gurcu | d9893a1d31b8338aedd6f9116cb5dc2c04ace45ca6f065e829ecb68c41db96c7

Analysis

max time kernel
246s
max time network
250s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-01-2025 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wizworm v4.exe
Size

13.3MB
MD5

326cae42b360bc91696a9a09d1f497f9
SHA1

9162a3fa7edd91db0b4b209ffb632f4933530e19
SHA256

d9893a1d31b8338aedd6f9116cb5dc2c04ace45ca6f065e829ecb68c41db96c7
SHA512

a89d1551d86502d222346d44337cccabb0de1586e0d1b8981b9e63676c2341054d61fdb77d07df3aeca0920b60de5031f45067bd23bf3bb0e198224f441c910a
SSDEEP

393216:uOLsLayrPGrYlesyvrNxJ/2eMxV3ODQvT6O9lDp2h:jALHbOEiNiDhmQjg

Score

10^/10

gurcu xworm bootkit discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.0

3skr.uncofig.com:9999

Mutex

wRjQMjeNtaZnUCMU

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7942324376:AAFz5Z-GdKIj1CePZyqIUmvNWOymMRw8Lmk/sendMessage?chat_id=2078478344

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7942324376:AAFz5Z-GdKIj1CePZyqIUmvNWOymMRw8Lmk/sendMessage?chat_id=2078478344

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00360000000461e5-22.dat	family_xworm
behavioral1/memory/4572-42-0x0000000000460000-0x0000000000470000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2380	powershell.exe
4756	powershell.exe
1924	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	wizworm v4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	set.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	fitdko.EXE

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\set.lnk	set.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\set.lnk	set.exe

Executes dropped EXE 5 IoCs

pid	Process
4572	set.exe
412	WizWorm.exe
4636	jawhfm.exe
1920	fitdko.EXE
3272	MTHR7H.exe

