xworm | 6b7c8ac18f492b4536307f4680cd40a9990bafc716d451575ba46c124c3f07b9

Resubmissions

06-02-2025 00:57

250206-ba41bsxpa1 10

04-02-2025 16:36

250204-t4dz4stpdj 10

Analysis

max time kernel
1799s
max time network
1154s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-02-2025 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.6 PAID.7z
Size

29.0MB
MD5

0ea984ec2d550a4205fabd911f973a6c
SHA1

71307409e69eb60fe612315e09d4109f91cf23c9
SHA256

6b7c8ac18f492b4536307f4680cd40a9990bafc716d451575ba46c124c3f07b9
SHA512

7bdb043850bbc32d41872b4090426e2193582b139e8be25972b25b9f9fe3a1c54e089a5738a78a804211031a010b8e9a6bd8d983cb534fb34d4a0f87e9484eba
SSDEEP

786432:WqVzpgbD+4aZ/INeMVKyBMtD2Op14tMIADxrHLfygiw:dgbD+XtFMVKyGUuI4ZHLfyK

Score

10^/10

xworm agilenet defense_evasion discovery ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

v1pmXhMionQszKjj

Attributes

install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/2120-1086-0x000000001B8F0000-0x000000001B8FE000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2120-957-0x00000000000E0000-0x00000000000EE000-memory.dmp	family_xworm

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	XClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	XClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	XClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	XClient.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	XClient.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 5 IoCs

pid	Process
2224	XWorm V5.3.exe
5080	XWorm V5.3.exe
2120	XClient.exe
5000	ngrok.exe
6004	XWorm V5.3.exe

Loads dropped DLL 3 IoCs

pid	Process
2224	XWorm V5.3.exe
5080	XWorm V5.3.exe
6004	XWorm V5.3.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x001900000002abe2-709.dat	agile_net
behavioral2/memory/2224-711-0x000001E2B0C30000-0x000001E2B1A0E000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	XClient.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngrok.exe

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
3048	taskkill.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133831606381696998"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "4"	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	XWorm V5.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	XWorm V5.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	XWorm V5.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	XWorm V5.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "3"	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 7e003100000000004f58772e100058574f524d567e312e334f500000620009000400efbe445aa384445ac9842e0000006cab020000001d000000000000000000000000000000710a4d00580057006f0072006d002000560035002e00330020004f007000740069006d0069007a00650064002000420069006e0000001c000000	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 6a003100000000009c59c6bb100058574f524d567e312e33424900004e0009000400efbe445aa384445aa3842e0000002dab020000001f000000000000000000000000000000a940ff00580057006f0072006d002000560035002e0033002000420069006e0000001c000000	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	XWorm V5.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	XWorm V5.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	XWorm V5.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	XWorm V5.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWorm V5.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	XWorm V5.3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3416	chrome.exe
3416	chrome.exe
1160	chrome.exe
1160	chrome.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
5080	XWorm V5.3.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
5000	ngrok.exe
5000	ngrok.exe
5000	ngrok.exe
5000	ngrok.exe
3320	powershell.exe
3320	powershell.exe
2120	XClient.exe
2300	msedge.exe
2300	msedge.exe
1820	msedge.exe
1820	msedge.exe
4464	msedge.exe
4464	msedge.exe
1232	identity_helper.exe
1232	identity_helper.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe
6004	XWorm V5.3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5080	XWorm V5.3.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1820	msedge.exe
1820	msedge.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1700	7zFM.exe
Token: 35	1700	7zFM.exe
Token: SeSecurityPrivilege	1700	7zFM.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeDebugPrivilege	2224	XWorm V5.3.exe
Token: SeDebugPrivilege	5080	XWorm V5.3.exe
Token: SeShutdownPrivilege	1160	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1700	7zFM.exe
1700	7zFM.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
5080	XWorm V5.3.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
1160	chrome.exe
5080	XWorm V5.3.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
1820	msedge.exe
5080	XWorm V5.3.exe
6004	XWorm V5.3.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5080	XWorm V5.3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 4388	3416	chrome.exe	81
PID 3416 wrote to memory of 4388	3416	chrome.exe	81
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 4268	3416	chrome.exe	82
PID 3416 wrote to memory of 3860	3416	chrome.exe	83
PID 3416 wrote to memory of 3860	3416	chrome.exe	83
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84
PID 3416 wrote to memory of 1984	3416	chrome.exe	84

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system	XClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	XClient.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6 PAID.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85188cc40,0x7ff85188cc4c,0x7ff85188cc58
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1688,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1680 /prefetch:2
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4396,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3656,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5240,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4252,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4324,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5284,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5276,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4896,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4268 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4268,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5460 /prefetch:2
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3512,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3400,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3380,i,5149324897694842959,13765453173921961120,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:2584

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3436

C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe
"C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\Readme.txt
1⤵
PID:1068

C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe
"C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3d35cqqh\3d35cqqh.cmdline"
  2⤵
  PID:1604
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4609B834E2B34B309EE2C399C0AB2ED5.TMP"
    3⤵
    PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85188cc40,0x7ff85188cc4c,0x7ff85188cc58
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,10012224898366347234,1612561484079480468,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,10012224898366347234,1612561484079480468,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,10012224898366347234,1612561484079480468,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,10012224898366347234,1612561484079480468,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,10012224898366347234,1612561484079480468,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3116,i,10012224898366347234,1612561484079480468,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,10012224898366347234,1612561484079480468,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,10012224898366347234,1612561484079480468,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5092,i,10012224898366347234,1612561484079480468,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3528,i,10012224898366347234,1612561484079480468,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4956

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x000000000000046C 0x000000000000047C
1⤵
PID:2076

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2120
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im ngrok.exe /f
  2⤵
  - Kills process with taskkill
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\ngrok.exe
  C:\Users\Admin\AppData\Local\Temp\ngrok.exe config add-authtoken Your_Authtoken
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff834c33cb8,0x7ff834c33cc8,0x7ff834c33cd8
    3⤵
    PID:3576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,10225142143434167345,11561406440317988253,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
    3⤵
    PID:2344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,10225142143434167345,11561406440317988253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,10225142143434167345,11561406440317988253,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
    3⤵
    PID:3304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,10225142143434167345,11561406440317988253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:2884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,10225142143434167345,11561406440317988253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:1312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1844,10225142143434167345,11561406440317988253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4464
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,10225142143434167345,11561406440317988253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1544

