xworm | hxxps://mega[.]nz/file/WRRRDA7S#DgO8PD-fm_GIRUsHRgdua1HLCwG1LccOFenzNw1iW_w

Analysis

max time kernel
46s
max time network
54s
platform
windows11-21h2_x64
resource
win11-20250218-en
resource tags

arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
submitted
28/02/2025, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/WRRRDA7S#DgO8PD-fm_GIRUsHRgdua1HLCwG1LccOFenzNw1iW_w

Score

10^/10

xworm defense_evasion discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:28477

our-vehicles.gl.at.ply.gg:28477:28477

our-vehicles.gl.at.ply.gg:28477

Mutex

AnNzhrgjdrhgI9wm

Attributes

Install_directory
%ProgramData%
install_file
realtek.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b11e-190.dat	family_xworm
behavioral1/memory/1544-207-0x0000000000CC0000-0x0000000000CD4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
1544	r6.exe
3792	r6.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\r6.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133852422158303101"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\r6.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
924	chrome.exe
924	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
924	chrome.exe
924	chrome.exe
924	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: 33	2000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2000	AUDIODG.EXE
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeDebugPrivilege	1544	r6.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe
Token: SeCreatePagefilePrivilege	924	chrome.exe
Token: SeShutdownPrivilege	924	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe
924	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 5588	924	chrome.exe	88
PID 924 wrote to memory of 5588	924	chrome.exe	88
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 1776	924	chrome.exe	89
PID 924 wrote to memory of 5720	924	chrome.exe	90
PID 924 wrote to memory of 5720	924	chrome.exe	90
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91
PID 924 wrote to memory of 5484	924	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/WRRRDA7S#DgO8PD-fm_GIRUsHRgdua1HLCwG1LccOFenzNw1iW_w
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4fe8cc40,0x7fff4fe8cc4c,0x7fff4fe8cc58
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,4854326643463414503,138126132931283687,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=1784 /prefetch:2
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,4854326643463414503,138126132931283687,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,4854326643463414503,138126132931283687,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2368 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,4854326643463414503,138126132931283687,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,4854326643463414503,138126132931283687,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4568,i,4854326643463414503,138126132931283687,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4884,i,4854326643463414503,138126132931283687,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5084,i,4854326643463414503,138126132931283687,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5220,i,4854326643463414503,138126132931283687,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5308,i,4854326643463414503,138126132931283687,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5080,i,4854326643463414503,138126132931283687,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3924
- C:\Users\Admin\Downloads\r6.exe
  "C:\Users\Admin\Downloads\r6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1544

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4108,i,8425512666034524542,4476834323552806530,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:14
1⤵
PID:5344

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2068

C:\Users\Admin\Downloads\r6.exe
"C:\Users\Admin\Downloads\r6.exe"
1⤵
- Executes dropped EXE
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
936b08769b04948500d3972dae63b3eb

SHA1
e4b8a0c2cf7b94cd578af26fd8b290e69827c463

SHA256
221e9729c1ef2bb12849687ba4a78508bbef1bcd511fc4407e700cf7351daa25

SHA512
ef1e4452bd83fc65ff15a466aa291e7f3224899a0d73e7728d06c7672a2acea391d3ad47640082672c43c73640f62858d2a3e3addeb6b519535ec4fb9acf8d7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
a33ed6e2dc0fe46bdfd5d7e0aff85b02

SHA1
40dec24704400f4c9c304a79009a5324c7e84778

SHA256
6a70db61489fb317496fe0e1b994e02d0f6b9f2e3670567c771407900e39dcf3

SHA512
8f4ee42cb61514683ee7a7e54e5eec8a4d13b4dcdb5ec2c219f206c9787f07257772abddb82fd193ba29c04b4599c81c0d7c5444ce1e78a0eb55594a04ee5f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
495536808aa5e0059e2e6cdb8df0a3ac

SHA1
ca21163a4257faf4689cdc2723b6a59cc3fa784b

SHA256
761b6ee69761434c8e4c50e77e775ac1f98c00efbfd0f065165a8f0a730a87ff

SHA512
c0874f617a1f200cf095b920c3c1b94ab7314f9b1f87d0c45408b5441bb7b044ad1b5cde621edd8b05757ec7d18fd66a66726787d09be84c36201413299fb078

