xworm | hxxps://gofile[.]io/d/aVrwVf

Analysis

max time kernel
154s
max time network
154s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06/03/2025, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/aVrwVf

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/H3wFXmEi

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000027e4e-88.dat	family_xworm
behavioral1/memory/2892-90-0x0000000000180000-0x0000000000196000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 3 IoCs

pid	Process
2892	XClient.exe
2640	XClient.exe
1220	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	pastebin.com
50	pastebin.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133857018508400597"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeRestorePrivilege	1892	7zG.exe
Token: 35	1892	7zG.exe
Token: SeSecurityPrivilege	1892	7zG.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeSecurityPrivilege	1892	7zG.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeDebugPrivilege	2892	XClient.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
1892	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 4732	4380	chrome.exe	80
PID 4380 wrote to memory of 4732	4380	chrome.exe	80
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 4116	4380	chrome.exe	81
PID 4380 wrote to memory of 2692	4380	chrome.exe	82
PID 4380 wrote to memory of 2692	4380	chrome.exe	82
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83
PID 4380 wrote to memory of 2992	4380	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/aVrwVf
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffabf3dcc40,0x7ffabf3dcc4c,0x7ffabf3dcc58
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,11744178834860593935,1146239142055245000,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1984 /prefetch:2
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1940,i,11744178834860593935,1146239142055245000,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2028 /prefetch:3
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,11744178834860593935,1146239142055245000,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,11744178834860593935,1146239142055245000,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,11744178834860593935,1146239142055245000,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3632,i,11744178834860593935,1146239142055245000,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3832 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3340,i,11744178834860593935,1146239142055245000,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5028,i,11744178834860593935,1146239142055245000,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,11744178834860593935,1146239142055245000,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3836 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=840,i,11744178834860593935,1146239142055245000,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4432

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4424

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XClient\" -ad -an -ai#7zMap5886:76:7zEvent21825
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1892

C:\Users\Admin\Downloads\XClient\XClient.exe
"C:\Users\Admin\Downloads\XClient\XClient.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Users\Admin\Downloads\XClient\XClient.exe
"C:\Users\Admin\Downloads\XClient\XClient.exe"
1⤵
- Executes dropped EXE
PID:2640

C:\Users\Admin\Downloads\XClient\XClient.exe
"C:\Users\Admin\Downloads\XClient\XClient.exe"
1⤵
- Executes dropped EXE
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e1a6ff20aad758d4a9b8fb90dda3d9dd

SHA1
92e858f212c308e5a0b479a2fd91de4861ee3e16

SHA256
f5d1aea3f12c5469ea6ef77d5151650736769ca7a892ead0c2dcfd65f22e4636

SHA512
25ba01ef2c833ace4212d4685fe4a345c8595adb03315f314c114c069752a289abec0027ed249dcaf6133722abb147a394bd49b67caa29e1b4351c02090f43ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
39KB

MD5
a979aa1892eaa53ad14881aa46b79b29

SHA1
a81f050fc30bb4078b28abfbce85d11cbb789466

SHA256
9f352490cfc20cc6ffb63c6d6b3fe1fc8f37bf42c194663bf7c558e9ae295aed

SHA512
f3a46cc79620c1540685b1bff640f7c82f08c714b42640d680872cb1968723b23df7597602d2a9e879bf7d4e4a48ce1091cebeada37663960a778d4fc0082308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
2b5b642ca1f41bd0697be61083224578

SHA1
a8369f13712915f7efeed1d6af742b7e5933132d

SHA256
e3498e4353dca987ea99e13908077521789b3ee13aa98f8f28fab54ea3babc7f

SHA512
773e6f943a477c795bec3d30ce797a36a56be1698111fa29fbc7d3bab9f73c0567c4b60ef6870f4fb2a32180e59e1e1e09b21c687e71eba3c3f4e4d948d9f2f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
6b5df5ce2a630868e5a01a72d468f650

SHA1
716332db957aa341d4e8b01de5baef3545b1e2a1

SHA256
6b0e1879775d735fb11edd2717194494fb47d622733929a4c42a6d6e3276dcb6

SHA512
83055a8a6aa37d2bcc6692c5292a4f2ca5e483cc7afb8ecb99201d489a61ca8a37d481eb7bafdf5055e310924abde2641fcc9c43d74f24a46e62658fe19802ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
b07fd9955600191d64c34a15e1b7f953

SHA1
c6d2b4c522e9b53381bd8d06c5c2b1ad77189e69

SHA256
a92935cdc24ae345d0cbdd0b504821ae675c5b402e09350cfa9102ad43a43293

SHA512
81ab7af52727e15d083425da5ce57ed1687efa3fce2c57a15966ab1385f15367fd00e7d59b38f47c2648bd00b8aacd87b9b5646597dc6654b5512413a8dca680

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c005717cf928fdf5ab33eee6f05d3418

SHA1
6fd2addc3752546c229a727590e43f1baa46bb2d

SHA256
0ef944d220151fa909911e142a74909225a579e1e647065c5439f1022a4e2d0e

SHA512
816ebace08f9bee6223f879da626660f7ff967ca3e15e3ab23db559c7c14e330a220ff14a3ec19c5287c312aa7b8e7932f299c5b61e4fa702c86d3911649deca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a5e09136551855e0cdd80a3786119357

SHA1
32dabd04689e8ba8d56bdbd86fdcfa25979a2364

SHA256
7a26619c18d661deab95d9021401266c0763e961d80962624564bc2423fa3436

SHA512
69befc1dca646ab8d54596ac8a003c199c7d9f3144faa6942e304aa2f21db762429b8295a56d00b13bfa5f541ec7e25c4337c1ae2d574c9c152c7c6d85c5cf58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9025245d1b4e33b09c67840dd8ec4812