Loads dropped DLL 1 IoCs

pid	Process
4572	set.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	jawhfm.exe
File opened for modification	\??\PhysicalDrive0	MTHR7H.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jawhfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MTHR7H.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
820	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133819357272380681"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2576	chrome.exe
2576	chrome.exe
4756	powershell.exe
4756	powershell.exe
4756	powershell.exe
1924	powershell.exe
1924	powershell.exe
1924	powershell.exe
2380	powershell.exe
2380	powershell.exe
2380	powershell.exe
4572	set.exe
4572	set.exe
4572	set.exe
4572	set.exe
4572	set.exe
4572	set.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeCreatePagefilePrivilege	2576	chrome.exe
Token: SeDebugPrivilege	4572	set.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeCreatePagefilePrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeCreatePagefilePrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeCreatePagefilePrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeCreatePagefilePrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeCreatePagefilePrivilege	2576	chrome.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeIncreaseQuotaPrivilege	4756	powershell.exe
Token: SeSecurityPrivilege	4756	powershell.exe
Token: SeTakeOwnershipPrivilege	4756	powershell.exe
Token: SeLoadDriverPrivilege	4756	powershell.exe
Token: SeSystemProfilePrivilege	4756	powershell.exe
Token: SeSystemtimePrivilege	4756	powershell.exe
Token: SeProfSingleProcessPrivilege	4756	powershell.exe
Token: SeIncBasePriorityPrivilege	4756	powershell.exe
Token: SeCreatePagefilePrivilege	4756	powershell.exe
Token: SeBackupPrivilege	4756	powershell.exe
Token: SeRestorePrivilege	4756	powershell.exe
Token: SeShutdownPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeSystemEnvironmentPrivilege	4756	powershell.exe
Token: SeRemoteShutdownPrivilege	4756	powershell.exe
Token: SeUndockPrivilege	4756	powershell.exe
Token: SeManageVolumePrivilege	4756	powershell.exe
Token: 33	4756	powershell.exe
Token: 34	4756	powershell.exe
Token: 35	4756	powershell.exe
Token: 36	4756	powershell.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeCreatePagefilePrivilege	2576	chrome.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeIncreaseQuotaPrivilege	1924	powershell.exe
Token: SeSecurityPrivilege	1924	powershell.exe
Token: SeTakeOwnershipPrivilege	1924	powershell.exe
Token: SeLoadDriverPrivilege	1924	powershell.exe
Token: SeSystemProfilePrivilege	1924	powershell.exe
Token: SeSystemtimePrivilege	1924	powershell.exe
Token: SeProfSingleProcessPrivilege	1924	powershell.exe
Token: SeIncBasePriorityPrivilege	1924	powershell.exe
Token: SeCreatePagefilePrivilege	1924	powershell.exe
Token: SeBackupPrivilege	1924	powershell.exe
Token: SeRestorePrivilege	1924	powershell.exe
Token: SeShutdownPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeSystemEnvironmentPrivilege	1924	powershell.exe
Token: SeRemoteShutdownPrivilege	1924	powershell.exe
Token: SeUndockPrivilege	1924	powershell.exe
Token: SeManageVolumePrivilege	1924	powershell.exe
Token: 33	1924	powershell.exe
Token: 34	1924	powershell.exe
Token: 35	1924	powershell.exe
Token: 36	1924	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeIncreaseQuotaPrivilege	2380	powershell.exe
Token: SeSecurityPrivilege	2380	powershell.exe
Token: SeTakeOwnershipPrivilege	2380	powershell.exe
Token: SeLoadDriverPrivilege	2380	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4572	set.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 3684	2576	chrome.exe	87
PID 2576 wrote to memory of 3684	2576	chrome.exe	87
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 704	2576	chrome.exe	88
PID 2576 wrote to memory of 3960	2576	chrome.exe	89
PID 2576 wrote to memory of 3960	2576	chrome.exe	89
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90
PID 2576 wrote to memory of 1084	2576	chrome.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\wizworm v4.exe
"C:\Users\Admin\AppData\Local\Temp\wizworm v4.exe"
1⤵
- Checks computer location settings
PID:1660
- C:\Users\Admin\AppData\Local\Temp\set.exe
  "C:\Users\Admin\AppData\Local\Temp\set.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\set.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'set.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\set.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Users\Admin\AppData\Local\Temp\jawhfm.exe
    "C:\Users\Admin\AppData\Local\Temp\jawhfm.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:4636
- - C:\Users\Admin\AppData\Local\Temp\fitdko.EXE
    "C:\Users\Admin\AppData\Local\Temp\fitdko.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
      "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      PID:3272
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF44E.tmp.bat""
      4⤵
      PID:4052
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:820
- C:\Users\Admin\AppData\Local\Temp\WizWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"
  2⤵
  - Executes dropped EXE
  PID:412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x84,0x22c,0x7ff86c14cc40,0x7ff86c14cc4c,0x7ff86c14cc58
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,7843055061464665767,5636376252850854581,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,7843055061464665767,5636376252850854581,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,7843055061464665767,5636376252850854581,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,7843055061464665767,5636376252850854581,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,7843055061464665767,5636376252850854581,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,7843055061464665767,5636376252850854581,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,7843055061464665767,5636376252850854581,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4604,i,7843055061464665767,5636376252850854581,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4968,i,7843055061464665767,5636376252850854581,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1368

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x338
1⤵
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d437d6105ab440dbfe0a3ac9f9c76be4

SHA1
740c97a2034eeb8669897fe6a8ee6433a56eef4d

SHA256
ec3edaea8e7ab0b9e5539a73e0e9106bab0069abd58af346174a817abd615986

SHA512
85f35d7f5a64c9eb61000c03578706c1e1e83777eb448dcf2abd1158d4d6a530939daee3e85240e7fafa67597f86d70589cd22f78df0542c756f8d49ac2efc8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f21d6e1a4601992957402a28b5784f99