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9883f9942c8e02d3f74ddc1bb6a57fa5

SHA1
d0febc38102cadd1946392fb908ca5981c3e502d

SHA256
aed8ea0df8c23d2e630513376a792124dce683b94fe0a7701af6a482ecb4f509

SHA512
3d1f56a5d135efe8b8457f86cf43b7850f7e9b892e36c560d48ef347a1fe997aac26ff3ccbcc02997d2b1bf4a6ff020490b19dc7053d99add827cc7cc67be392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e7cc99144738d070648a5ea8aa9a8f66

SHA1
e695eb20be75861ee3e01db0ef72be9abfa8a5cb

SHA256
f94c32a3bf215c0af808837dc6a7645f2a79544b772abb2a09556fc9079b9890

SHA512
a4e67cbd1179e8be8b0a709e33bbcd34a193bf1bfdbe3fc78abee44ebd7c17429388b0329139177de8b3a8a42ca568bdff2cda83493063254ceec650da7236e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff8c7b417eafa275a8b8e752c1568aa8

SHA1
e1d6dd01741f9b56f35d19dd2186727b78fc33c5

SHA256
3ec879561e79a0bd76afbd649b4b5869449bf748631acb4b61cc72ee7534d707

SHA512
e2b717e5662fada9a3a1a7e31cac15dbfb58d3b5796c37adba986d082ba55366f5af9a4272ab6dc0942afd40b0d2e3bdb1bba770e600ee884d751ad071a9fe8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
312247507cd30eada32dce6db4190874

SHA1
c7a24804bb82a4bf6e201944ec3b9e52fc128316

SHA256
3a6762d28054d42fad3d538b59e61b6e65da8f13a734598af7b7910b535fb3d5

SHA512
42d2f639f7eab65f923bd814d281d5a68ec4f449244a12a891cc097a3c2d51b67ff8f58f181b241c7be1411fadf5f9863dce86e408c1fc3f437799be925cdf7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
1eccc97cee947aa6b59f9239af3a39c1

SHA1
3a28e97a55bc84799b20ea1a0dc67a9a82a1d7a2

SHA256
a169732481949b0c558ab678bdaad87e215c515d6378e1e8fe4e503ecf1860aa

SHA512
989ca0acfeca97ac8a1e2e2ae986965c0fddfbb555b475cbc106326312464e86fd1dab1cd475e430d8ab67f88f55880e0790cc3c01d919bf789694916d80a510

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
8b801f71db53d3b9c125074aafe19c9c

SHA1
e4b0ba429bd2a53a80de99a4b5e88c0441abfaea

SHA256
168726e8894e7e81a2c3aea0450d40d48bb6459b8c2c0354d8a426db7e191317

SHA512
de6f448902d4075f9ed1a2539197c319785fea4591321540ea4722c1710193a022460c9d831dd7e13e5403ea8d4788d2661e89091e103c0f0547732d4f39b92b

Download Submit
C:\Users\Admin\Downloads\r6.exe

Filesize
58KB

MD5
252a38f6f56022a7f1e1c54828046d81

SHA1
7eeef3c3762e83907c0d2e455df0665c2470ca36

SHA256
e370b827aa02f20437cf64649bef8d73ed55c18f572619f1d1eb5215ea76db12

SHA512
a8c8334e337e898e83505cd3a0b4ac6c230c6da28c5270d6572ef148be8cf8e10b173c20f64dbaa7c81e3283fed2d182fe17f7f752b1511b8f09834bfbd4829c

Download Submit
C:\Users\Admin\Downloads\r6.exe:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
memory/1544-206-0x00007FFF39683000-0x00007FFF39685000-memory.dmp

Filesize
8KB

Download
memory/1544-207-0x0000000000CC0000-0x0000000000CD4000-memory.dmp

Filesize
80KB

Download
memory/1544-208-0x00007FFF39680000-0x00007FFF3A142000-memory.dmp

Filesize
10.8MB

Download
memory/1544-209-0x00007FFF39680000-0x00007FFF3A142000-memory.dmp

Filesize
10.8MB

Download