724221f1bf1ccb626cab40f87a3b07a66158179e460f1d0e14eeb48f0283b5df6471dd7a6297af6e8f3efb1f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\History

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Login Data For Account

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Preferences

Filesize
5KB

MD5
1be19b94e6d3c63d9de05afaf69550d1

SHA1
c5803d991d199c99aa33d269047612c63ac77538

SHA256
16f2adc2b4f5f114a83897af1766baaa4b8b08a3eab9f35552abef34490b993a

SHA512
fbbdf74e0aadb02789809b9a25dfe874d35a7c376346cefa11f8c8733f78c83cc97c57bbf9dc82480a152af118c61f3b384accaf606c30d13c23e3ef7317d14b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Preferences

Filesize
5KB

MD5
b78281e25b517d695f86bfde708b2034

SHA1
4bd24690cd080b8423c1a2acc1062d0da2b4b3ac

SHA256
debf6f147bc7244d6f8af126d4b15d35f85d4e9b08ee9b52d3c22a58ab8942a1

SHA512
b506586637ecb1fbecfd3dc95187afc28cce526cf97ed8c83580bce2e65aa197328a6dc283d31b2f8ab623d4e78e19713122dbb94220f5ba9b2377ab0d1af7d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Preferences

Filesize
5KB

MD5
282cb5666da0cb066b583ba53f3be5d0

SHA1
2d26f6a1bcf4f2f585f4e425d692cb81b4cd3c0d

SHA256
f4ac2d23d28bc8f980bb4cfa007c882db4e8a868ab9d009d55ecb607445cc3c0

SHA512
e3b4224add723a12bc3874ed275def85bcc27f004106fb897da89b76c42fdbb62666678ae1c6633e118fbe8383ba2c9b3b66e2a2a0ab8a002fd0dcd0fdc3e9f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Secure Preferences

Filesize
10KB

MD5
b1640724d46091a2256fe66120361e5e

SHA1
0c985b335a6dce6676cd2683c6b5a50ea91c48bb

SHA256
7e443efb8cc1a25da1775eef008af0f38acbfff59602f904eb9019480c2c853d

SHA512
4fc4a95a6eda1ce3691e24846617be00dd5d3d759c1aa6148d23595ee5a3d30241b7775ac3a650db1018fa7f630a53a2b3f06571a5846d0324a1fa8be9e9f0e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Session Storage\LOG

Filesize
249B

MD5
13c6b0d2936e7485ff4eb974d2a92f7e

SHA1
6ee2ded7da2d44974fe254548d4792ecf2f11e05

SHA256
a48062a19555b6dc31ee23f8b3ebb43c659b22a47ed28557da1a4f73bcce37b3

SHA512
9ebf9ff75008117271e146f32cf85929127485f00ffde3a50658773bc4780f58dc7f8c506177d7b62d3b2fd365ea25f90b0808660da79e5d34c445883bc3cda2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Session Storage\LOG.old

Filesize
184B

MD5
fd8bfacab248874f72eba058201b65eb

SHA1
84b35d8693becb2eece135ad05dbb331a62f13fe

SHA256
2abe8e3c08dceb97910f9e6d2d3501904a199420193a5ebecede0cec3d3d3bb4

SHA512
9d9d92e9ef389b5a9a3953f46bd89574989b9cf2b4f5a7f07a86e1904cc8207cdaad81903f445d4bf5bcba0b724d16025212d604d1ef70d8eb39664de0b03f8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Site Characteristics Database\000005.ldb

Filesize
130B

MD5
0d30bb8b60f3c477b7f5bee76de87a5e

SHA1
754db054cc38503c0a7b261489b25208749dce50

SHA256
7d66803b525484d42d0699ed1a2370028b7aa21ce173ea3cb9331cb80d01b695

SHA512
fb43e45b6676ea12643127731a1d3fcd783c16b4b6aba0d31ea93af19020248d766ea877a7abfdfe484e70bd4c2ed8d66f44ac2c3da38885b3edbad41ef68c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Site Characteristics Database\LOG

Filesize
249B

MD5
6e043411b8c47a4306f8df12b577cd0f

SHA1
997962a040577b1bc8a77cefcd59dc09fa740cfe

SHA256
15c403cfc057ac013f2573052bae3fe90660f1a0f8e1754095bf39331dbab1f0

SHA512
40dba5ed3f8b66fc01399196d9b8f299c96d89304a4922861a989a01670aea5df5c76494506b6bc17f28f74bbf51eb5afde996afba6a9fae3dcb17833286c688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Site Characteristics Database\LOG.old