C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe
"C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:6004

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85188cc40,0x7ff85188cc4c,0x7ff85188cc58
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,9166140440736539088,1005410601050023438,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1784,i,9166140440736539088,1005410601050023438,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=1972 /prefetch:3
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,9166140440736539088,1005410601050023438,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=2408 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,9166140440736539088,1005410601050023438,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,9166140440736539088,1005410601050023438,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,9166140440736539088,1005410601050023438,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3556,i,9166140440736539088,1005410601050023438,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3144,i,9166140440736539088,1005410601050023438,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5008,i,9166140440736539088,1005410601050023438,262144 --variations-seed-version=20250204-050150.294000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:5708

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
79e90b79849ab24f7077995c4e45f1d5

SHA1
3dae744f25bcaa1b690d61b789a8b1e58a790953

SHA256
3d2a7a2b6c89618f30d26fd5dac9ff7d52d6cf1d3651fd7aaa1d1229464b1507

SHA512
6169379e245102bc4b1ff74bc2c7cf356f24fdef55e5f3f8a7323da36f6ca92f1ec38bf230cacecc89c33e12e1b201de417a570a998f31cb281bed3ae8f8deb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
abe2985854bc8c12e9c093a87a3e8de7

SHA1
c3c24009bd0fa1f2ce5ba784024ee4ac9d795aba

SHA256
19f5ddf908983b1fbd221af57fbd7bbacbc0d9073767b5bde6f830ee0f19dc90

SHA512
27d0cc8842556ad70b416a007f6ada07a6bf0c7d78d081ba56b9e6264e2734f7d43d4624e3163cdf7badeabaa4666b5f16a66f57bd63c5852af83cd54eaf131c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
71b8ab872229145449c3fe4521f15575

SHA1
be1636cb03b52b58e1cc6bd1747d1354f3d3efbe

SHA256
7f014e09e169e3ab8e68482389d8e773523edd8178a9741b8cac18a3210a712f

SHA512
59a3cb52329c0d7d7aa5dd9f4e5daf813959859f7050b4ef1f03e29281964806fbe6a5ad3799a848253ca1faa8d4e77d89581cb06033764b54fa3efe9b4689f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
13d4736c966d2e357fbfee5a9b2d397c

SHA1
6bdacd5ab34cfab490ef7001532c53a12696e0da

SHA256
b24a8ebc060544c6700ee7bc43e9e75f0534617964c7cb8e1df5c3c7e8b8bb94

SHA512
5d5788f8a070ce1c0051c633c9079fd089d586ed37cacf9e0b44faef77d47c0482b5ae56e7bbbec3a9806680c41b49290910640088a102e8313a15cc5f3dc206

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
7803941920e31670f716c0a0af14a280

SHA1
b93c517f0de1c2bfdc1ddd6898f3208a18dca7ee

SHA256
b2473c84d459533fcae7918ecb04605035da10825d502d7f53fbbfa01b05d41c

SHA512
12d7bc1bd6756975726beed56cb1845cac77171fc31f19a004e70bf6ffe5c183a70d3891e7ec677e787bd9574edf6589cc697e14ed6b86d1a2f0b57fe05fc75c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
2fde0900aabeb4a43182f4538233f3e5

SHA1
38d743144c8672c6b2a8cddd23fc17bec8a6c487

SHA256
0ae2a0ea8f9f06b1fc2ac9f24a137fd69c98d436deae3dd5663c2edf3020b13b

SHA512
cad022a2cef6d3b0f1b79a0475ebcdffa30ecb83a8181ccffdbf93dbe66c0563b863e18d4dd1c7810ab07210ae8fc384c0720b013d5c57563bbf8bd966513f23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
ec2d15a400a34a237bc46216fe6d20c8

SHA1
6629bcc8846b69682f7b5273d28f5b24e73521b9

SHA256
7fc5b174326bc20c0df72581f39f0a9c7c332512cbe9346140910fff67503a99

SHA512
513a71addedb464f6c555ba8c6f489217f00bc50497fd0d350c3261941b4d84f60070932c07febfd34fa556de7a41188fbdec290d0d29e34dfbafc73ce5107a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
b917953beeb86d7045632000326e6971

SHA1
3fa0db77441f86ff59f795501137bcf47d77a81c

SHA256
b48260cb912ff61db0913d1eedaa9a9b59f2cdba97e7a3a1a400b2843072ef54

SHA512
cdc26f695f9c6c5c6ca689c0ce17bfa7ed139ff0ee4fbdde5ed42189481968a9260b3fea05404a14d91bb887194f0fa672c52c3ff366673260a9a2ecc125da01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.86.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.86.1_0\_metadata\computed_hashes.json

Filesize
5KB

MD5
b90e29a684c6f7a524f28d6e278dd191

SHA1
6b5b99427288d4e764ac37b909a8e72b1fcfcff8

SHA256
995591621cb3ffecf8b9ab63ab1573d5f14b8d6cad10aefc7215438ce25992d4

SHA512
f9e20fb8f459642123c33ac363b8929f8bfd92a10cf4b2e13a8ce2fe6717681abe06af4d1253d6e8877541a9440c6c744595d57f1492a15eae718a5420df0bed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.86.1_0\_metadata\verified_contents.json

Filesize
11KB

MD5
6c41f52ebf3c6868f14e2687f7d9d6b2

SHA1
2f08ebd8740e1d64b299e6430e3317dbaf7f47d9

SHA256
8a2da780b5c51a957347195d86e1fce3598606224754fcae97ddced4942116b4

SHA512
f16cc71bb99b6e1fc4d4039c35c3181ef4cb3e3f99322c7d531faf3f3b0686042b9c31cdf0683a2656e7f6dbbd75a59d19c174025134dc3dd74036f8bcfd1f9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.86.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0

Filesize
44KB

MD5
bbf08113ad6739ee5e8c78e353e716de

SHA1
60a57cc0b86489fa5c118dde8c935e89fd7c01e0

SHA256
e16b99a40d2006e9fcb7b31f44c82ebe16b781993984715f765b4165ec40d029

SHA512
0c65cb291ef1622cbf377f7ff6dbf07a59fbd60f96107bb5236fcca6a6bba6619fa1520cc1e48347a06dc4d6be8abbea3a3611a502c07ba54deeb9cd17500fb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f325bd25f0532fb836e65151d7a2a9f3

