xworm | fb05744e6285d0d7eaff70f7b303eb04ed24080af8c31e83b7da0bae16e2c216

Analysis

max time kernel
129s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XwormLoader.exe
Size

7.8MB
MD5

239e4c2d3e6553ad53ccc6172a6a11b8
SHA1

f7313274cc27c47ca78a476541e0e30e84c4dcbc
SHA256

fb05744e6285d0d7eaff70f7b303eb04ed24080af8c31e83b7da0bae16e2c216
SHA512

76cce7ec3788db10a1886a27b862f5203c0c8d4294b79efb4512442d8b817be3ea3fb9777e5bacff90e38f14c84a60e319cff23e028dbd9567f4913d94b137f3
SSDEEP

196608:7//b4C6XrL5HfZBEhl3xZi5OslC9+PWbXooVl41u1mMFsr3:7/yvRZBEP3xZi5Oso+PWbXooL4Sa3

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

217.195.153.81:50000

Mutex

5UXpujbt6vWtkdEG

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000023b95-22.dat	family_xworm
behavioral1/memory/1620-32-0x0000000000290000-0x00000000002A0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
432	powershell.exe
1324	powershell.exe
1996	powershell.exe
2280	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	XwormLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
5056	Xworm V5.6.exe
1620	svchost.exe
1988	svchost.exe
2552	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133855907633147192"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
432	powershell.exe
432	powershell.exe
432	powershell.exe
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
1620	svchost.exe
1620	svchost.exe
2936	chrome.exe
2936	chrome.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	svchost.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1988	svchost.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1620	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 5056	2060	XwormLoader.exe	90
PID 2060 wrote to memory of 5056	2060	XwormLoader.exe	90
PID 2060 wrote to memory of 1620	2060	XwormLoader.exe	91
PID 2060 wrote to memory of 1620	2060	XwormLoader.exe	91
PID 1620 wrote to memory of 432	1620	svchost.exe	94
PID 1620 wrote to memory of 432	1620	svchost.exe	94
PID 1620 wrote to memory of 1324	1620	svchost.exe	97
PID 1620 wrote to memory of 1324	1620	svchost.exe	97
PID 1620 wrote to memory of 1996	1620	svchost.exe	99
PID 1620 wrote to memory of 1996	1620	svchost.exe	99
PID 1620 wrote to memory of 2280	1620	svchost.exe	101
PID 1620 wrote to memory of 2280	1620	svchost.exe	101
PID 1620 wrote to memory of 3460	1620	svchost.exe	103
PID 1620 wrote to memory of 3460	1620	svchost.exe	103
PID 2936 wrote to memory of 2340	2936	chrome.exe	115
PID 2936 wrote to memory of 2340	2936	chrome.exe	115
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 4248	2936	chrome.exe	116
PID 2936 wrote to memory of 2280	2936	chrome.exe	117
PID 2936 wrote to memory of 2280	2936	chrome.exe	117
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118
PID 2936 wrote to memory of 3960	2936	chrome.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3460

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9d0a0cc40,0x7ff9d0a0cc4c,0x7ff9d0a0cc58
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2416 /prefetch:3
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3348,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3740,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3736 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4420,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3172 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4532,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5132,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4488,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5260,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5180,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4560 /prefetch:2
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4432,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4064,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5248,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5456,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6040,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=3492,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5568,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5580,i,1568538396737957596,5355405075864465711,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:6072

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4288

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x398
1⤵
PID:5252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d625cb4e7213cda4cc0278f2da01bc83

SHA1
ade59caf19d4bcba82cf3aa74f69267a4b73c17a

SHA256
d2ffb37fd8dc04105563827cd860d3445e28dad5eb407682e4df6d31e02f1f21

SHA512
79291872c96ecdc25883e880a1c038a58984745453a22d76a3bb54baebbae464d84a57fad211c6d553e96fc381e75f894972262dc736dbe47c5d5175240598f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
28KB