SHA1
e0a882765249b85c5c7ec419ffec2d0d84e6c861

SHA256
639bababdcdcf17085395483fbabe5cf92fc8409816f6625ec988366994b8f57

SHA512
f632308d9e680bb45c858cd278d8ee53397a315fcedd5df5c13a2cebbca217ddcd9cd62052c5c41108d4a1279dc7ece78db42582ca1102c27acfd8c5960a3cde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
179e777e520bddfe2005cdf8a4c7a1e8

SHA1
e75d60cfaa4cdf1aa1fa8da9009a9c7e0bf16930

SHA256
9df17f689c57958eca591cead56d45f7fd6f05d8616528b672442ffc96626457

SHA512
f820d9817963bade744904a73bed2fc180a9bd02798ad9165ca669eecca0b99e22ceeaef80e282a546e8eda4d9bd5da9a9b79207efc465bc53347169fcd7917f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ad2316649f610c5a41f4f821ab743aaa

SHA1
69c293b4304e1a74a2b82207eebb0dcd79670940

SHA256
8d7e0657219e3986ae10b2f349769c5105cde9ca0eec78999a3d804d32fa3b03

SHA512
98dfcbf73312d6a5caf648f103034317ebd8b88b8b4dd2f7ac64761ac615fe078b735f1886936420c615ad55817ada1f7d58740e2f2d2ae82885b19d802130bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f6c3571029622c884d1341992118bb2f

SHA1
64aa09aa975f4067b3076874e2454d8fe5a931e9

SHA256
476e1efaca02978fc26378e5474d486b00fc85cdeca10b7afbe84deba9919da1

SHA512
72898bc94e9d01d04da228486abf09508523bf00e63f140439b8e0d834d93c2f5bd44d1196a0d4eaf295146cb5ad787d3831eafd81db74a7bb025e0632a82411

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
10479959d11b9a5be5cd0eded77512cd

SHA1
0624ce953a7ba53a588b268903f24b1de6aeab8d

SHA256
6512a8f339ed27c35394d64900b780412b9a035e27e022425a0361984764752f

SHA512
270a7022dcfa4575bdbda1e390fd6aba6e7d5bbd1162651b6fabdd74f2101cf172aa446a5bcb4b22734752262ccae67dd266b6d9c8113bf7b5556923e294db4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b043a339cf277222365c4ca64c43cc3c

SHA1
2d4fa52baa91da9d441e0a81c52462e7d7b05a8c

SHA256
dba1f29444182ae46b6ad8daa78b22ea50ab7d674963e729905cf90ab85cc742

SHA512
dc4db06f871d683ffa68d76de842f53aeaa45bbab7c7a53732c092c73ad3b865694683451f2c35bf6eab44566d5eeda6f6e3044c9a337a645f13e2483e26a13d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
898cb81cde4abe687c11e1eafc7f22f7

SHA1
faacd0197f7a90d7823d06e5ffa4b8b07cf13f07

SHA256
c2595f50620d241b4bf0a6497222ee261a6a2c5538965ff73741d6abe9da53ee

SHA512
c043ca095683d8cc38f9f75774c9508ce233cd7d67ad434786928cfc7411fdd60ae64f0d11c3dccb7682aa47670a39edb88eb731003a5d19c7ea87d0e7b4f810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9c54c729d73d853abea759a1f61e94c

SHA1
2b678d946551b4cad19d490b7f19edcc8a59b516

SHA256
9469708a19455b3ea6cc32e515971f27600742406bccd96a436ecc6c87d776dd

SHA512
dd222e2eece02a71ef66bf0085381dce94057cf295cc86989f17d15b6302a482bfb9296b74bb1b52e02808b30e3e5debae2803e46380f575f735127085ee086d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2cacbcd17643694e15ef1846978da845

SHA1
a704113963676d545b7c033c40d7410c484890d0

SHA256
42843556de1e82c75630bc8642b9268134899e1226068029c0d8a29590f3e39d

SHA512
0eafa10b01fb1c121ea089fdd6d4359454d0a4c61951a0e0eb0e7411b2282abc6f0213dd63813aa01584cd4cf3152eb911cced7cd04bf255566e25f3e372c0ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e24bf456023c85ca20445a85e8c8c00