SHA1
01a471767941a429b76a26758e10c3bb32e6a19f

SHA256
a9079e8fe6bb0467981c6b9aa577cee6af20d968796b7f1aac718b5497de94ff

SHA512
5b560f42f1fe46ffe57a432ad65354658a8634c0a1185ff45c1856f5d9d847194ad0494b9f6cc5497e85a869131397e9a7cb1a0624d3f84ae36297467e3d1344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

Filesize
1.0MB

MD5
6f80e0752f36f417d29a4fc4ae76d9bc

SHA1
d2c0c0e56ab7e0b2d19f7788451dd954cf42d458

SHA256
c1028f06127b117e88321a67b4269ae1950231ec9c65b48dd44a036b4ff9e779

SHA512
a0071bc45a085fbd0872c41427ddf4d0dd62bba18f26fd8bb51bf58eacef1f5a2a75f12e673b595ce2785904c11fdcea121f7fb324835c232cb108d165965204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3

Filesize
4.0MB

MD5
cfa172a650b84b3abdbcc47097ea7b57

SHA1
5b45943b506c37225942826c102fcca6bb743847

SHA256
74581baa80a130006b3dd5628aa4845b20089bb80a5c5710c459e2708c95b038

SHA512
fd8626ec91e0b48a17bfe1bbf51ff8419717f631109ea2ca39b908dbc06d7628b4ff5d861bee7bc2070685c59a63c9c3759db1cb589299a0cf430a7d3b5dabfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
e67be7cef6efe998b47b0dd7d2e52145

SHA1
619bc6a73a830fdfdec1244b2c0503f6608594b5

SHA256
b07f5476c30a29ebee8269990ef84efc05c7279fdec62d7c16c3c0b6310ae364

SHA512
10be33d6325683a961d4f6dfb93dbdea57075caf3235d68f4392f0ce758cc1da11e742ace62c0ac09fdf248844b20719a4b42c88e387fba194bf9acccd2715bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
660405011625e79020371f7ee4bcb2cc

SHA1
4460ca7acbb03cfd3387dd134d381c4cda48f6a6

SHA256
36809810aefc7b415f95627bff0b387fb64c0dee17b5067bede21400fa6574a4

SHA512
04f110de22bcdbaf0acfc25f3fc6481db8cef72ee6cc6c569a6f7662fe9258e3222f535bf152bbac88c34aed7201aad78de60df34c8bd7efee86fca68b9ca687

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2e285bfcb43461d8ca515cd3b2d938fc

SHA1
11ba0ec66ed2c090233dc85949019f1d61016319

SHA256
932818f2c05678e59577d931dc2ec9378d45a5ea16cfc0c32f8adc0c4014d5c1

SHA512
ff0c566ea75ac6baa5635d486933170d64e8eed50c4b86ef64ca011d29fe9e87c07d15f770dd2fea293035e811b8da72db1474ba495c484d2de2d1b802cb6392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c3ee22ea76c2db115b9b8a9c82e99836

SHA1
aadb19a887e03b1b19d5c77562837b9abbb47b77

SHA256
bd18352d288cab5d32bb264a792645fceae7188af5effdb0eea6d2f03246e6e6

SHA512
27a8d9384bf9ec6ff9930ab6ffcead1389a38c92ecf4860311dd2ac4df39ef7f62c4df9a09610ce00b9a14b8c45f322c6d9ae1f8f31c0a7d0ea5b0899b6f49ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b94f8ede9802fd0eafaf35254c353e64

SHA1
17732fa25bc86a89f73eb356cbb5c299cc41d6a2

SHA256
59b1f1f65714652c80765edb31b650f766c3254d7fa3f3a06e6b1caf083ef9c4

SHA512
1939aeca49bf762a5dbe33288b73024ac1192b067b96199851b6a5f9ce92380e0951b96575b219481883430679f2e3f871f50ebaeeddaec7d44bb8c094a6e214

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e43be9586a624672e9eea14f8c381082

SHA1
8538276575407b09e9f26eec19b5e449b74e3430

SHA256
31451efc036d1f8fba7cd5042076b5198113a364004a767d5d5592249db09110

SHA512
b11f756aff77da980763ffeef5f6efa41e6eddf3ac0f52cadb06f3ff451eb7fd3b512eb37d755ed0c12bc89e17afde7e7d567fb874c04897aca9610cd75b88e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
b4ebe7c439f8ade970ce74339425e2e9

SHA1
5b0586d869d3f27ed44169f0af3ab89ead0c126c

SHA256
7fbead7f06453e49d4094769aa8bd474600c1d476269b3e25fc1f6894938c38c

SHA512
fa6ec71e62fdaa20dc119c87d93f29785eb28eb16b4c68ca2df7718fd1c2b440d2640239d2a76a3538ff5e6ede85f1852742f722dc468cd94e6015c2f9ceb902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
af2198c2757225da662647b3cfc006f2

SHA1
21d2e9f7d701a1791f97f9da7f56baec3a62a473

SHA256
2eb1941172fd1aaf849ae8583ee8f1a720f0f32119bc3a9ce0d788c9d709baa6

SHA512
5c70fb7ee93e9a0f33654d58e9e60fcc650ef9859a718d1eea0221de8e1bbf66a9ba47c1431dca25cf43abaa2d597093ef37ff524af9c3f9dbfe799964c8f901

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
388268a3c0462e9019178ff138e27ee6

SHA1
f1d5fadf451e8806bf117bece69e2b84ffa06b0a

SHA256
54134cd2828c969779a10a9ceb70a21c5f566b960fa7d1c8cb103d6f8545b8e1

SHA512
87ebf153a5c070f53fe749451a4d44930324ec88f1c2e4d60211da069ee6dc3fe8e4521351d7ed1f7454fa2f29861c5156ae6b9885a36a7b499a002059eedfcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
14f8600f0704a0bb120f4bd2e8f7af3f

