xworm | 52356abff533c337129af9b251bfb053f49e3e00ad2da2440e2111ad66ceabd7

Analysis

max time kernel
150s
max time network
481s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 02:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

DCRat/DCRat.exe
Size

72KB
MD5

2c7d37e90dd8ab57d06dad5bc7956885
SHA1

da789c107c4c68b8250b6589e45e5a3cf7a9a143
SHA256

5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939
SHA512

e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f
SSDEEP

768:P7Zw33FNUf6Nhd/fQ1l+0vM0iT9HvMB90d24:zZ2FWSNhd/4131i89p4

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:3244

Mutex

GaPmqX8yNjWN2yOS

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000400000001d578-1434.dat	family_xworm
behavioral1/memory/2572-1512-0x00000000011D0000-0x00000000011E0000-memory.dmp	family_xworm
behavioral1/memory/1584-1566-0x0000000001360000-0x0000000001370000-memory.dmp	family_xworm
behavioral1/memory/956-1585-0x00000000003E0000-0x00000000003F0000-memory.dmp	family_xworm
behavioral1/memory/1648-1594-0x0000000001270000-0x0000000001280000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2760	powershell.exe
876	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRat.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "222"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000023cea140e262824d9ad770a98569c0e60000000002000000000010660000000100002000000027d6552705fa821f3f4a52a3474a9887d0079b669b8060fca0d30acfbf463f9f000000000e80000000020000200000002c5800519bebf4d012e95a790f23d894a8fb12b581bd8e364a6af84c60e9e2f5200000004505ff497968f2167dd506ce653e21fae10ccb09850e49cf93d360d50cd85fc6400000001b9ef91d3b95fef6854a3686dbdf3c030b1218028f8cd13ecc2bbee89b986ed8b40d2758d2a34383bcb26bf1fc5e83d6c4cab1edf63c405f4176870d439dc72c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{797EBFD1-FA31-11EF-9D9F-E67A421F41DB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "227"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000023cea140e262824d9ad770a98569c0e6000000000200000000001066000000010000200000003ef777aa314a9af5a2258be8f6a0a62b9e94b8e4f2dbe4cf9ed57b4d52186040000000000e80000000020000200000003637de2ea733c9790e59ddfcdf70aaf89ea06eb5b4646652273aeffc6e3efe4c40010000d42c6087ca024631bb5e9be749cadc502950f0c1b1b15023006289289280f8b0e535e94e54b208b6071d4d6065e9634847a41950e8057ca82e0231700ad29f508fa5f0818fc65cd5e4b933b619c0c8c36f7a0c8aaf70f4edb9957277e667038452a541578a52f49800a4f3e286321510e0d7dca7099e0166fe5c5882e672b0ef7bce499b43c7c5c015987b362dc7c5f127a16dfc4b57fcd3abdc5179fa7b6d9e82459a6ee14d6fc3f451d3be2fc6d73440d0079702e3574493909d38d9ccd8837016b7fd9a7d5bc276db6e29699dc56fda509aa9e3577288a0a71243042c50502629ae44a113c9daedaf0f071af86c004534befd1855d0683b2f8e232d6ed2677804d733275f89961088e1bd5a529d5350b17ef163f6cb2bd9c6a4ad0e65f5d3464de4d6feeebda00160f33bab9d3f3d2e602f635e8061e2195d1d4eb6ca36d540000000311468646ba87f4ef6ef26a617e80e0e1317af233f1add9bccfcb552703ca9937120b116857e3d3a50ca4389072414b3ca493940c18972480eb2e118a41fa51d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "227"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "222"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "222"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 301eda503e8edb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "227"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "447389455"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2380	iexplore.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2380	iexplore.exe
2380	iexplore.exe
2236	IEXPLORE.EXE
2236	IEXPLORE.EXE
2236	IEXPLORE.EXE
2236	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2380	2520	DCRat.exe	31
PID 2520 wrote to memory of 2380	2520	DCRat.exe	31
PID 2520 wrote to memory of 2380	2520	DCRat.exe	31
PID 2520 wrote to memory of 2380	2520	DCRat.exe	31
PID 2380 wrote to memory of 2236	2380	iexplore.exe	32
PID 2380 wrote to memory of 2236	2380	iexplore.exe	32
PID 2380 wrote to memory of 2236	2380	iexplore.exe	32
PID 2380 wrote to memory of 2236	2380	iexplore.exe	32
PID 2576 wrote to memory of 2220	2576	chrome.exe	35
PID 2576 wrote to memory of 2220	2576	chrome.exe	35
PID 2576 wrote to memory of 2220	2576	chrome.exe	35
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 776	2576	chrome.exe	37
PID 2576 wrote to memory of 1560	2576	chrome.exe	38
PID 2576 wrote to memory of 1560	2576	chrome.exe	38
PID 2576 wrote to memory of 1560	2576	chrome.exe	38
PID 2576 wrote to memory of 1748	2576	chrome.exe	39
PID 2576 wrote to memory of 1748	2576	chrome.exe	39
PID 2576 wrote to memory of 1748	2576	chrome.exe	39
PID 2576 wrote to memory of 1748	2576	chrome.exe	39
PID 2576 wrote to memory of 1748	2576	chrome.exe	39
PID 2576 wrote to memory of 1748	2576	chrome.exe	39
PID 2576 wrote to memory of 1748	2576	chrome.exe	39
PID 2576 wrote to memory of 1748	2576	chrome.exe	39
PID 2576 wrote to memory of 1748	2576	chrome.exe	39
PID 2576 wrote to memory of 1748	2576	chrome.exe	39
PID 2576 wrote to memory of 1748	2576	chrome.exe	39