MD5
a0accabe047e77519330a2ae010ae161

SHA1
7d4f2fd1bcbedd986b7b1fc42a00459d0ce457f7

SHA256
36f3da9486e1a088f88a4a61af7c87d1d7e561cc79882b5d359cac235f121c4a

SHA512
9131a74fbffa0a89254de0004edb141eda82ab488d3224e8cf5f0f36a919301b8c1a352ab56b04812a5e05d46c328ce7f16eab44d9e3297b681214eb96a62d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
67KB

MD5
7f6664bfccc13fcb9da48976840aabf2

SHA1
5980f611578360595453c62e399e96eb6b5330ec

SHA256
c18ed387f4c6490cbe89093cdc89c63300abb860cb1c98fede5c9537c4fc8305

SHA512
20c4ca7c19272c43e9a9a5de961cf8c8d1ce7843b115088e9deb06eaa8d6ecaa18b0dbd662d3b823ace1c649c17589028ebee738b208b1ab8deeb2e7ea35bd07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
96KB

MD5
443b7f938ec8f54b691f17d78e337135

SHA1
e0a8c4ea25bfe233c27bef35ffc7e750bd20a1e4

SHA256
238c23ba593a606687f4e94597470dabb3d3deac2e98e7e6ad7bfd822be999f1

SHA512
aae8d3961dfb739466923f78b936193e040b56df111d8ca121c86dcd95de9608e152bd2aa9b8b2cc367aae78569198c11c1ddab64c742b146f937b24447ea06a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
115KB

MD5
50efcad6be346e0a9e080592825704c7

SHA1
e87a4150bffb880afacce98a38ac5e3a17030515

SHA256
e36abc23bd71762b5e527b386acb3b2b5b5158d199e3d896142f31c7363686c5

SHA512
6533b01075ea8c4b0b2c04444825b92028f5f9c0d9849cec82f89820047f0ab7b5f33904972ec75ef58cc6cbdacbdeb16d6e776c3b38123c86839013ae28cad5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a

Filesize
29KB

MD5
f85e85276ba5f87111add53684ec3fcb

SHA1
ecaf9aa3c5dd50eca0b83f1fb9effad801336441

SHA256
4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432

SHA512
1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
adcd57d7c6396c4e25a4c3b6618e342d

SHA1
23cce15f386ee224824e6099f5a83da803aa60e6

SHA256
18ba8a9badbeded3c8c798efc603f08a976124aa9ff3718ac683f7e18b23f2df

SHA512
b78cfd4a1bcfde228151ab39fcddacaa2a89a156fc464ef86eed1fd3d41581e3f48fd23f74dfe12f5909f9eeafeaf5d377ca2d4d3e342e5607e1ad6db7443f73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
31e4e9431b0205554253ca1b056ae13e

SHA1
30985ea3926486f9dc06b5d692685c67e7e58f4c

SHA256
66c96e1c92e819bec8f561dd5f7019c00f16f57c1784a4a6609a579929711bb3

SHA512
7e42100a0f9703de5ebfd4cc62996e79d6d36b968058ac5e0fb1fc8f5ae308ca3885bd0089766bf75bb0d6f96ab2eac69663afe574d7b2c2df564ee09cdd50e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\0893f270-32a1-4454-ae4e-b6d1c4d28791.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
7e7bf1980317232f9cfeaeca22703ac3

SHA1
e08b22df910a4d7787e88f77b4ec3146eaf75ab9

SHA256
b16f5938a3dbd9a326900cd0814db9796a8bfe4899a5f213ac04c13f93b4278e

SHA512
043461d12f846d032f6fabdf79cd2c3559eef82a22660c56e930bbb8abf7f59ef08e5758d9bd31f05f713a6c4f36aee8ed22aba5e42e7454aaa101bffd841922

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
d860bf93647e25f949e0145c5f8010f8