SHA1
5c61ea7fed4306159d68ef598da9822320a696f8

SHA256
06022789c2be71d598ed017c971914dee087ba09462c940113f49a714810211a

SHA512
ff1425858bae83399a53d893aeca3c7ce99466af46887ff905676835b92e0c728e95bf35003054ce42218defce43624a89890e772e7e8652c91ab081a73c2a03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
b4c55498a8328d0d4ab20b0d65e66d02

SHA1
0718ae7c2623482ab6dc0a7cfd41dcc913d4f4cf

SHA256
0239c9ae0e6e9710292dcb1a4af780b8602e4b2ec48d50b138a606caeb46d4de

SHA512
de6a529a86732198485052c722dfcfb2b0ddb0f59bca00bc337af360aa046927d48c0c34e0a729d491e09e07da5aa50ea967a988833912d5b0dd6c3a0d31f097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
76dd0271552fa23c23c0b73e30fc118f

SHA1
5eb6cb84102af85588700fc157c7e03e157c193d

SHA256
9fe53736ade235e4c251b8fdc8d2b34a835f57fd1986962b0bc9cfcef8d4b83b

SHA512
8699ab2786d0365ec7d7d2d8304b375f4429cf17c66b617c202591fb144b57079f66e9facfad14734cc79bd493f1fb7090c43bc413541ae1480eb8fad9f2723a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
11d65901023ad28663fe389240d7e17f

SHA1
4df38c41e173c831b70930b7f621d0d9190d0905

SHA256
8e277498b79d6bfda42d463e9bf41ea102e0c2e3877921332d806f43bb61aa73

SHA512
462f820ecf841a95831710e0794b8db4d1d8aa02a3b4ea4a940ec6640f1c0353043dcf65c71618545776853a900c7ffcb130758f1284f05db1326d9fc44bcdb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
90e697089183c1393a3d7eef7fb8bc61

SHA1
66514bbc26c984c9711f75c57f36270cc8c6f248

SHA256
3b6e5516bc19959dbb0709ae356e9b9bf8a6f01e5e894a0604cbafe7855840b6

SHA512
770ebedca83f2b331f0aab3e22124247d9d1154c8adbfb952556420b9b565fa369878f7445d4bf21c79b0b14ee1d61ddd86092dc3e4be18525bf9ef4a219dae5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a6652c266fdef206a9ee901b073c371a

SHA1
735cee3d1f1be14e5177d55c9e425b4269121c86

SHA256
2a935b3f75d4686ed5a50267a7544cb4e3408bedd61edc86b0db62fa6d90fd5b

SHA512
7d165db92d80ec46c66aa8dfe97e78779b03a8fc7b47abac50f178ff19d89c88a3ee214bf39c492b8d2080fa65119822963650c0b482b3aa91d7234dbca110d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
925aea703b79ac47889446906830b484

SHA1
8c3104fbd028c517ee7bd871e6146cb6f06ede3f

SHA256
5621e9257bedca32e9d8f6cde920cbd6c8cee9d3611fca4b8ba798278b2b0b7f

SHA512
33c147a875a18b7aba2ee8ba7cfa17152214ab6eef55345f2d2655d6738f6aec00b117e2315864123c69f4b232f99a17671bbee3bb546e2902af8cd99b3990db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
37f971a0d5ebd698d7f8a21c53f63266

SHA1
6f8d2ba54aa9d69e56f210754a8f3933bbc3de0c

SHA256
60ea290f6f9631b45fb40dd2ae13862497452d721083a00c79912ef70b32f69d

SHA512
b26d4b96eec96bba90eb5b820647e853f8cf4b3d7ccf5a72b06f641ff1a91e07507a63f7e462aee9cf0d43fbe0bbf9df5d2d19d2269fa8befda63e853955b879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b1a51a70fe223092a5edf63dfa321680

SHA1
37f95b118e36672a609666412be4a1eb8de49f38

SHA256
c590c93b3d2978d61bc0d9140553934ef95c70442df8f7ae392355182a28a509

SHA512
543adfdf5d2358545bb71b2d7e62ba83b8a2dd9deec158dbe91f57e08862f2f146b564d4b888a5bd5ac6a95d8ad14f9f18837c3f2523d9c0a49b2fb8c1fe2bfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f8b8347c6b71fff161debb5334ad4bc6

SHA1
677ca6301cbd49ead8c3e71e216f515387adfcd9

SHA256
565d45e35ab08ec5093f8d292d3ab0b66aad323051dc9dd4ecfeeeb457870f76

SHA512
38a2bf7ca5fbbcdf80d999e6b435d0271e1ad8472bf7a904e1b73b74a8efcbe312a39c10227501340308ca0be41328cdd8dbe4cdeecb85a81781882c11cbb667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fbbb6d2586b8c81bfd18bb4d8fe8a7f2

SHA1
09f5aabc5af3606f835748b7892945d9f5ec2b63

SHA256
eb1fd1ccaf2a7a343369a9e8b1b893e141793dde611c4d48430afab5d71aeb23

SHA512
4ac804a8004c6816c898276824df8cbfad484711489de301654f2dacf688674a05f892a27b22662716041c47c0be7bdfa3078723246895ce61241b2d87491d0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1b0b42b57087507869bdf91a43b29ca3

SHA1
d37d5287c4fe0c72555fb59d58b33a95dc693547

SHA256
4d8236dc08b528fbd3b7845af6cfeafdf8f8db2a6ca4fd84010e9915da3e103b

SHA512
c9ac11f59ec9859cf292cbe71caaaaa767db37467d409c9d5077fa8c069cc73ad828c82469553f54b6982962be4fe3cb75e4abf60932962f59a1b3ec38c72152

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
199d59393809a1e0ca247bbe907b55f8

SHA1
7db65ee4986c7f7d775e33ba5f98ff02925bef88

SHA256
a65f8db7b26d9a61718cbf3ce408dc496a22bde2cd38442e4033e5fe5ce0da1d

SHA512
c99eb8a89a56e23e3f11c3555fd19ae9040aed2960da0c349b43439e77cddf6703ed5c974f090bc90ca9f77ad92c085713581994bfdeef78c09eb8a8e336de05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b04a4ac97d98cd6ed22078f3e70e8cc0