SHA1
8d88474d8c6d9452b0623bf8cd6a64f51387b61e

SHA256
a7a0e27f9bc0bb4423541edcd8f27a19de37966a276f99ea8c03905724587183

SHA512
d540582ee0fe07d7ec1269e9b9cd6e54fc1d5b56f7666997da947cc308e0ab00fee3443fe8fc8203fdfebcd47bdcb82721a9b1d7a0ee4b3cb2edf1052ef91a3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6ae42783476793b5d8133e67784884a1

SHA1
988e2cb5d5a6bcfd16d26b89f00c31f22f492a6f

SHA256
38aafeb080fe22664f19c8931f8b27a72d63b2ad0ab67a1c5769f2dde5fcbf91

SHA512
80eea20fb7d03dda29abdcc6f4055da15fd62579f10f65ad4cb077ca7fc9081977b182dc1d679154f43d00f11ec92bd47ff4bfd4f2389314aa4effcd562fe299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ae5ee2c6d04efdd0abd28fc1327c6531

SHA1
dca32da9117ea9f794d69b6af51dc1368bda1b1e

SHA256
0b4406e90902c6318d11a2f08a90308608ef280f480f311ac5f52989c8bdbd0e

SHA512
bafb956244b194b5e63ea1e81829677353a5d6e4ebd00638c72a4bbc391a4c9a0f73666cfc0c81c6935146b3bd26bb28b2206f5854916851e034643ccc15d8ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a182a178598822e339447d87961a54e

SHA1
36f9954d0aac860b894b1c0e44aa0fb66855fad1

SHA256
fa81a1ebf6369ba7e222bf9b2e3e4da2f9fb75092dc47a708f537c18d9e1ba44

SHA512
1af60d74c82ba62b937b5d134670d2a93b482e13e05f3a7e7b3dd1830007f586321c14f6611ba5cb4040e67ce660183fcbd207ca022c7a25714630a302720465

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2c855d9f54ac0aae30c87c48ab4a43fc

SHA1
67534141a09fec06573e63ec7b849ab52459ac6b

SHA256
9da1129f8e263470ab3423685b27a19eaa12be81a96e7b9525e88d303123dcc4

SHA512
7ffbf6408447075a33e04d75f10bd208f3e28f55ed1da532c993d5170f9b87e53d53a806b7e7853f37b02193ca6d3be9c2adbd4e38b8e47351bb3017aa8f78c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7df46e5e9cb915d6181e736289c46921

SHA1
621120233b186ceb740b6d253ee180cdffc6d8e2

SHA256
a442167f2c8a7fcf6471f07227f7e71fe300a5f59c05070c0b2e1ad48e13efb1

SHA512
e9a525b9046b6a73fcebace33d056e12c7f175b23052a35713741966a261285f4cb4e798975cccc4258c719fec8dd6527de8b7d735b93234df5ec6ef735f0165

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6c23d5db2d8f99b3f70810fe16033d0b

SHA1
d8716914fd8d00e42ae37a2ca894476edf0b2aa9

SHA256
146c58a2951855149a3ba088f0fdf6ee7e5d4408677f909a6d5a3c2d76134ce1

SHA512
a99155d7b4fc7cf7b78691e6a2092d220a89abb71abe3610cdbb934713cd780859dc801102466b6975501b8c48afebe8ce3460da9f274375bd671cb0ebadc16e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1dd28eb15af943f63b0dfaed879347c5

SHA1
c3ab13f7f64ab75171ecf9375c5938d8e7c3e6c7

SHA256
bfc037f8c57b8ce624f78ba080e78becf9aa6664c39c6dd0cc1b19b91662bdd5

SHA512
f770f3fb793f359d776c0c286745212a5be2b94b9632e99390855037003245b720171f355ab1755e27f87bb1dbab28cf52b1e96fa02d07cbc0d3adae59337efb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a6f95ea44115cb5a2096e93ea9c2671c