SHA1
e0c883f31d10ff7cf27ab8e8bec1d1bc384335b8

SHA256
c4ae4820f421eb62581a0d0d3f32aa67fc8319cec57578da73a12a43ab657bdd

SHA512
20d9e83565ef6162ff14603d36539ae027ad95eeea2f9eac1ea3f3ca1fcff895771430ac8ce6065d94f06c0c8cea7035ef22febde74c05798b9bf74a6707fda8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3e61b98860a118a9ffc97295140ea0e1

SHA1
673df577a0f743d306bb8989827d1840fabcd49c

SHA256
fdff3ec4d8082670076f1f9b2e81654e12923b04ca53842275d9ef7bf2ad15db

SHA512
5ef55be17a6fa4f23ff5e62fe3722b8c2c545d9d8697fffa5720151dcd414900b01c317db1249b105149d1edf9d6740fcd5e85d901d1d48c291f814d98a7158f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
13148aa990facf4edf22835fdfc98c75

SHA1
4090283659af3c9fa9a059324578e68569017d54

SHA256
3dc96acc4b859af04410eaa9dc9a4f0ecae64baf4fb4eee09fd513669ffef292

SHA512
34015b33447928b4a685b1a192686120276f40ebeb281f9f1525a529ae854d7f7db40ea8c443f84dc77ac8b0c244c8b8b9246793e95e314632e96f94523b9719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
981fee17818395a61f6d038d040f6b81

SHA1
0ab14c77e7975de43456777b96a28896439a910d

SHA256
70ad8196f443a513184b2ecac6d09bc5147eb5e09d7dae76fd96ae0763c85df9

SHA512
3fe5f10b5c6ead5d6fae35a07001ebf455df54901174f67c02515a2c24fbca9cc686dbf2c507e94d2a81acb4e964961f8f66c351591267aeb558348640c1991c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f2f2cb9f0bd22834e85f0b597688761b

SHA1
b8976016adc4742cbf36217fd0686c1e63480386

SHA256
b8127dbe55c6e52c74fe6defff1eb5cf2bd3dee48a2a5c35b24bda5092ee472f

SHA512
7dd204ff5e5eb2d8c00ebcaec25bcd8370808fdd619efbdc44426129e3149e73172f50386752a7d0d248487d820e5e935ea2025dc4fe48efc1d88d2cf4868376

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5dd0e5676d0884bec41f1604717bdcc4

SHA1
6669ecfd4ce9d71e2f19894b318dd6a9c9f27378

SHA256
6991932432885b16b6d8e2e4aa62874d853463790b38f5eb305408c51d4ae5e8

SHA512
16ddd306ce61cd13917a674f4d5b16065780b381085510d515abd0da1c5ff531b8b9940259e192a7dc4bfab7065254c5223ddeeda40d666ed6f46f2565ca17ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c8628f39ee876bc6446cefcf129edcf

SHA1
486dd567adeb95ac155c0b3a8f5ffcda6348041b

SHA256
56c0e6fdaa9f4a0f86e3737d7dd41d86c8ae4ce5ebeefb9e82a58eafe8b5ef5b

SHA512
de77e83894f66fd66c0f9c3a748ecb31128911ebebee957b1105c8d966bcb0aa8b667e69b01c3ead032d93fb73006de0d4c1f4399a4b76406b506f47af01a245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
74cb7ecd1b2d3f5f4e3a334b95dc9282

SHA1
0f67edd366010f576fdc7a9c925a2a6b98ad3498

SHA256
076732859551b64a9ae649d2d48d4c932623c2cb4bb23c280303d5b792436906

SHA512
9a9a8cc39a8d98f40077f9f179b1a6fa26c04975782e09f4b997cec4e10b2c50542de0383ee7c3a9af4e0446d727936bb8d615d597354963ca471624d79ecc6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
6e97a1b691e4e86acc86a9b8ef8f74e7

SHA1
113f88d6d0764a74b32f63d3d6efa14386806bf9

SHA256
7ee8c09b8dc51fdf627dde81ee5463089383537e842b9ce88f1a21a840d7eba5

SHA512
feb5a7f15c24efd23c0149ab0bf714587a56497e0f61b6cf04d762dd1ae6f1719c06538bdca2d8e39cee068615bac344af2aae44813afbf3c6e28534349e6cfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
2a9716ed367d07bea0ee9634c6ac80b8

SHA1
ddd9d1ea176db1fabe481684c693d778bd12a37a

SHA256
ae4e6ccf13798de8214bccfc8aa4b82a3fac255c8844031b7ba13d795c3ee585

SHA512
9dc5d6ee56d53265788f89fb88fcb85f1cac24161e42e78293b28ec9cce77f4e36eb813ef6506f7976bba9111369b49ae5efbd48df1c0f5b065a4ed3eb4abc73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\Downloads\XClient\XClient.exe

Filesize
66KB

MD5
c6ea111c19a9c9801ee1a2ef47913d18

SHA1
8a606099796f6e5aff656e095d755be62238a47f

SHA256
5d38a965c0470922de8fc9814bb22bbb9cbf7860f0dc8cfe5c0041f10bd8c7dc

SHA512
069739d907da860483c7931dc560ebf055f3c3806cb3382c15942a4f6922c84be7f0fba8e71199c1d0bb5daeb191250936071af86f30ab6d7fc9ec04217173c9

Download Submit
memory/2892-90-0x0000000000180000-0x0000000000196000-memory.dmp

Filesize
88KB

Download