SHA1
a068c546edde23f1ca9b3618736769f601cbfeb3

SHA256
7ef9cae02b825c7c52f5769effa25bcb87e9a859d94cbfc54eb5ca88d06a6fb0

SHA512
0f0d8b9eb23cdeb0d686437430c579e5cd1b12acbde591d5277399a8f7c2163311322f7088490f59d1bf1c0970245a3acb73c0eacdd6dfa503ffad1fa320d111

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2f7f4d8e78f41a3e91259830e88babd8

SHA1
6885fcedc80f8e0d0502588a7b2d16fbb9944733

SHA256
d24e39fa8522ebc1214efabc533a28ce54419a322e055a982590b2a876fec519

SHA512
fb1ec72f8a01a059f8e1be9ea561ccde44d9989a0f644d9c2f54e574efed6c8e2f47cb4decd1d21a6d994227a3c66c6d48669f14ecf193f048146d03df027afb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e5a451456a5c775c7b31c9fc2199d7ad

SHA1
dc9171b5c3428ac67fc337438cad0dc0196338cb

SHA256
03f36a0f2dbf1899b7a99d82081103f9b622b9fcedc49aa5d8018db1285c8a90

SHA512
e5ba9c68f78db0f1c682f7414818afaedab53361e12f8e8f80ccc1ea62235760372df21a558b53681fdb1e3a0711d963390eaf66f61c362881da337861b51532

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
297568ccd765da4125a0954f01f1450b

SHA1
358e81ec71f5a54e81d3ad98ce0013dc7d9b84c5

SHA256
b3e22b44bb37770c75eacb8e317888f369f097f4181dad47e1819ee623d94a60

SHA512
b4769b9c9d61064663309ba100581ea16cdea542eae3f6960458aca1156d40014aa6726ed0eaee72d68e2bed05c380098533c4115143d4089764b8d993037b91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8a254ab01474df640f4941fc664fc5c1

SHA1
85c629d210bb681ecd2438bc07ef3be72fc87a5e

SHA256
b9d9512daed81fb906acdf2d572bff766722ef1e1b1975955c8d1b58ec2fe269

SHA512
a15c1ddea3bb8258bb52f8dfa5580ebba6956fb4a66b4a21e8acad7992b6b747bd279a367ecd01f546507fd7dd285cde6df8a2610bae4126b4f6db6227c37e42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b10e3fe412f555a2f7eb7b98343551bb

SHA1
e846490a1b3c76f38204759130d674ade88c1dfc

SHA256
466219bfc7b01a26d871d07dfce584f2f503a6c11e99e5724f40b6cedc506383

SHA512
2db6f743e781f5af5c3ec665e395975224f4faf4a3b05ffc7f17536e95c0d13d6a302c32f666cff0dbb7ed9963662dcfa766e770220216d5ead8a78885cc8520

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b0698dd80a41bac079e50e8825ba1116

SHA1
a24cf413e9265c5bfc27873750edfaa985cee6ea

SHA256
0e0928c7b3f96d81172c729bb33b09ace687636fdab41e499adfe6168ec4a086

SHA512
dd36a644b4df6be78a2a5d5b69239ef4f2d2a5786a9e7f9b22e5c90eda12039f4d5b2c569aeed83a5a05598c66298c17524b4a6d7f2e0a1b7bde1a4e8ba1e2df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1ce9b6c4b23e3a63239c7b23cb5acf76

SHA1
3b86c23d424b2580bee62c3b0b6753c2f1ae713a

SHA256
0b6b4329359a5ebe4b525e55777681302c764f87a52f18828cbeaa0365995391

SHA512
bbd0ded736f916a46ab678e9f2bc1c7f95d76e12bbe371417dce85547380ebfd31f3857453f1cf2351bc2239f0f4e56bd38fa33a977c9ab6fc64b84fc80075ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
52ab436c104d29fca6b922fbd1c5026a

SHA1
6bac92a5c240e0df81178103512fb205b17b13d9

SHA256
da5d2dbaa3b2e8f26f4d493b73032dd56180b5c1ebdff4bea711a242ee0814e5

SHA512
1daf87e0cb2d1fdc577e8077683cead230c411a6ae67e3fff7adbf4537780b64d52f1dce436f4cf9ba7bc9e0f17a2304b2f06a68b8db433c75377d6685afbd7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f773736d87e109b115a3fb2f3ddc9c0e

SHA1
aa1f68041e59498b488a92e381a93241eb41f4f1

SHA256
94a56d2ccce1b341906f86565f4cb103c4d361e82e3d734b9aaeb386c2f84b12

SHA512
4620267a0ce860ffa202d7d9ee25fa90fd68e24d9d21e2b8773064ed00c4486829bfe899dc545c67b3ada8d0a81a7799610d1af269c64079df3b5f8074819d51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f97560f7e933091a4c24de8a22400b7a

SHA1
b6b22f47708c9f021366f49c57d74d2e56c4d144

SHA256
bed7c146c77aab395d9cd3d39accbed88c80364bb73fd6bc599e964b12665832

SHA512
3c5e4ba3590e67828639afe6cec4d3131ebb1902a9403c2dca6adc24446a7493abf4f18db85af5266f8ac56a716075c0f24c8e82652acd8bd44d30e33376c9d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0d13cca01d63c7fbabbcc2175e0077f4

SHA1
b9b28e88f683a9a3d2dc78af1760019af50751be

SHA256
44d9d70aa748dc93091907216916a2ff5619182cfca75be7e39b57286670f864

SHA512
676f25e8635e0e82d0a313322cb9ede4f57a7ce862aeee6b5352b3005085edebb763eb4b2b52bf89afe4cce4b805865bb97fc375e74a7aeed12eae136be05690

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e12af46ef97ce2257f8776751ed88488

SHA1
056dbd8c8dda3f5080c8eb522ab40c0b1af0b164

SHA256
2f1469054a88b598a41785fd30eaf20dca59eba035226a75e3f851e07b9411e2

SHA512
baece78d227e39bf3355355a0c93450e18057cf6b3514eee662498d1e1b7dd9f67e27ff4519efec3ad32fa833d91e269cbf1d06be9f9445b07c9a454544fdbed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bd4961548f6fe9d68576db39c0090806