SHA1
962431d242085a1a89ce38241c500d0cb43316c1

SHA256
029e72e24676caf3e3d53248f3ea83cddb7fef12ab25dd3d73fc287fe0d1f90a

SHA512
456aa856816769fdb5cdee27ecea8c362924e1de7d69329166193c31deedf93b528e42ce4ac1e87c955fe0ab6c7d29e53450db755b6966ee2d81da1e6f6eeee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
e5f10ec7ccbc4e53249b173607557eb5

SHA1
cfed49cd80a7a75240c7ac1b681df42a3e35d931

SHA256
11cc8bc1f81f8c873b1bec941f69627375b8ca5863917ad11fae7c725cd83f62

SHA512
a34b64164db155557d567725597c682ca2f2fe9957f50298cc36fd09c582f543ddb20282e1b19b2f28a19146adfe4679e14025819915cc57ff1fe08a6faa9150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
b5d54246c046b8325e986ff126003f28

SHA1
644bdd9fd162c928cc51a573c95080eb51bbeb20

SHA256
2da00e55cbf014682df9959e01d4a602195c72a7a3931c9d6f1ad0cc8d84351a

SHA512
cd876fbc3d560f690e7c72633ae3e41ec930fb398b38944ad4f62975f3a449a43913d7a0aa3a97526e416d3c64c9704966aef41bc572cc5fee598e7997681d97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6d62b4a286bd5dee0049656a28c23612

SHA1
4ed5b36b8c5abbea1a9c0eb0d07959769e566e41

SHA256
8ba675a0dfdc0cd992934ae02bcbe4af9a58093e07a77592633323ab1928aebd

SHA512
420ec179e9d0a0bc1113489d126da45c7b2db7f12fa40eb291dab96644fa2270d3c67f31f031d76ee0da933373a4b61af6cd8b54b462e0006289cafba0b322a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
9cca6602a31908ea958fa0d94558f4c6

SHA1
feab1cb5f22b5fa6d272119c755de8f80656fd61

SHA256
39dc4fd53e8b28ec2752500652540649f47a82c5dfa3e80adf134aa60d66c144

SHA512
589ec0c6b6b3c27e0697d3a8c5c3365967bbfd6f3e8629627382fd33cca33365fb014d6925b9e35b2c37797f6f370eeef771ec2260caf00ea40d3a4744b3f1ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0278e414fd459c838f818a8253907c7d

SHA1
99e9a63cdcb31ead9e4ad0745f465f150fd6b9af

SHA256
c6e402d262a189bb1b1b2e15a9423c63b1f53674a18afed1c5f09c4e1c559330

SHA512
50890ea09252cc63a88fdd906371f5c0d479e677d98c154252417651ec81675b1618ab210743c964ce1118f9188ab4174269d003551b7a684416d047a2bab2a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cd67c228c6dc1d7e11bf3660f58f1651

SHA1
6a4d6854bdabec10c2ed9ee23a5a6c02a1df5e10

SHA256
b61cee999b33b2d4c5a3b6b0c9a4f0116b18496740229098df849426c49fa9d9

SHA512
426882d13fd67ebb4d45cdde89a646f77278bb948246094fe39504d406828802ad73e706827f42f675a58654afa3c1ea78be6d9cea6271d5cc4b7a03723074e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45796b9b66c62929cf8bbb6e20ce777e

SHA1
68ef2f7cedc8dcd5d26902420a38cf6f774bcc9b

SHA256
d7f65e002fffa2c8fdab1dd861cd393ec03a6fd6c717e80107d017f6b6d9aa85

SHA512
4a01a0fe40c0e87ff690e673071396c66fa14ae3465dd63601b0183afae340a1e46d0844e11f307ecf9da1b49b88f0148ade432ca884eb676d6125ed935c7aea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
309b7bffc2c4fcae23bbce3d2002751e

SHA1
e00ce4bd99fb47c00b6283f513605f4152d948ec

SHA256
23a2286263df27251d0a839dfddd9ec24fb186d0113a257c23c7b81a1045f783

SHA512
d2130e7af6d9ffcde8b993de2595ced7f7426c1dc69d8d10470c7dd5366f0e8eeb77d36dec17042471a836059bdb19feba502a577ec2da2424e483bfb449fd58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
78d4df6e1928ec4849d8b2ca394d43ae