C:\Users\Admin\AppData\Local\Temp\DCRat\DCRat.exe
"C:\Users\Admin\AppData\Local\Temp\DCRat\DCRat.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6229758,0x7fef6229768,0x7fef6229778
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:2
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2168 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2200 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1736 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:2
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1100 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:1
  2⤵
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3492 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3628 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1080 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1320 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2076 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:1
  2⤵
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2804 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2508 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2804 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2808 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2656 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=3844 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3904 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4032 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3964 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4020 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:2864
- C:\Users\Admin\Downloads\XClient.exe
  "C:\Users\Admin\Downloads\XClient.exe"
  2⤵
  PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4092 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 --field-trial-handle=1480,i,5147198126286809403,8970730871482192013,131072 /prefetch:8
  2⤵
  PID:752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2064

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1424

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:888

C:\Users\Admin\Downloads\XClient (1).exe
"C:\Users\Admin\Downloads\XClient (1).exe"
1⤵
PID:1584

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
PID:2432

C:\Users\Admin\Downloads\XClient (1).exe
"C:\Users\Admin\Downloads\XClient (1).exe"
1⤵
PID:956

C:\Users\Admin\Downloads\XClient (1).exe
"C:\Users\Admin\Downloads\XClient (1).exe"
1⤵
PID:1648

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
PID:3028

C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe
"C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe"
1⤵
PID:1888

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2980

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
6d4c10a677e75635d1498f8712af2f15

SHA1
4e879b1beaa47882a45711b4d781a3c2bf6095bc

SHA256
8bc5af39258c3ebef5e4336fd0915b0b2dc63c8a84dc2ba4a7bd999206a23e47

SHA512
39a8ebc236cf91df15b7592ce09ab769439794d04778ae2f31545757b9802c061c32e72f1050266374c5272d764afe78cc3be237af70728a4653728e2c9fe0e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fdd7779bd401bf64627f657a3903052e

SHA1
062da734ec23b523b062b8430514134fbc64e271

SHA256
92552c49515ffc3a785bd8deaddfce5f1446cfea7344883acd63afa1e68b79b9

SHA512
b239c8c09d294aea121495338f5d05806cfe689dd7f0929f7e6150ead6c3faa29102e6a4158bdcc91eedebf39e43b0704b2d8888b4a9f33f573cabf41057b88d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d4f375e9afa329d1a02aa57bd70b1f4c

SHA1
e13c06f51da81d016aca99aafcb02405a8d7f287

SHA256
77f71193497e43f8f250613cff53186243f4137aaa38418a0db9526a32f7bc8d

SHA512
0a7e9ee6e7488e26c1cb7e6888f22fe3140b5a268836432376b4f95e26a71d7f4c2257629627ba754f54a397334da6616a5fb41ce61f143779f7689f151dcddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d580f60042775303d530de8bb1df6143