SHA1
2261079edfba0ee8c0884525864348c32cc9f1b5

SHA256
17e095d611e06325dfa6025814f124736e9083d6e2c086229b97c22f440118c0

SHA512
ee3fea5c8f9732ce46a7c3f76852fe65805a9522513418858ee49cba564430de556495c8baabe31e7775334647f64055c985f0658383b4d2a669f38351a8cf52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b9f279bde9568b3a6aea613dc3a3af2e

SHA1
7c1257788b7a9f9fc1e10f7664314793551f63be

SHA256
0ac5f8702bc74fe011d55ec05ff3fc4c4bb6b5d0eb5d04c7018b400116ac12a3

SHA512
a7713d6bcb0cbe8d5bca674ac3fe8826162bf44a66044b14388a14fcd36eebff7f4e59ff65c114caad0652cc94cc66c751cbe1744a21606b88e436e2534b8568

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b90fdb6c89dc18f56038686d18ae0ec6

SHA1
c0f90539fe3a7ab6a67347bf4a1fa013e2262b93

SHA256
8d3356c678ed70b6bc16041e2e1db838eb0e434686218d06c65d3fee0781be45

SHA512
23af4c834c6df48912ae8797873f0e16837c9f2876f004fc2d294af32478de9db1df8f0d03362c1389bca54ef53766694fc0bd1462ddda253a7ecd349891bbd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fe311cf2a28b430f810187915145a04a

SHA1
1d89a32802a2b7e441acf5d1662cc1ba4cee5f77

SHA256
f4c09fd1351854a7432470e9cb65413953cb0bbce8a03fbc7c0c820c83c99524

SHA512
a3668533246c3f93c6224e4938b70384cb647571006fa659803abb5cd1f8cd05135ad006be6fb2dfa65da80a02d57dffb56259dd39d7391e00fd2783023f2b3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
338bba659ee66e7299f1c98c127f0a74

SHA1
0bcd90929ae1e289e926d302c6de2c510dd7f316

SHA256
05e9a13704112d617adac92a59558d42a8da00ebb077e4c7e85ad08137a80a8f

SHA512
49efc039cc7311b9cc99e90f21c3b1095f7da58a4eca3111787bed8a9c155336f58812acdbf47629623cc7b3f9418fb6346a7ccdcf04aed095d3c12980a8e058

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
41c84e47ea3c8e6daa29d13ba72718f9

SHA1
03c3a566d9708c65e3fb8df9cd8321710e78f509

SHA256
0fb02ebffb190ced73a53db5c0886ffd1ae1cb56c2dfdbc5df2f1d0f982b85df

SHA512
65abe3d6b67088f2a529c785ce9c19217e912048d9a6efbc5241627b3124845ce403e553035461ef8340bcceb48c457e7f4534373b8693e8986b58b1f58970ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4954745b0cb9e91a44501ba86a79b5cf

SHA1
83c2cb008747ebf2e3b8559f69654df1c5b3b1bc

SHA256
4f8ee8bdb541e05e5da6cd1defb83ab49b78689cababf1c1a1c930a36a493bd1

SHA512
9cd95a7508d286c7d2fc40218c6d6693dd8b6b22771705400757caf7b10cbbd4092592f5fa70a7b3c494509d801dc8cf26b62a8576730027e904b525488bf5c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
35d2c4a514c2290e438d984a80d2063b

SHA1
9e505cefa5b16021a05984b8eadf846bc76eabbe

SHA256
1759e2f98c4fb57d7b0bb301f8213f6a28909e9ff7904a17fa835bb68bf337f3

SHA512
614f3f9707fa11d859440c36057ffbc544c8e360e9ce74f2206656e3b412ccca6ea0e2ce8457331bca28b7a26d2e4205f83bc2f46c5c83c8ea3316f3488ab5a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
3KB

MD5
0e2274179b6a8d815a93c5f011e67c6c

SHA1
34f813ae9078778e1d122e48cc78ce3cd826c261

SHA256
9a80e7829f2e661bd0e4cc4817963a9318c24fda1c221d54039ba4d532c7c9c0

SHA512
20776db61ce43eb999dba27c28ee44c5c6d0fb0e2da2006e8262a13bc537d73a8865da50c275c807a3ff58a5f0b3540aa7081d6bfc32183e80671abb07dbbd05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
336B

MD5
07c5b2bcba2898e15c5036ae25ce0eac

SHA1
4978f2294ae1f5344c5c3784d31801e844fae176

SHA256
05c6120a236ebf387104852984ad2f57fae8931e2daeb4c490ed67963baed698

SHA512
436017d6c0dcd2d44b00c89c10e9f1de11c52d3b069fbb32a771fd3b87ad694cfd4898e7c3f02f83fa4539130bf0ad18cf17696dde8357564e679bb91269a071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ac4cbb4109abcfb834ec202754187f65

SHA1
a4b19effd0adf48c0516a40d21d109191e7b2f74

SHA256
51bfe35771f26891a0de95e3e1ce8b53d019519f1a032e277432ef3a3ddd53dc

SHA512
cace486ea52c2e09174ec33c16941db7192d30131f9bcdac2247f08dbe7be90e7bcb7b1e73d103aa154e60ddc0d9400dc5d2ce39d7eddd27338c8fffd9e20936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13383160658642031

Filesize
2KB

MD5
aa6565bcc0da2c1d95645dae07d25370

SHA1
5bf5c6aaa1f16ea4c85ec369bbe0123b9da6d7fb

SHA256
29389d6e0755b1e57ea409035b175ef9ae6e9807d500c716bbcc360df86b49fc

SHA512
5a8d1881d4bb72d8c47a70c019875df3bf77a23d64b6a74c138aeb38ee16632ce96bdf1f464bdc58ce4ae96b1d64080edd6c9c52b368f826bccd1931ab6c2725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
211a0e8c9d910d733be3047d5145ba4c

SHA1
a695156d1be51b5e4ffc116169457d54e7a0d0eb

SHA256
705181e8f5217a0afe39062c869985f0b86981f38aba049fd556272c4a7a1a26

SHA512
17543e691a0fd64c94dfba61771941995bc2375356c82356920289cf08c6de8e1dc7d49b527d9e98b98ef55182666aa65abcf8e2ae4f740e5a89449762891c85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
7c325230100ff434f2682783bcd92453