SHA1
9f0fc1386e7d6cba817b8a1161860a1ed908b9f4

SHA256
f4550f5bf105be1da8912c14252abaf99844b765d02767ef1a3fb5d8e027ad28

SHA512
a20525dd465f41f0ab95298d4e01162610d725104b17f6fb9db37d57ed6a0770c894a063240a6b6c9dc7492af3364afb66c199a3d6ef77b11698cc7386435a80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c9e0a35472b9ffbf1b7e475775620e76

SHA1
5718e3bebbf8fd27cf7873f2c1429fb3602cc14f

SHA256
afefa55849ea93abe71e0c085cc7baec92998f7c47ae0f593889403f448abfee

SHA512
21cc0c8d359d3e40c4fc1df7c2ab33fa60e8a89fa14c90dc4c98d7b9e30072834c166bf0878d16c3bf33682bec5dc1f8830ddef50c91ba8ae74b6119564115ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
42b4dfbd81c28aa71401ea289501271c

SHA1
ad2d6a7d9be3e487bca8037ccb82463eb7c28091

SHA256
dadc36d66a215047182a1e8b9234ceb2ff76a0b2b70e1b66947574f8d158ecb2

SHA512
4aa60c16327f6e74d3fb480fb8ecf95f7c72f9b2139bdaf107c690b4185186eb3e5bca55eb9a236c67f0db25e4221f331d3db4947d84386805ffcf18fb2032b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bd06c5c9f9b73a7d30ac6e039e1077ff

SHA1
ec0bb5eacfac5241290a7a0ae279ffa0aab9610e

SHA256
a37be6a6d15de18d451e4bda3295026dec238c24649e4adac3acde9f12a8da53

SHA512
c623e30c7c4a9b0ccb6318d4dcb732cc5af57854e315cea8d08290702de7029d830fd6bd41dd78132ec180733cc5fa942d7bad8566dad992df9717e607388091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
33094c5c61937d53e39e0d7ff2887ca3

SHA1
b223a45d9d2066e8660ace3b4a08e752cbddb6e8

SHA256
b63627c046181dd764da36e6a75fbd45d994ee623de2bfe12376759fab2c6a4e

SHA512
a449057c86af9ffe776e00e7065dfe4f15f28a79becc3e3bd3f74f32445c70f24df824b40b258a6be7d1bb43fb1d7f2139acce370bc79438a7f54b5742738df0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
028aa33103f55512b3ddcc85ab155077

SHA1
1a5f5a51d4953deab722c1d18a75f7e4b99da77d

SHA256
b5f695a0de1386bbc98995362697ca78e9c197eb3db103f7545037880483fbce

SHA512
6b5c8ae6d82976afe55358cace7d32848982b0c29567381fcf93ccf041ffdc5b64fbf2d5d766acb2bdc52132f301e8a6ee9e6d4f79c696ced882017ca31edf2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
2e55cad1743027d116176d73f97d18fd

SHA1
009dcbe11131caf56c6c9ac2627763c271c904e4

SHA256
4fdd8ec581946dd7b8a943e7e60e88d1be3346b8402a895f559bcf831864df7d

SHA512
ecebd87582d38bd69b38f4e0e5f3f2383d04bba2be2ca7aaacddf0ec992be6f8012f4e23e910401044bee884f043af0e15bb624199eb3072f7ccc93c96e8e1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0a2581ce25d27c89853a8c5e60aeac6f

SHA1
d3f5bfaa9b6c89915dbc46be9aa6e49a7eeb2ce7

SHA256
5609b0664d3e47ce6611cbca5b25caa6b2321fdbddbfd7efe5a38da6dacb27fc

SHA512
198a3644eb4ee261f558b9e248eb6f1fe59704aa31524983e866e39bb3c534cf776bc276ce786c0b855da23ea827e816453755bc01e3d8ae3e3cf965914e70c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe

Filesize
150KB

MD5
e8a16450f1f658e2a216317eeab1ea49

SHA1
19b26d056d24b1e00933a104a8e320ba52c9c1eb

SHA256
6c0ffa7412a2aecdd253d12481460a4dd3ee02d912c3ee4d2124274e12add8a5

SHA512
93f952c4891eeb62a90b969973dcd5e5ce85b6d020b96f2520a5fcd47b21a4c6ccf9512d2c935c4dc3557b184a32d8b0623b342a1344b48fba24b6944749db98

Download Submit
C:\Users\Admin\AppData\Local\Temp\WizWorm.exe

Filesize
19.8MB

MD5
df02e1780dd49d8f537b1250211696fa

SHA1
ed88bba690cae57196ba10fa01ec1b86f6a39fd6

SHA256
27d5ba22bafbd94685f9c8cd3e6ebabd88e2a94bbd6be8ec25ec023b0e5c066d

SHA512
fef2bbc7840fa1066ac696d0da731adaa2d57b5a63b94cf7362ede33cb590452ddd9ec253d4c03b8b7e86e93fa4a367c0882fa8f498f40a19944ccad4674d223

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tgirz0pm.vuc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fitdko.EXE

Filesize
241KB

MD5
8964489afcdf25c4eef3aea0e0c9a872

SHA1
656485b929fd67c26f733ba6e85525d76c8f9791

SHA256
6b4840400cf2f697ce98a66af37497447278ffef8dcac35182726154146ea066

SHA512
3ff73c9c910e1f30c9235501864e79d6ac4bc8fafbb62191edca0b4f5ad5c6a46efce9065c2cf169775b83954085d79d2cb45d6f4be8fdbb85a6163f98fecfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawhfm.exe

Filesize
289KB

MD5
7e9d3109b138c0a67be983159fbbde98

SHA1
012308407fada7ecb5edfe4e067fa4d18acba424

SHA256
1f98a3f8852d28ed3b2f64e529c1ae1eafc5ef942a962ec89163f3db2744c8a4

SHA512
ac6a5a4ec87fe8770c1903f62d181f94366b2f9b3d3a4e8a04ec7f25b9e9d026762efc96ba5883474b9d1c2d0cca4a99e12f0343f6eac51af12d628a926a5e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\set.exe

Filesize
38KB

MD5
e1929d0781ff08abf8be3051479043b6

SHA1
0605a5657e022bd1cadf80f13446c678728dcde9

SHA256
b4ae6a462c5f24bec5870f6e92d94a00b1e1a4abd95e5433d6ac99a0f9d92042

SHA512
fb47c341b636293d500f1892f02e2be2b16bd0301eedc0c30025c00ae22ce3fe6d42abc0a4837cc5551eeed6cd5bbe815a0301db86bac6a84177a6c103d54d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp29F8.tmp

Filesize
109KB

MD5
7ccccd0ddf864a061e175cf9e5114a46

SHA1
c0b798cd725d5f270f347790e2ad13dab60108e3

SHA256
fe74cb06318fd7451fed5ad5ce5605bb746bb5ef55da3fe96f52ba20e159db49

SHA512
8ad1bb6375e7f35e0dc41353d2e79499285cc401c412ea16fdbb123c3a53aef315186f594364a4f4156a58fa780c973bbc7e0202e6a1ed8380742b6c45058132

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6106.tmp

Filesize
109KB

MD5
2fbabf9d3c366285411f7737ce52d7f5

SHA1
8c1632ed6f5f42dd7295311c59c1bd029dfc8210

SHA256
025d6d5074d20a7ff75e59ed38abbb915b9c68c7efaca9ab767f76fa7e2e3c91

SHA512
4925c585f735353ef6235556db94a0d90ca98ba8e617543fd6210510ccfb5034d3fea9349c5ab8805dd212ee918d4557d08723bd8f7d3ced94910006a54e457e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8548.tmp