SHA1
acf0f3c6a636fbb2e914d323b1c9011c6ad25dc3

SHA256
8ccffb7fdafdee85e2e100003a26d965266f7aa282b305f852d8bdedcf1fbb8e

SHA512
b463ac764e08adca29055c25392b464787fce6709198d998c6cf68b012d9562f9774dd3d9e7a380c1f1acae5976e82fc5656de46c745794df395a68453472c8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f070043c0cb12a2c9040abc9d7fc98c8

SHA1
0cca645cb9de69aa7e6e3df64667c32f1a9d0fd2

SHA256
88f0a234db48507c3927633e9935ba06ee5286d736d00e211d8b8c6b8c30024a

SHA512
b1dd06d449598f1e92b3bed94734fe1ac3d7c0b8e0630578fa8b6842754b1323570ce4cce286b934a37b4fe383a0d64bd2f2f164d14816a1324c4219bad6f4ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94528b5bc1e3be06d2acdf4b2e35c3f2

SHA1
bdd3cdbfc5d5a3a3aec4372f707f6a2c6118e737

SHA256
12382d383d1c39ce447bf6402c6734d627cd1d2261468850dbd0db76927e22e8

SHA512
3086d68f345987d6ed4c678f2f95dab61334963313ec5b8babdcd7b48b12c2709bddcc89b705940fcd4940c735ce3988f7e98427f1561593174f8b64eee08b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
82c567eaa7195f891109d43d36bb6f15

SHA1
47117315a27ed4828a9db19f9f05c82a10429de5

SHA256
b8a39aa5aaad6b0907766a9878aa5e735ce852d2f8b67aeff98da580e6995d15

SHA512
27ab71a0e25459b9fa3b9ad2e0f32ec061f6fd799dad3de9340384575920ffaed0e572683bf6a00c2b368fe02d31b9c8fe0ced42db22066d25ac16800d9f4b9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ece383a111bfac1c329a6f74787b1b1

SHA1
2fe415c195f7a4dd802a5c22225e35f7a497791b

SHA256
5239f39eea2dd06453923af262c76dc39c4ea025bc6388082922229c6c2e931b

SHA512
da467f8d0865919c01292ba83a3ba8e239f8cfab9c86bace3efbd6b9f1b2449dc58bf72bc52c6f0be3cb9256b4c94f1f37ae49ddddef66826f2ddff8402ba338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14475f0f5df142504c9c2827620ed239

SHA1
d625b54582b56ec97b96fc9687e6b3135c1a6299

SHA256
58724af378e9dd2eff894d89977efe3c34f4d590447d1ad06007fb13846f9233

SHA512
7b4f17db658a4259b2fc796ad5f7951ba8a043faadee9ca8794267e887df4edff30da23696eb85152101f926af5c4e9b6b9c2d8de42d134721c69cd0a77aba1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ae7c6303c4932e52c499dea126b964a

SHA1
4af8c846a98ba479b1c6a433eb9f413ca802c9d3

SHA256
87b5693ab891f80a1384cf6e3b26c745ddfa1e96eb3ad59cda0d2430c092c1c2

SHA512
b8c339054c3a5fa7d795dcad740d693b9a808c69119819aade216fb86a6a000109e72deb0b82d55cc6b65a373e5d4869223122d9247686e927c4e7ffaef099e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a32aed36660812851f1e63e8556e41a9

SHA1
beac9a9967f085309f889236860a9aae369781d0

SHA256
b30df7dbca2d05521dd6c0893f6134732710c858b5528ca35e0ad6d7d6d5ae46

SHA512
80dd3c89ef739003d67f425aa5a813b45fe761da0ceb002f2a1cf122648d57ff5f4132e69a52859fb4d6b42e1c6e7d6fbc3dfd45badc1eabedc004f08ae67840

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9a74f5be58279840e469844fe54494dd

SHA1
8f0cf98f31b34471b10a8830d323b1808f6c4306

SHA256
a9bdf12048b7b86e787b0adcf3ee9814b0747af7caa6e7ca8ca44da443989aeb

SHA512
6fa65b680b651de6a530477e0a125dcbbad4dc399383b742c3f6650def7d209c3ce1a63ece559a7c2e8370db4480784d379449bb0ed3505845000ae03deda4fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22a82092db584d7637ac3184b56d8dd4

SHA1
981ed01b63fe9327a692426b44db2b5f4bdca76c

SHA256
1ad31b467b0d1638528aad3160edb3a0f29d1244a76b3b42d70870ad65942863

SHA512
12428af605038fa358bf046a1848a480784dcea0283391102767f6a6eb8871c6cc10dce8bc1d3c2d29f2267fc4b65828c3286701df26ac0e969acfd46cc28e0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
729015805413685d852fb3f669f26982