SHA1
dd232fdee9c86ebe937f167c59578857a6c268c2

SHA256
290557b4e5497ceb4ef58ff7926699a28ecb134429f134fabcc5aac2af043167

SHA512
64b1d2e03b7f45a4d210c379e167510ba56e398d43625547be87a2c7a768a9c22dc55f7a2180d443887742825a89a13f7e1043b96117d1d3376bcb819c6b0bb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1cac05452daf1d0b7bf5f3ba8ce2bb75

SHA1
89858c9b875efa980c57f02e1812bcef19fb4471

SHA256
a1303025db7dfb79743a3a2d17739cdd1b2997881348642688438abdfb57a6e8

SHA512
339181744bb1966e958b77068f9981989eabb7d75259eacc666da8c225fceed547f10868b648b46f7b1b4e5869054e76ae5cc26eeec4d68f5dc43a830bd4da66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\013888a1cda32b90_0

Filesize
7KB

MD5
33ffe44d5fd92f1c07f66871262b1481

SHA1
d09f3245f5225173354939384edb5dbed98b63ee

SHA256
1d6455a28900b2cd1ac86de16caf1b82f11aeeb866dc0542bc743197d18834de

SHA512
b987b364e6401ffdf443769a4057315a029bfb27702f1cdd990bc38578f5ed1ec0673a6b907ca1d6146151bd839945a20c00fd985d0f5d341a22d204358e5db6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\013888a1cda32b90_1

Filesize
21KB

MD5
65bce767a67989c7ffaced3e60cb0baf

SHA1
4da9395d16417e1b3d5cd8c34a64fb8bf8e6d9df

SHA256
e55bd1d7a3774d046111d1962c5b456294e7e97ade8d1f4f37968c22880b1861

SHA512
e720d8ed135683798d7943c4513b1615626b931d922e056763ae97c79e82f8b4d0f2402c73880ed45a5985fe722522156934a71d0485728f7e1f5a89df59f22d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_0

Filesize
2KB

MD5
3bfb778f07447d53ce6bbcd52baf7eff

SHA1
1f00aa3a2d5af3d3c91f255ce2b07b1f6f5cd68d

SHA256
f8b0ba2e96e8431412425488cb5795caa6775f09b125a36ca177d02d99de86e4

SHA512
ae262409e31303ab6c92aa47dcb5b5614a893f56d50266a356481e14702a1301bd1e60fdf78bc7da2bdd0bbc4db45c56f3761181d427df2bbbcdf5cccdd6f83e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_1

Filesize
3KB

MD5
d917520de0492cd09b3066f4ef3f3fe8

SHA1
9db6a74367738337708abb3f13a8ed805e38af73

SHA256
664d08d873d7fedb6e16bfe5b8109ee0dd7327f13bf2016cd67a6a8773bcac01

SHA512
05ed183a20a6bb7bbcb3dad731a36f8220196e00a77dad491da7868bf4aea0acadea2db6be1b3bb120172c87de2ae7e2d299da6a212b5a627a7e139588106519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\b6c28cea6ed9dfc1_0

Filesize
4KB

MD5
59100da831356dbf1beaebf99638e6c1

SHA1
5d6b3f10723b1f92ea88dc2e51550ccb8f3c713a

SHA256
122de9db34bee34661577a012f98d8065eb5f8fa258c869f68639ae8045338e3

SHA512
ff9e1a83c97f986b88f1e7f5b2d17c1138f65a775f84bbbdf6da4166663bca981bb8a8f7ce0fe8e943a60e9e1164b932ed76db2df9b6effd77911cc75ce3138c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\b6c28cea6ed9dfc1_1

Filesize
12KB

MD5
051e558b435171cea770465b219741ab

SHA1
67b6224e24b197f4512c2e9a68fc42539100d686

SHA256
81ae5f7d6250383106d80edae4c7f2b0239f611ae35818a33510205e2c6ca0c8

SHA512
89784079ca23d56613a967c0252e2316ba27ff8e5795efa6b7b1147f14c22dc2dec1294043fcc3b0763abd687067f1e375e10a0f374aa3f717265c0109fd91c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_0