Filesize
109KB

MD5
a7ad997ed7aa116038104ebaeea2c315

SHA1
4a9c9a2d4b246b870fb0987024a0cc2315dee269

SHA256
43a34da4ebddc1cea35ae1b0fb5f547a750ab2f0001f521deac45600c16e40ac

SHA512
2dc0cf8b545d3ef60033b9149abcffadd1e7f085046583282d7deb7c09bd5ffd7da50f1e43716bc2cc0e4208b32c7ebe3053823a8489c38954f4da409ab338f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC28.tmp

Filesize
109KB

MD5
4c0a6177be784adde84a2e3ef3c4232a

SHA1
88e0a2b97e3f2849e455242df6b03670e964b36b

SHA256
a2ab32275c79e025c7b1d7df26603392cfb2606c42d70ee68bccabe490e17c6b

SHA512
1abc273b6abf24fa19f2afc6211138eb6251aedbd9a35c3731f6ba3716fbd7e68abe9d5eb167a7ce94ac8f863e26a06ed219a57a13cdc2cc6f5bc12481dd892e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1B9.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF318.tmp

Filesize
109KB

MD5
402ab9dba30645bfd7cd8eba83af0b7d

SHA1
20ef5a12bb03156bb1af43b42680de2e9bcf8dc1

SHA256
e70ac6965ab4ea166b8661e5d5baedd65f834fa91d169a35983842fff9c595e1

SHA512
4ab2e0a8aa12a3cb94b895cf7c48a72af7bbdf17dbf44f88308a6d0d5a6b53043be0df0322ba4c2dd4da41ce46acf6127c3852f622a1374a916d25d6d762118a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF44E.tmp.bat

Filesize
158B

MD5
9c426c515831069a1a6b3b3036392b56

SHA1
6e7d4c86146b4286015a3aee19d714eaffae76f8

SHA256
6b785541bfdfb9ea123e03cdd41955a720df25c75f67ad5a9ebe16158819637f

SHA512
1999adc2c3f05a10e61481addf7ebba480cf2e1b909e5f1a8770054e21fb1d09a1038b40e07c1c83150c364642e0ebed6396313fd0b91c0c26d0c15c089ac0bb

Download Submit
memory/412-61-0x000001AEAF4B0000-0x000001AEB088A000-memory.dmp

Filesize
19.9MB

Download
memory/1660-0-0x00007FF86E0E3000-0x00007FF86E0E5000-memory.dmp

Filesize
8KB

Download
memory/1660-13-0x00007FF86E0E0000-0x00007FF86EBA2000-memory.dmp

Filesize
10.8MB

Download
memory/1660-60-0x00007FF86E0E0000-0x00007FF86EBA2000-memory.dmp

Filesize
10.8MB

Download
memory/1660-1-0x00000000006A0000-0x00000000013EE000-memory.dmp

Filesize
13.3MB

Download
memory/1920-244-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/1920-245-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/3272-263-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/3272-269-0x0000000005C90000-0x0000000005C9A000-memory.dmp

Filesize
40KB

Download
memory/3272-264-0x0000000005050000-0x00000000055F6000-memory.dmp

Filesize
5.6MB

Download
memory/4572-42-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/4572-65-0x00007FF86E0E0000-0x00007FF86EBA2000-memory.dmp

Filesize
10.8MB

Download
memory/4572-43-0x00007FF86E0E0000-0x00007FF86EBA2000-memory.dmp

Filesize
10.8MB

Download
memory/4572-155-0x000000001BFD0000-0x000000001BFDA000-memory.dmp

Filesize
40KB

Download
memory/4572-398-0x000000001BC80000-0x000000001BCBA000-memory.dmp

Filesize
232KB

Download
memory/4572-120-0x00007FF86E0E0000-0x00007FF86EBA2000-memory.dmp

Filesize
10.8MB

Download
memory/4572-131-0x00007FF86E0E0000-0x00007FF86EBA2000-memory.dmp

Filesize
10.8MB

Download
memory/4636-189-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/4636-188-0x00000000007D0000-0x000000000081E000-memory.dmp

Filesize
312KB

Download
memory/4756-76-0x000001D47B650000-0x000001D47B672000-memory.dmp

Filesize
136KB

Download