SHA1
66c7f0bb1181ca2896c4e1d8ee5852f09702dc62

SHA256
3df6bc98cd0aea54b89c276bf71812c4b1397d514b4f4dbc2372c9fd11075ffe

SHA512
07f2be315ff6b92e5225e83359d09f405144c49105882b2864d3ba86e51cfc69c182d105a77b2f8c19b83fa14c0ce4129a4034fac41e03ea61cd2254cfa827ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fae9030a3b8f4d98e759eebfa9f676fb

SHA1
c6bdd8e014302b201060c88d5c9ba08670dc0ff2

SHA256
a69e348286ec35666f3eb913efcb1017e864d312fc4825c1836054dedbe045d0

SHA512
13d2dda47f7c6338977eb3589813ae71980ee1db7005c4de0f512ce2805043caf841311acaf845fe1e5d9a1ae0c747931411a1ff1744ba10f4f47575af6deb44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fa09821ba9a87685fe49976a01a4b33

SHA1
544315468b2e37ec67268691118a352988d39988

SHA256
50a0a71a065c96bc0f94b027633a4b2d12a05153493bcb80c0734949a20ff15a

SHA512
cc45655926984aaebcf1eb2cb196872c5b28975b7e391741bf4094cf1c7fe2b49b85d410251e052b25a161e06852688fff5adc81145a1deaf9878485b8dffec1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc50a005da5b3dbd155f5cdffe87c86a

SHA1
e17c95949eddddaae9c2ff74de8a9589f830f176

SHA256
2450ad606e6eb67d16028e723a90f0081ba0063a83376ad6dc118135c52f3684

SHA512
d1e65480bb675795f8de6ef1b9ed52d22890bca5ca34538cd7d2cab3be4341e2480f2c85a090eee7e1dca711a551d9c43fb27ef6beb8143a02bb1e95ff987420

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42643357213b113d516821e1aee93cfd

SHA1
4f79e2b03f3d0416253ef57ec3656d37095b9f8e

SHA256
b6bf4b34bd27d07bcdce906d4222f05a1051d3aad5c99554c4b5ef35b3126bd8

SHA512
62069d74e465308ddd81890e041cdc35546e95906fc153b94e6be60342aa1c646770b71011ef56c407abe674b9947b7c665a3fa2f25309a26f4e1b8be6466725

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a00a69659f9fb6ce220024e2fc55bbc3

SHA1
43b1459852280f9416eb046b504ca9878b62ccbb

SHA256
19a81d9c57a5a57d4f8ba3628ec52a4a619f238d504c25e8d0b447c0daa08f30

SHA512
05f8a34d080a550309ca7f5f0815b4a27b3993c10026d59bf323904945c1ac81b37128f2afba1b960dda519a1627464f4677fc1f3ca27a842e4b4bbbffcddcd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2558852d5c226afa0f6761ad75be4fd1

SHA1
790fc041dd53fd2c69bb28a0dda287b6434a04ab

SHA256
50974aab00af1a968e0829b009e65ca817fb6b80e673ceabd0c8bbc653aefaf0

SHA512
49dd5fbd355028d63f4880ac331910d79598967b5ba92aca9105d773b345a38634d310c3d4250ea8a07c716fcff9caaccc73ea75d207e8f1ee6a05281634cc3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3129fe3a242a302bf16ad6d0e09bc9df

SHA1
2c37acaa7d8a7c481793be3eae42bcc933b77c55

SHA256
6d2afecaef1a8ff657daace70184ef6c319cc531430fbf4aa1f5a38d8849d126

SHA512
cb560a806e52142b60bfdc0081773ebf7f9cddc92a8d8801d9bba7901e7b1cc5bf28e9ea9c02c1cc77e6190892c1c063ec8e0943964950b4b3baa353360e35e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\984187ee-c6cb-4a1f-a427-573ee49002e8.tmp

Filesize
6KB

MD5
9cf4aa8e129b9b5916cb8bb12e6157c5

SHA1
befcaf3af374ab90ab1fcdf12b169c6f7a11007d

SHA256
f8aa75ff5f156fc8094c1df5b224be9785ad4c64086e9ff4b4bb031167871c62

SHA512
824f46d81f1f6eeaf512df3bd5f478190f4abfa4084f7b4496b7158fe5cb9002e1176fb2738cc241b7d958d7747b7b6f2c1fe7f55fa9377d451c66e2549689a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
3fea3643dafd2ab1f7165a2ec73a6873