Filesize
4KB

MD5
7cde11b7e8d64d6f4c0695de20355ad0

SHA1
3fb954ccdf5a4e67dade3741f24b273e919e050d

SHA256
de946a1df877226174b3318c9208239df0748a7b8605af76f49e89ad15ee4bdb

SHA512
1ee2b78ecdffa62cd68dda017834ba4c917e8d72f22a952c3789689bd80bfdc018b58f632e6924b6e0503544a600a7ed021825b2b04f3aebe3024b1825c50c17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_1

Filesize
1017B

MD5
ef93998c76d280d749bcf68f404f737e

SHA1
0360adc371085a6a3c100d8cf63d38c534c0b8e4

SHA256
0c9e99353ab93e220ac301cc0d398d24f42e98d32a179b84b919831597ef6087

SHA512
fbc60757a07477d422efe6c69526d3426159f15e84e4e9b64c20018b1f6fcc8c6c59681788884841c062f84c78af1b272f7412aa42e0aa9d2dc15f5515b7ee81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\fa813c9ad67834ac_0

Filesize
4KB

MD5
5f56578acdbfa6125c9e80028cef6d12

SHA1
9e031a5ce7c9226d8711cd3bf8be7ae492578cc7

SHA256
02296290da912a2568def6b7f541c2ba681eba678d1cf9f793ac02f6178ebdba

SHA512
90d7f7d94c42c3f7fc914cac215c2b472472723df3b598d5e26af6297ccc46cf7d9f8a6242a199734a28162d8654b8f816a1e0424fd811939afe22df21f3dafc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\fa813c9ad67834ac_1

Filesize
11KB

MD5
1f6d1fb5430013de023a13985a09f9de

SHA1
7abd9d2cd979abf57dfa5fb122499dfcef19cd74

SHA256
8aa3414ded8e7928f0b0bd85c68d75acdc47f0ce9d2fdd12b44758c07ad3d0db

SHA512
72d1e21af246c61b2fd61d4fad5b2a79a3e49b5f49a6945475757106ff810600ea8081941265697aa62fbe27d85c2fc6c2a6fef7e2ef0cf9f40cc62716944919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
192B

MD5
4649ed3feeb92c6220362d89fcae5ac8

SHA1
2638a52e7513ab1c7ee7d80145c37e25f58348d6

SHA256
d6c19c2b3fc56916afe79efd23dee843026dd67ed208b972575c142d1cd1503e

SHA512
a49585ce93b7f65901e1357cdd86e7c478d3989ca491fd3f817c570aa72813562c445cc203896bfa72db8157bf001723a2b41044521d23da2d3403c7634bc99b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
103b5ba0e0444dd6334bd40d8d85d577

SHA1
c04fe3feb4b2a129d49be0794c8c850e2456d11e

SHA256
ba74b15440a66596d94ba5111d3382570e46dde89b42b78a434697441441557b

SHA512
9b7a28a8dc16405f83fe656423c506b92b12f79d55f82b187804282ee7320b440fbd4ab6b2619f566232ee3c8729eda55d6b579ea85f3a7c43fd16f630419956

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
8b0ad734c1652e157e3477b91283cb28

SHA1
246f8d47ebd20f88f2fe02204c10310a935a34aa

SHA256
d3d5d1bc4476552fc96ec27eb507b6230199d0364d3b928b98eaecfba7382f88

SHA512
c937c0a2706e1a96137be4733732064b861fc575cffc61d82a5ad6af2bdcf8c1b0b17002a0a23931162f00ca17d5543ee8d4100c712fb9ca06cbb3ed8aeb99ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
995a1781ea1c753a3b2aa56e83fcca39