Filesize
198B

MD5
c8a962f2b5cd44a909bd32e08ea0b174

SHA1
39ebc12fe80cb5a54f383a9e558a762c061c8470

SHA256
20b298d6ee3a9d79efd2b918761b4a72d05415f83ffa3dfcd2a6b7b6a486edbe

SHA512
02c98efad4b12e5a33258154bae43d775a55740d054606f3c91ea15c804fa58e4d29a65d0f12d4418f2e9dcd2aa76f7ad795b8d64cfd31e1d7af49eb6a171895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Site Characteristics Database\MANIFEST-000004

Filesize
107B

MD5
f3a604cc1687a04eaabc91b49ed90eac

SHA1
507d0c1334e11f23da43bb9c8702652511893d03

SHA256
628a12f2ebfd6d19731a8a362956c95803f1d909293f6936542fb458d8be1a39

SHA512
a49c1632af45f2a938c2752aeb67e254e92a04bff91affe95952ba7960a60ec143639565790898d55a5ac4d5eb34c2dab1b93e295840d4e30cf3b16d913a7806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Sync Data\LevelDB\000005.ldb

Filesize
984B

MD5
a80137a8b54f688bede055aae53f52cf

SHA1
026524838c35c343d1d8a20e9451d6e8ddd70d5a

SHA256
7fca9d9cb42c7c0f4f3b407e49750c40281905871718e7dd8b4381fd90c75d83

SHA512
37c69c59f38d4ef9bcdcf41d4b914e3e78316ba7e8e6242bca5c232b107b0225bf4a3726eb848ad4949eb9f9a22756b59c6a4a8035d51a905da62820b713c3ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Sync Data\LevelDB\000006.log

Filesize
4KB

MD5
02f2cf7bfd233d6737695bf64cff3b00

SHA1
a227b99310b3222efc6192f5a597367273cce181

SHA256
6c87c3738f1797ac8acdd03f177d7a9394b1eff7ccd2dd34dfc32d0e8b9b1de0

SHA512
d74cc66bbc2b2def2d178010abbd19b71e271b5b35a3fed124da08b010470f27b8655d92a13e37333c33d57f46ac3034b7e601a9d5f5f5bdd4783cd1aa3543b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Sync Data\LevelDB\LOG

Filesize
249B

MD5
d18a8c79e977d836b2ed734cce695dc9

SHA1
90d74e7fc4a96090e5a50a7550307ff25a2e73f7

SHA256
ed23af87ca2f8d03b3d3ca559250f4fca03989cb392b452233083d8d3a946fdd

SHA512
18779b981236ec849b2038895299d93649e94b92434883cf0adaf03baee6c56d6f5573d79e2a848b4a5509d555ef0503400bbead75eb160efedf7160d348a3b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Sync Data\LevelDB\LOG.old

Filesize
186B

MD5
f0dc4c4a8783ce60c0d11b0ccf11f728

SHA1
21ca7cdef6bf57e4bddc4944e5e51ec872e6f72a

SHA256
d47c5882ed99cb98c368797bf3f1af9699c19853d85ca6467f13f86592e6a3fb

SHA512
0a6cb8aef9b73c738237a092f19e87a2ecbd5b2088b9d534d123c6af7ed6600b759a8f21521ac992f4938e6030adba845209db62579f62ea27fcf7e7623f6370

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Sync Data\LevelDB\MANIFEST-000004

Filesize
139B

MD5
8d9da2a364a249c6222e6ab992df06c6

SHA1
d713021bdc2ee7a01da8f351d8592dcf8228d2a2

SHA256
8b6cabc40598599fae9d670094f32db93cd3753a9585be8dcc0e4923569385fa

SHA512
a2a452fd3c926636d74776bc9c8489e04f31ff3e0fbbcc14c2080e003dd4a55a7a8177ce30c4cb0b489f5215132b0a791b33254f4b5ce4658323330f11886e7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Top Sites

Filesize
20KB

MD5
f827a28f6100a85bd8217d338ccca5a4

SHA1
2a180393edd7109c3ab03db4e6edf07ddd9672eb

SHA256
82ee998a4908774d5f55d1d65c897abb5c36458bafada8dc945a09c6b9f21429

SHA512
77fc5289c9d5f954e789f2c0b908a39e8e988201b0ff89efc1002d2d5d7808a8e60e9332be4b9838490d48e4a4385d8cd9b3b18c8716ceb9d6f2117cb2e53d60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Trusted Vault