SHA1
d639d107bbad72ce76f0b460720b42133f5d92e8

SHA256
a9f46ffc8622702c87098118a817cad571f32e30264847d755eade17e21734af

SHA512
3fb511cb7ed35cc8d715b23806c743a6c2a4032a8cfd85bedfe38867db7775df9c94a86fbc1ef2ebf3680eda121f13001df5750983ba4bb53494b00182a73069

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
4c9e7fea4d8c9b81f6c5cacb4a771064

SHA1
e6ae512af5b43e96dcabd76933433942b654018d

SHA256
e6fa3c3c4618affd7575925095c10be902dbdfe487247db8f17c8d6ee4d6e560

SHA512
8e768dc27182c75ce249fe10f3f6232aaa9bd9c347ee95701f4a883c300991a2202a58df353552e75238126ee2430a6b87e023d9292ce1bdfd7db812ac2365ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
24c7b5a8d3035c1afd156fbb54649fdc

SHA1
4ff5a9317060cd172c7d7f3f184357d7c55dd06d

SHA256
0a002672c95c7ab4a678ab07af0521fc5e60058d7f7de79273d2819481a2fbe3

SHA512
1e7e79c68e5eb2bf73ef96e6adf162192ae50a327f4b01a50023ff273cf35c79cad3d7dfd5464143e5a16a27ad775c752bc9f6f1ec6b0701a08e07a6fded0a55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
601cb170d261d3ae037349b934400a71

SHA1
eb73ad7567bb54b4191e27c15bc4e20e84685e90

SHA256
f3b3251434372c4228b70813002558c2a152ed443344368eb346d7d181eac597

SHA512
b5f89914820c70a3ec5479012c24423333c74505dc9ee13b0b32094788c8ac065dc86a7b65ed9429e350301ac97bdcc8ff5a6883d88c977e6eb6338353dc6022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
26f0a2a8198db295c7f8db24bc1615d6

SHA1
871e831f631ee0a5337ab137f087435451251410

SHA256
800d65f2bd66bcbdecbf2232c994c9ad700e37c10b5185869c95fcfec29f1e51

SHA512
02de50bf20306b2d6e80b17587a3494eb9411649c5fa5f85c09d142b873e209d03d683746e95e1f6becab8186c618412c00bf900075327d648ddf614262c4034

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
073825373bd235fc8533dd7a0dff5aaf

SHA1
980e6286eaf29d054404497c684b89bfd834eb5f

SHA256
2e6dd0abb2069433ada005925d8dd7171d0f766f6abe9eee33b2728334db1d67

SHA512
79005f606c05b01aef2215dc5f3fa86158bd0c56ca4632ecc115bf7412c87668bce038850a6b26afa40941a09add925caa80040d228daae6745b757e81d44986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
2ba90a5c007b7769b103756200117a10

SHA1
948fdf749b7af47740a7ad10e90e790c693c007e

SHA256
fe1b2cc670224dc059a88e0c09724cbae6176d518402047328fce86b4a24a2a7

SHA512
47fed686b54e7e189aa4ca8cca892d0d6306bd72126c28b54a05a3e3e5738b4be746eee74f723eb307570350037a40cc438fb7434c285d053b914bfe29fbd79f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
328bdd0591737d7752921b68495e2a15

SHA1
a3aae673b9d25f88b4eeaee6609b95e9aaa8dacf

SHA256
6e59d33f9a1ff154c214ccb2c1e3afa3a7fad5431be330e8a6e867127c96cf33

SHA512
178060157656de5318b9d60e937d3e6b55af82794be58907eaadaf8597b06aa658f85b6e1a7df052ba182bdd9e0ec6287ee66b356fe7b9d20fa2f9078255b3f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
519d566511627d6ddcd756b877d62af9

SHA1
e7a88599b5fb20f8412ab24cc0a1780b92a20e52

SHA256
324dcf6b781525c856f508dc50f1c53f65dc67a2c6a62e466d70ffa331e8a842

SHA512
521561e782e39249df4fe4136781f9cff341915ba7917a1c129e9338bd1d6aaa439898d7795f94f1c0b44b491367f14fdeb63ad0b3958122b3c76106b46cc960