SHA1
af08c3c6b0993209bca107ebda6f1c51a01f692a

SHA256
acd2976dbf02256cfd5a8362aa715494f2d19fa0e0462fbc59fa13f9f6cbc66c

SHA512
7289e905ae8682d280620a20e54085e217ff8fa38ee55f8a2cc36ece4f3715da0af8a39dbbbb5cd0b12360aa080e5022b7a9ccf792c65c552f49ea42a702a6bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
324B

MD5
65fecf0fca0185a4aa913d65fb6fb665

SHA1
aba8891fb5f48a3919b8b63840350b471ad36c38

SHA256
0e10a311133c01330fef9a1e80c5037cd3b896cba0a8b0b1503d17fe930a8201

SHA512
5ee449b48035cae0e282caf069ee328650c621c624d7f17f711de12ba21a18b85e14b3f023e51606805921fe7bba5c11ce3493d0dc04cce4a8f90bf1e5ccf5ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager

Filesize
40KB

MD5
28fa84d3b2594f0d6b2fd16523846b3a

SHA1
bf849af1f4fd2f5a6f349626de76b354295760dd

SHA256
2cf9aabfd9d5a6e026c1799707ba6a918de6927f6776829fa37dcc89c9b94285

SHA512
4c1a6e31683593d663d22d6a20ca763e773b5820cee56ec9741d6627dab7542b81a5d5b025677f70f9bc8becfd79fc5cf3f9c85388571001cea427ed5b868082

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b6640732-e43e-40af-b3be-b28e4c99c81c.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
c983b9405a561ede2fa5b0919433bad8

SHA1
14a4fb9b71b5088eeb88a93670da30980b31a10e

SHA256
df5da4b81d7fa86af6d742d922bafe03e3723f4f914e57a6e7e0be77818c9698

SHA512
e49949df962ea691bc17f2d510b198cc017529621829667b032addd09a4bcf3bade1d553f019501e42e44441b24516afab7d69d82b9abb767abde13ddcd3f4a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
ac0f903970ad59569a1ef3e9f820c896

SHA1
324e8fad4aa759aa3cef091bd975c777f76d2129

SHA256
fd48de81f2a265bb67fd34f3892e02cedeebfc02cfd27ee0ab563b3c948c7daa

SHA512
1c3a50ec8ae6ce707c407fb47d01443d2b21e14b04369f188a7ff074eeec52ffa6fb6234301c80bed8441ab3f2011a2211ee3a6504e51a61fd995f39b8bb2b73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
124KB

MD5
cf73e0f41af9febf42b92925773a59fb

SHA1
a4bc111e8806b9a635d596504387323b6b811f46

SHA256
2e05a3076a35e7712be89265cc38b29cf4d984b1dfc5b4cdeca54e744f928d8a

SHA512
c350bd476a13888c9af0eb383acb8346aae2fe1bdaa36d0e3f52d1ff6154304f07aaa64f70074d5fe8c6f56d3214d7b6233ecfe4762d4760352d0fb695697f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
3e0529ad404786e3e7ec6faea606d121

SHA1
74e6861919304eaac9aa951fb7799a4e58389462

SHA256
0385f1847689b13201940e5a9bc3c4c26b4bb274aa83513e98f6319d11750cc9

SHA512
141d03121f7d57fa80ba303bd079b5cc80d96a653e628c1d21b7628eb44292d198f78da0c8edf7c553ce01b0a0d2b092c0a374f46e65462d6d5f6ba299d05eb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
b714297c628c9ba2cd45201ab182ec8f

SHA1
e8a19f71408f65b6ab241ec4fb8cd1cd39627e2e

SHA256
a6648b5071fef2b75413a93f1762c8cea4c8abf10cf7ff007a672f65736ad304

SHA512
0b5749f3c695a25c4f2b125ebb10d28a8ac53882f6ea9ccf02fe34139d52ed60b97b0fb71028be3743bb640a64c6e6057213a3737744d9d63730072757cd6919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
327d0845cb1e13cc0c616171f7cdcee7

SHA1
4121cf6a0eb377abbfbdb7afc11b3618a781b3db

SHA256
7613d2b8846b35796116d7c1abfc63edcaea244a213778332f615e932665e58d

SHA512
7aeecfa7b34cc40baac73e8803ad7af619dc6e83a606fd2fb077337a2449eb8fc7b150a989dc2fba6fb13a613af96e882de65a3ed1310fab8ed33e40c7c5046c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
403745016f954f0b342a5fa02152a3db

SHA1
94a9e552a3f13e424ca3436f21ac54322298bad3

SHA256
ecb5600c28159cb6fc8389dc2d653e71372e4c7a67bc31da9e4c97d26147c401

SHA512
4467c0171aa4d9b857e21e680177b5619193bc4f20113ebe74413a59d8d7dc27038448f1fe25c3037378776ce1ca1e2763ff9dc6804320a0c66663e6ebcbd56f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V5.3.exe.log

Filesize
1KB

MD5
1be7203acd6229945a1cba0d5e856b7f

SHA1
14ba215de70394a60f5616267ee855f368b41ff7

SHA256
96210dd80524de4c054948d92475cee3574823cd8dc8331db1210bddcd3fafff

SHA512
33300a8fcd18dde69d84a5892d8ff933e71a69328b1078793e00a32899f39ae38a4f8c75e1df7a56f516ac76dc65d4bd61aa9d9fd3a50be9e5774a94ad26f49b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
61dab63188fdc9aa60be108e52d54e83

SHA1
57ed1063e4242b9ab24e1d2f1073812865d8d45f

SHA256
14268e86f9f1e64b322f94aa9b428425b5f3bfff8bf5ce4d0ec94ce4e91ee55e

SHA512
401fe3b47cca6f5d77ca3291931b8821ede68bcdb8a8318bf4bb6472dc4d5ea4ba4bc9f1195eb4be974f5676ea68a26bdb95a4a24d0ff7c9550d9451d7634fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b2101ff6ef1781874791d95607943929

SHA1
b6c19bd479363a198d7a284548c14c8e4cc409e1

SHA256
55cf279000176db2bbc1d4de0cdbab726faa11d06c1deaf4c77cafffe0e73e98

SHA512
765ff80e30af0d2c30533a71b2311f1536b451959c5e153b1652a076165906e67eafb5afab950c50db21820768ce251d6c3a3fe57138773476d21897bf7c049a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d51fa2388262f300f4b6ed6b26e02018