Filesize
33B

MD5
466c361a9b7f035ff88d07502c4134c4

SHA1
39c0716ffb6a9f6a89b83c2398d6edeaac3264e4

SHA256
5bad26fec3a00bb6b0f19c80df70c92f93526f588ebd925b492ddff883609767

SHA512
262e39fd67f106682c780d3125d7196ca30cb0876b42ab095c254a60f28289685bf375eaf5ba442f389a57504ad95569db1c33a6a623927183754fece2085db1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Visited Links

Filesize
128KB

MD5
43936fcd9873cc580e94b050c0702455

SHA1
56a7189931c23adc191a091eb828f46e8a260746

SHA256
b50bd72ae9e0b8a6f0fb53775d42876db772b33b1c2bd99118ce85321ea13198

SHA512
ee85d2b950cdf99b1e417a537b31739c8818a99353b4f8b8fe83c20a18d225328d72a7ad839784d1ea4deda97df2d94f0652a086a948933fb1231e7737870383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\Web Data

Filesize
92KB

MD5
6093b9b9effe107a1958b5e8775d196a

SHA1
f86ede48007734aebe75f41954ea1ef64924b05e

SHA256
a10b04d057393f5974c776ed253909cafcd014752a57da2971ae0dddfa889ab0

SHA512
2d9c20a201655ffcce71bfafa71b79fe08eb8aa02b5666588302608f6a14126a5a1f4213a963eb528514e2ea2b17871c4c5f9b5ef89c1940c40c0718ec367a77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\shared_proto_db\metadata\000006.log

Filesize
666B

MD5
1a80fc32c4b517f9ad401d78c7ae6a05

SHA1
64107b4e91600d477195030b37f4be488d4d0dfd

SHA256
5e340e021733ff47e49a67c68443ad1636cfe284907f3a5ce1097500d8905864

SHA512
92c70d742482bb51b4fb7adc0bffb6ff37b53133d2f11517e030a42071730302641859de78b47b339a04a7b4a1b04dd5eb71b5d1627979dd8f3211d9306fd513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\shared_proto_db\metadata\LOG

Filesize
249B

MD5
5e0972caeae35241942c30d3e6302166

SHA1
43a43b3511b8eee70a52d762022c13c546598e07

SHA256
5d6498207992c1ec99a651b3f652648845569a7ee9cf9f6f8bff1c9aca8ef154

SHA512
c012d1b784c30d9383c6f057ec974d7464cad0ceff48c22e1d197cdda3f1a265f5eca2422fa9f46ef7ac97d9b2bc0d1bb3c61a2c68ff246f345d98044a0e0f19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\shared_proto_db\metadata\LOG.old

Filesize
193B

MD5
23386d2b52814fd8bfac3f28a6c4a69a

SHA1
22f2d7f61b314f335f8c51d81fca1fb323344084

SHA256
927d86cd383af3cbe7f45853820097b4b8a80c78f5d42226882aa1f27c5b30f4

SHA512
25d0fb2618eb31ef6306e5d2ea89a6c14759ce68fbd071cd37ed106134f49dbc6befc285ffe71f35f584c33bd82dbb6f1ce25fb8b9e7c5be3cbfc3a1d0292f18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Default\shared_proto_db\metadata\MANIFEST-000004

Filesize
84B

MD5
be2a12b06745bb5de6254b2592d8ab20

SHA1
19a3dc035140689628e54095af6c4b4dae44b55d

SHA256
29e140732c7fc2d81fb1f506cc94386ce55f27446f9277e66236080cdf6f5944

SHA512
fad84027f46c0d4e4fb0357c15d77f7a86c941042ce538e0e89e5b8c477ed3cb46e262e3a3da186eadbb266c9288965c7299b4dc2a7ae1b346230dc48a7ecdba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Local State

Filesize
170KB

MD5
fe6b4b6a5e117160a254e2367804be04

SHA1
8bc01310c0fd68e204f352c1dd9767b7efd6598a

SHA256
090217b33179df8066719dd6285a15c6dc482231467d1f29ad3f3d16d3f8ed34

SHA512
460d73e559aecab3300994c5f56407920bfa606e393f09cacc66166bac072e7096f07a35bfdfc4ff3e9a781f9a4690b83f0d212cf134bb046e0f01cd814e3e4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Local State