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
54283a31a35ba571b537942d97432cbd

SHA1
0607437672d2f7f05c0e26730b3023003f2b4c34

SHA256
67f827a481d3ba58cd470659c08ffd7650758fd5b81e4d00fa741e081951f87d

SHA512
67d775d656dccc47cc16ee7aba825aa53d7fa8eea66f1d185197f393f2e08a44ae0447babf792668427134c349f1bf2ea74b84e13d24c97dd22f401a1a720dad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c8ba5c2949e1bda9410d6c842fda8316

SHA1
467f51cf1b3c349870e59c0b66377ffc92e9fbb8

SHA256
0a2d2c306017d3f73501e55f3db5b0451f2c2b313a2e710e9ac6db51a7ceb3ff

SHA512
4bb80431fe868a1df9b3a2d6ce423a751572d6dbf0497454e7aa720135fd1ee257e7dd5be2e84409003cc528f1832f0ff077f62c1a4bd5aaa50750768664ef20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6f4cd3b449dfdf457572d0f6bd542092

SHA1
be06e0e20dc057ac0247c5f0aacf6d57223b325d

SHA256
d45f013cd53ea70dd3fc72b466b029e88534991e958578befe727de6f72ae1f3

SHA512
b74a920c5d9e77477891e5d1f09697980182b7e7ae0da1cc49480cbbee91b678f9e75256c41390321f7b3efb1ab78727565c45898edfb9f53846f773012fc274

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7ff2436372dce6c0eaed2df30a8e348c

SHA1
5869331891013be74dbff1589534f57d5adadffe

SHA256
6cc75d4ba485534b15525302958bf92e93c381612d1bc66ffc6552de3df40893

SHA512
52deea0b003619a7716dbc5c41494ba29a22b87ce5036ee6e73cd7b79cd57f0d50c2dc68d4e1ddec615eb0660f605a02795d80308f8c139b239ff9c7c91dca0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
93b397111b3e272825c963a7a83d27db

SHA1
9fdbc68526ce7538d83ebc6f2a678417eaa1aba7

SHA256
51b74773f51408e79f956b35ecde24bb7243e7a88f22f0b51a57a27d8c6764bb

SHA512
bb310e8424a6c3100cfd3d4ae7f7c91f18ad4736c47b9c1195f6c419d954333e102c4cf0469f3dce1dce65d8434f0ed4add1ab683d5ca6484b0d9fe05c4dd510

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a5038ace1f3d6b301d1599ea1e2ab458

SHA1
ec32df1c69c6d8509c167b144b0679331fd910a8

SHA256
b8e123213b7610e7579fa89fc73a91eba689f98fb33581d5d65d0e322bb799a4

SHA512
2c1410973ba594d5aed082e816a52a0aad16014e09e09972dda602f14c27eca3b7e5424731578935330d63c9b542cd907a52ad68d8f10d2a2b43724fd65bc8b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
350KB

MD5
8da8442b0692b2f6eb5ba2cf7ca2e217

SHA1
b4d71378e0384b85801d368de4d8f1512eb01b6d

SHA256
99677548cd13f18fafe329c8f63d43c2174b368bc334c807b6914e26326a549d

SHA512
435d514381e12971d96769421a93e2da9c83c6e43a218f193e655680b19a5f823c8a214a594fe741694baa02e98203056283e5a350e668fed778b47fd9252ed9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
350KB

MD5
50d1f903b7bf5e4701001d35db281a6d

SHA1
b8e1b23e6f48b916efb2658e6347437582b3482e

SHA256
5ebb4af6947170dd2c5c894323a25a2904cb4966712a678ada2713b4098b538d

SHA512
a73581b0bf2906bf34f56e01f12ee6a73c6f9f5e301cacb674e49611e2b42e779289bcdf9b8678b67868be92ac2c07c153d9ebe2557b2a7f78c593a3d0867987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
77KB

MD5
75abbf65600a2e4a9af200335801baa0

SHA1
8faa35821411e3fb75c7c61e8dcad9cd5bf9187c

SHA256
1152d58db674197aa4e53ff84c17311e1e4207ac645cce0ac3981c3f6b26b8bf

SHA512
a44f65177371903acd3132d105d02bbf780d2a4af4eebbc473112be8c25fb05a309d0ab8c1dee3664870b8989e120e430e42107a894f9bcd6359a67f8d422e26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
87KB