SHA1
41f83a4bd2e7f65108901892c4b35efabb0039e8

SHA256
321962242f4379206c6efbea28352d4db58b3b47e681da514620c856d2786760

SHA512
f79722577fddfa274a29228b55f03f1221f6b3dd57cfd848d9fba4914aeb7d5562d4162e78b4a89fbba39bf1e88e199e644b48996cda8d276b9c8bb43563724d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
046b48876fd81be2812d2bd63d1e0604

SHA1
429aa672b2758434402b139a9e21de0932c087da

SHA256
5cc4295810abb369a9eb7ac0c590b2045cc2aeae36474241383a41e6812fcaa7

SHA512
b7517b942734c6b77459d4f065391a62953af2ceea09742e1027e01da9e85bef1a010b7e31df2f3fdbeb489041af1f5262b7fb274f3174575e7e0b9401208539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b4b6d4cc52b5a3a71149b1f33d94d5de

SHA1
97d3dbdd24919eab70e3b14c68797cefc07e90dd

SHA256
da8c02ce00d5b1e6d4c3667465c7bbc14d7cd5227eb634f3d9690afd488267fe

SHA512
fc894f03709b83df7d2fca2779e1e60549078b67bcdbff0b61c8e5a802982210ae971309c1f92577573299288963ab5c95c6b38cbaedf53dc6062812c57a97af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
cac67604904dce94d230953f170d4391

SHA1
9ea639f23a5699bb66ca5da55b2458347aed6f13

SHA256
64e5b7463d340b9a8b9d911860b4d635b0cf68afbe3593ed3cc6cbb13db0b27b

SHA512
af358008abb47a345a53dab222a01ab6c0ed10185fca8d2be9af2892161f150c8cc8a7f75272d1eb1acd17b49f32d3531adbc1cfdd153cc7c3e90841cabe766a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gw5004f1.ryf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2936_782376177\346004ea-34a1-47af-aa29-daabc96b4df0.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2936_782376177\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
38KB

MD5
076f2c93e34a152c270907e33143fdf4

SHA1
26278090a3e808d79e76ce8dc3ef21f55524c9b4

SHA256
59d95ba60294f08afe88b16ca08c6befd1148ec4a120a674fc5bf8287205ebc5

SHA512
54cbde7e10665bf039d69df63a05dcd6886a883d51e8354d3cc78f2f0883a80b7441a24108053b9b23bacc4a8cff366fc52fa02e2a10e8f3f9c600a1e9fbe867

Download Submit
memory/432-46-0x0000027450910000-0x0000027450932000-memory.dmp

Filesize
136KB

Download
memory/1620-84-0x00007FF9CDDD0000-0x00007FF9CE891000-memory.dmp

Filesize
10.8MB

Download
memory/1620-32-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/1620-36-0x00007FF9CDDD0000-0x00007FF9CE891000-memory.dmp

Filesize
10.8MB

Download
memory/2060-34-0x00007FF9D11F0000-0x00007FF9D1B91000-memory.dmp

Filesize
9.6MB

Download
memory/2060-0-0x00007FF9D14A5000-0x00007FF9D14A6000-memory.dmp

Filesize
4KB

Download
memory/2060-5-0x00007FF9D11F0000-0x00007FF9D1B91000-memory.dmp

Filesize
9.6MB

Download
memory/2060-4-0x00007FF9D11F0000-0x00007FF9D1B91000-memory.dmp

Filesize
9.6MB

Download
memory/2060-3-0x000000001BA50000-0x000000001BAF6000-memory.dmp

Filesize
664KB

Download
memory/2060-2-0x00007FF9D11F0000-0x00007FF9D1B91000-memory.dmp

Filesize
9.6MB

Download
memory/2060-1-0x00007FF9D11F0000-0x00007FF9D1B91000-memory.dmp

Filesize
9.6MB

Download
memory/5056-35-0x00000176C1040000-0x00000176C1F28000-memory.dmp

Filesize
14.9MB

Download
memory/5056-19-0x00007FF9CDDD3000-0x00007FF9CDDD5000-memory.dmp

Filesize
8KB

Download