Filesize
170KB

MD5
ff186eba77b582403481a761c6708fb5

SHA1
628a70ff63073da7c8b89f1814e9f5605768b187

SHA256
57e9109d25c26b5206489735e9abfd1b2553dc08c36f5e250976a5932b4c7e7b

SHA512
7d80612f672f742510204f6f0b451bc3e2f4ec320f338b533fa2a3d28c4fc51d64294f926bfaaf21c5cdd54d36dcd81ca1eb0b21ffe83613da9d60ae8695d2c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Local State

Filesize
363KB

MD5
48a543a10a03fe2b72e3639548a71c63

SHA1
ce3a3ab97b2dddfef37bdfd886f376cb43cdc2da

SHA256
c424c67a7d6011170061f81f92c8211efce38167c734c5360d9ff59ddac1622b

SHA512
75b5b93a493466501a4ca433fbed3a727d89a7904f6db4d796e74f2d7408063d8c99e860e62ba6d5135e6168e72e26a856f338c185de9fd163f68a956e0170d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Local State

Filesize
346KB

MD5
13ef14c90ff8062e3781da1e9c406dd5

SHA1
8a6f859ba8b3c7e968d9ea12ed749b143a4909fb

SHA256
84e589bfcf3d6996b14cd0706dd866a28354e62599b66c1b6776ff765dec1ea0

SHA512
bea7e1bca2d3ec716a7dab17734cc2d420faa24d5a1bbe9b98a86741c3bdda2bc2bab4c0c7cdface29c785b63e60a9e875d2473c05688a0abfbb915911f77016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\ShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\bff4bade-3930-4a91-bb6f-bd30ce9aec6c.tmp

Filesize
347KB

MD5
e41ef0e89f0fea8564f4945d1cad7614

SHA1
7cde018f603b55fdd7cca087430a8583b3354bdb

SHA256
6e3a7e13676029547074c9bbb7aa4da8156feedbbc0f5456f6940b4b9e2444d6

SHA512
e084490eb76d127ffc6f231816c3f1c8e90f52edbd4b6bca41a20fdcdab574ef0e7320f522a4a20f739ea4de12bf8bd9e981308489e8462e2bfb49de3e5c475a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Chrome Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
84d120519335dcc5c615387360f49060

SHA1
d4fb479e3e708065fc9a696ea8e5904d1ba42e51

SHA256
bd1e1f40d3474ec908e7ea3b489e871d9ffc1ef65fe4324b56a165c8d165ea60

SHA512
ce7b4a8d51fcf8b885fb1e7001fa96b9bfa1b00ba2f5c960bd08ce2e8cfd9c85f5e0b43acaa369744bee4a2edf04ad0e9b74e24b9052c2383588eb77f62f464f

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
176KB

MD5
ed369f4bf4345b9a0680f904495cd101

SHA1
6dceb43de613608cc8468998605eb4b7836b2412

SHA256
8d59ef4f887ea68153faebb1ac97e69319087ff059903d4b26d1961828a8cbca

SHA512
48b4f2b3a87b76985d6c1b513fa261c822ffd4ae5aa9f8b9cbd9e8dafa684bc0a4cb23a16b8202bd33717a3834c1b54ef9266ca1e27db251dc83752c54eb4761

Download Submit
memory/2148-46-0x0000000000D50000-0x0000000000D82000-memory.dmp

Filesize
200KB

Download
memory/2732-7-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2732-8-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2732-9-0x00000000020D0000-0x00000000020D8000-memory.dmp

Filesize
32KB

Download
memory/2776-34-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-28-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

Filesize
4KB

Download
memory/2776-415-0x000000001D480000-0x000000001D5A0000-memory.dmp

Filesize
1.1MB

Download
memory/2776-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-458-0x000000001D910000-0x000000001DC60000-memory.dmp

Filesize
3.3MB

Download
memory/2776-36-0x000000001A670000-0x000000001A67C000-memory.dmp

Filesize
48KB

Download
memory/2776-1-0x0000000000130000-0x0000000000162000-memory.dmp

Filesize
200KB

Download
memory/2776-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

Filesize
4KB

Download
memory/2776-37-0x000000001A6A0000-0x000000001A6B0000-memory.dmp

Filesize
64KB

Download
memory/3048-15-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/3048-16-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/3708-459-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download