SHA1
ccbd70753e6871b547aea435bfa5638390dcf528

SHA256
a4f5d55ab140792e5cdbde4a7a62352322e6d47893ac24e303be2693b4a732b8

SHA512
de79f33a9c8a40e0fa2f7a1525871cbf0bee807e31445d4d4654c4ccbd775b78d58c1a328094115cc39e7907df0222062910105e16e7565d78dba8cce1527808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ad985d8d38ac65b1a02787b997a2d36

SHA1
2b4144cd95e32d3a76538b7a84ecaf7e786de5cd

SHA256
6d6dc6f2c27e89473182c2abd7907be72ebc53e82385b941d3037d72bd38feaf

SHA512
8625eed092c987abf5489011d035b7be5d2ed9235419fdbbc398821f6fdf25033bc42b1098d8f43e2e2afdfc46993902fb81895f2bc4bb6a510849be58a5727f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bda40ab20a6198228bc2973642a84903

SHA1
1e5394aa7aafc75102c9a0ddad88bb1e1c0fdbe2

SHA256
099128b34bddd7c803d33633f3f1ae41964515a704a0b465bdbd67901700fb49

SHA512
72ca55bda9a61c45d23701f0864ad095af7fbeca3d8d191e9daf2d83a016af9ebb9489795f27daa737c559d483ded654baf80e22d66a481e9f7de5b49d6710cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4A606297\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFZzY\RFZzY.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q3qn5mft.arb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngrok.exe

Filesize
16.4MB

MD5
ee2397b5f70e81dd97a4076ba1cb1d3a

SHA1
8350f648ebd269b4bca720b4143dd3edcdfafa8f

SHA256
b5b1454e2e3a66edf3bde92b29a4f4b324fa3c3d88dc28e378c22cb42237cc67

SHA512
57fc76393881c504ac4c37a8ea812a7e21f2bed4ffa4de42a2e6e4558a78bba679ec0f8fcdc39798306c3a97e424fb875680b7f78ac07be3f7f58df093575562

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3416_726435681\8b9aff11-fbc0-40a8-97ff-089ab7a3dfba.tmp

Filesize
150KB

MD5
240cd355e89ec1f3566bb2ef1f361dad

SHA1
2ade60eb20f0fb16657a4fb024d207a931dc927f

SHA256
1f0388d23a4d8492e2f9839392b22a6957deae8750b60ff860ee939811594295

SHA512
961fe2017949d185761d8491ab4f7f2ec3b0562cfb6fef202c34d685a87f2ea032f53d653e4c1d492dff1fb43d738e7727985738c1a956a1a18aae77a3d7f3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3416_726435681\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\Readme.txt

Filesize
190B

MD5
e388f90db8883175638a3f6180d68444

SHA1
bb433eb2c51569624097172e339c9f9368f0372d

SHA256
f10fd461b04f640b6940665b5f6ea4d1af954992c74978b71a21a58d8cdca3f3

SHA512
b659fddd67a9142474e5bc0dd53b0a18a53ebfccfe8b3170d47eae0d9cc04fae867314e4fd8b537d235f7608d6aaa825329f2fcc07f64eb0650e48e1d6b54b88

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe

Filesize
13.8MB

MD5
897201dc6254281404ab74aa27790a71

SHA1
9409ddf7e72b7869f4d689c88f9bbc1bc241a56e

SHA256
f41828bd13a3a85fdf7a1d688b21ce33d2015c3c5f46b4d92ab6ea8ea019e03a

SHA512
2673cd7b927ffc22f3a4b4fbfcb1b4f576c416d67168e486e6d79fdd132129c9e244e36d7b7883a4a1ed51e993cc4384bf24f2fa3129584f2bd43fd16042de20

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
6851d5fd813e96a6e7b08343c1939719

SHA1
f6a1db680a06f1cb8160ffa2b130cfe9baba951a

SHA256
902ab4d4ad1e9fa1c40d0653b892825262e2c3b120bd9ab1e1ef2970041f7d86

SHA512
16f75e535fc2e95dcf153ccd2dd4f40cb3dbe5918963dacdcdee41e776add54f560acd5c746418c7cd7ce654601798d17e6f3d15051a279324b42c6273fb8c53

Download Submit
memory/2120-1049-0x000000001C730000-0x000000001C73A000-memory.dmp

Filesize
40KB

Download
memory/2120-1010-0x00000000023A0000-0x00000000023AC000-memory.dmp

Filesize
48KB

Download
memory/2120-957-0x00000000000E0000-0x00000000000EE000-memory.dmp

Filesize
56KB

Download
memory/2120-1038-0x000000001E7D0000-0x000000001EEDC000-memory.dmp

Filesize
7.0MB

Download
memory/2120-991-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/2120-1086-0x000000001B8F0000-0x000000001B8FE000-memory.dmp

Filesize
56KB

Download
memory/2120-1142-0x000000001B970000-0x000000001B97C000-memory.dmp

Filesize
48KB

Download
memory/2224-721-0x000001E2CDDF0000-0x000001E2CDFE4000-memory.dmp

Filesize
2.0MB

Download
memory/2224-711-0x000001E2B0C30000-0x000001E2B1A0E000-memory.dmp

Filesize
13.9MB

Download
memory/2224-719-0x000001E2CCEB0000-0x000001E2CDA9C000-memory.dmp

Filesize
11.9MB

Download
memory/3320-1095-0x000002126F450000-0x000002126F472000-memory.dmp

Filesize
136KB

Download
memory/5080-930-0x000001A0FCC90000-0x000001A0FCDF8000-memory.dmp

Filesize
1.4MB

Download
memory/5080-969-0x000001A0FD0F0000-0x000001A0FD3D2000-memory.dmp

Filesize
2.9MB

Download
memory/5080-968-0x000001A0FB450000-0x000001A0FB47C000-memory.dmp

Filesize
176KB

Download
memory/5080-971-0x000001A0FCEC0000-0x000001A0FCF72000-memory.dmp

Filesize
712KB

Download
memory/5080-970-0x000001A0FB510000-0x000001A0FB592000-memory.dmp

Filesize
520KB

Download