MD5
d98925b7cbb3e485e65e0f962a3ce3e6

SHA1
ab394e7d2652b814ec895ed71597b2198ab1fd25

SHA256
368d3edd537d77db9027fa768daff5c03cdf5901e19f5fcbe5c9f6ab05a7b431

SHA512
109eda5bce5beea0960e9e77c43de2816a8a4845ee9c7c8283499e42e12bad8205b3c581ac721228b5e6761cb66b781ba252d057a9c008b1563d7cece94157da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\bc28335c-deb7-4cf2-a403-315df9c43d56.tmp

Filesize
350KB

MD5
a0f79701e45004349259dc6777407055

SHA1
f2bba624134ef6a43783799c850f0da9e465fec1

SHA256
4988307ac2dce039f2af00a83f8e302bf777564bcddc0b74ca6660dc592c057a

SHA512
7e013c996d9c8f277fd1299825e9e249169f9ac63c2d31506d550bba729548f28c336c6dde3860209431cdc6e27d0c0fa6bcef1d86b5e24022a1155eeb8e699f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\IQS0PQ7S\www.java[1].xml

Filesize
323B

MD5
cb55b73718ed45598af19b23e3af8398

SHA1
e81a2aab8dce91cdb8deaf25b20cbfd778f93d55

SHA256
689c1410d292de18a44e6ea834d228ba42ab1c864bea40abfda174e66cea7e99

SHA512
86e7a3a661e0e6d1e425fe0ec52823d3f78af3d8095d50e3510f491c64646fae5ff428429350644d297e519b3d6957ae2afdb26283fbdc78e9fdb89318e5ecc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\IQS0PQ7S\www.java[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\anyweax\imagestore.dat

Filesize
1KB

MD5
c991521f23aad7c005b134b2b407e673

SHA1
66f93a4a2bca1bbe133da256c66f3567b2ea7bc3

SHA256
4a46d52824f0b3e8e29c6094171d87a4f0de8f5e2f09e779197d30af1d2953d3

SHA512
cf70686144aeb436155fdbdedce015605287af34ae645e3251c3ea1d5fcc8bdc7540b2756562923564e99cc52a35fa710f6d04d20615a5cb97a40b95e947e1d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\favicon[1].ico

Filesize
1KB

MD5
8e39f067cc4f41898ef342843171d58a

SHA1
ab19e81ce8ccb35b81bf2600d85c659e78e5c880

SHA256
872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd

SHA512
47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF44F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF452.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF590.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0acd660b9a36204be17bb0a41ebe6577

SHA1
0d61a817da8762e644700407121b48607f023710

SHA256
8b011e62313e8917d65212c07ff71b62a84d1fc664ee236f2149a3f0337943e8

SHA512
0cd40558f3732ba052f65776f773e560858c75cf83791ba1c6f6a4bc25fe9d923735b3ab99c812bd52de135223a8032a5ae7cfcf68d8ab56be605fca30557797

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 710244.crdownload

Filesize
37KB

MD5
355f208d3fb2b38f9b09f0e2569d76a5

SHA1
40865e778499b458531177ad870a5343900a222c

SHA256
7f28a2ae61ffd7f152d7bb24756c8b78076017a000b996eb74c5362bc3ec063c

SHA512
460d250036231931e9676ae3675bbb1309208c0069db497db3af027c8a51e5a5e186f9c765f33237e2c18f181d3a0299d1ab8c9b38e89c252d9577665c9446b7

Download Submit
memory/876-1547-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/876-1548-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/956-1585-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1584-1566-0x0000000001360000-0x0000000001370000-memory.dmp

Filesize
64KB

Download
memory/1648-1594-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/1888-1733-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/1888-1715-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/1888-1749-0x0000000001F40000-0x0000000001F44000-memory.dmp

Filesize
16KB

Download
memory/1888-1742-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/1888-1709-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/1888-1708-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/1888-1711-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/1888-1710-0x0000000001F40000-0x0000000001F4A000-memory.dmp

Filesize
40KB

Download
memory/1888-1712-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/1888-1713-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/1888-1716-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/1888-1741-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/1888-1714-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/1888-1740-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/1888-1738-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/1888-1737-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/1888-1739-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/2520-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2572-1512-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download
memory/2760-1541-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/2760-1540-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download