xworm | d65824b6d2c191eb48d040261d408ecb3f1d0cf6ef9ceac096543b184582aded

Resubmissions

06/03/2025, 14:20

250306-rntphszxdy 10

06/03/2025, 14:17

250306-rl1eaa1ly5 10

06/03/2025, 14:12

250306-rja2ls1ls4 10

06/03/2025, 14:02

250306-rb7eva1jz2 10

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2025, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

34KB
MD5

420aaab8a4e68d5730a9e19422a0fe96
SHA1

f4dd350f797169f22c8efd7de8a252b7d2fcf8ae
SHA256

d65824b6d2c191eb48d040261d408ecb3f1d0cf6ef9ceac096543b184582aded
SHA512

fa1ccd03397231387559381aa7762e786b98fa89c02a8b09b6804a14ed0a3ce45ba11bb6b5f7a112a2420a3bd25f708f2ebc4afb281c377dc372fca563e63f98
SSDEEP

768:0e749/qEkLACVVickCVFy19JZ6aO/hoq/:XaCEk8hcdF49JZ6aO/CQ

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

association-lectures.gl.at.ply.gg:32463

Mutex

Gpg1PP1lxuWY9X4X

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/memory/332-1-0x00000000006F0000-0x00000000006FE000-memory.dmp	family_xworm
behavioral2/files/0x000700000002a341-47.dat	family_xworm
behavioral2/files/0x001900000002ae5f-58.dat	family_xworm
behavioral2/memory/4412-65-0x0000000000380000-0x000000000038E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3296	powershell.exe
4332	powershell.exe
2860	powershell.exe
1944	powershell.exe
3536	powershell.exe
396	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jfiggw.lnk	jfiggw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jfiggw.lnk	jfiggw.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 10 IoCs

pid	Process
1284	XClient.exe
4412	jfiggw.exe
2544	wreojq.exe
2348	tavagr.exe
2436	lrgbzv.exe
1308	cddqbs.exe
3864	XClient.exe
1924	jfiggw.exe
2432	XClient.exe
388	jfiggw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfiggw = "C:\\Users\\Admin\\AppData\\Roaming\\jfiggw.exe"	jfiggw.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133857434640059407"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3144	schtasks.exe
1596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3296	powershell.exe
3296	powershell.exe
4332	powershell.exe
4332	powershell.exe
2860	powershell.exe
2860	powershell.exe
1944	powershell.exe
1944	powershell.exe
3536	powershell.exe
3536	powershell.exe
396	powershell.exe
396	powershell.exe
4588	chrome.exe
4588	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	332	XClient.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	332	XClient.exe
Token: SeDebugPrivilege	1284	XClient.exe
Token: SeDebugPrivilege	4412	jfiggw.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2544	wreojq.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	2348	tavagr.exe
Token: SeDebugPrivilege	4412	jfiggw.exe
Token: SeDebugPrivilege	2436	lrgbzv.exe
Token: SeDebugPrivilege	1308	cddqbs.exe
Token: SeDebugPrivilege	3864	XClient.exe
Token: SeDebugPrivilege	1924	jfiggw.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 3296	332	XClient.exe	81
PID 332 wrote to memory of 3296	332	XClient.exe	81
PID 332 wrote to memory of 4332	332	XClient.exe	83
PID 332 wrote to memory of 4332	332	XClient.exe	83
PID 332 wrote to memory of 2860	332	XClient.exe	85
PID 332 wrote to memory of 2860	332	XClient.exe	85
PID 332 wrote to memory of 3144	332	XClient.exe	87
PID 332 wrote to memory of 3144	332	XClient.exe	87
PID 332 wrote to memory of 4412	332	XClient.exe	91
PID 332 wrote to memory of 4412	332	XClient.exe	91
PID 4412 wrote to memory of 1944	4412	jfiggw.exe	92
PID 4412 wrote to memory of 1944	4412	jfiggw.exe	92
PID 332 wrote to memory of 2544	332	XClient.exe	94
PID 332 wrote to memory of 2544	332	XClient.exe	94
PID 4412 wrote to memory of 3536	4412	jfiggw.exe	95
PID 4412 wrote to memory of 3536	4412	jfiggw.exe	95
PID 4412 wrote to memory of 396	4412	jfiggw.exe	97
PID 4412 wrote to memory of 396	4412	jfiggw.exe	97
PID 4412 wrote to memory of 1596	4412	jfiggw.exe	99
PID 4412 wrote to memory of 1596	4412	jfiggw.exe	99
PID 332 wrote to memory of 2348	332	XClient.exe	101
PID 332 wrote to memory of 2348	332	XClient.exe	101
PID 332 wrote to memory of 2436	332	XClient.exe	102
PID 332 wrote to memory of 2436	332	XClient.exe	102
PID 332 wrote to memory of 1308	332	XClient.exe	103
PID 332 wrote to memory of 1308	332	XClient.exe	103
PID 4588 wrote to memory of 1516	4588	chrome.exe	111
PID 4588 wrote to memory of 1516	4588	chrome.exe	111
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 796	4588	chrome.exe	112
PID 4588 wrote to memory of 5068	4588	chrome.exe	113
PID 4588 wrote to memory of 5068	4588	chrome.exe	113
PID 4588 wrote to memory of 4756	4588	chrome.exe	114
PID 4588 wrote to memory of 4756	4588	chrome.exe	114
PID 4588 wrote to memory of 4756	4588	chrome.exe	114
PID 4588 wrote to memory of 4756	4588	chrome.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3144
- C:\Users\Admin\AppData\Local\Temp\jfiggw.exe
  "C:\Users\Admin\AppData\Local\Temp\jfiggw.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\jfiggw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'jfiggw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\jfiggw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "jfiggw" /tr "C:\Users\Admin\AppData\Roaming\jfiggw.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1596
- C:\Users\Admin\AppData\Local\Temp\wreojq.exe
  "C:\Users\Admin\AppData\Local\Temp\wreojq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\tavagr.exe
  "C:\Users\Admin\AppData\Local\Temp\tavagr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\lrgbzv.exe
  "C:\Users\Admin\AppData\Local\Temp\lrgbzv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Users\Admin\AppData\Local\Temp\cddqbs.exe
  "C:\Users\Admin\AppData\Local\Temp\cddqbs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1308

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Users\Admin\AppData\Roaming\jfiggw.exe
C:\Users\Admin\AppData\Roaming\jfiggw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86ffacc40,0x7ff86ffacc4c,0x7ff86ffacc58
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3604,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3116 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3564,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5108,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5060,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5024 /prefetch:2
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:2376
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff620374698,0x7ff6203746a4,0x7ff6203746b0
    3⤵
    - Drops file in Windows directory
    PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3776,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5100,i,10901929850190743823,10635169590348412430,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:532

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1208

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Users\Admin\AppData\Roaming\jfiggw.exe
C:\Users\Admin\AppData\Roaming\jfiggw.exe
1⤵
- Executes dropped EXE
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f6321c876cfa73c71d66cd4855d9e412

SHA1
ca28669faeaee03b07adb5ab679f617b55584e34

SHA256
55b2a0e2e128c6c6351816e6ca93d4e7326fd491eaba28b5b02f26d2b9ef2239

SHA512
be037cceb2127099d1844f4f68edd3da09c6814fdd2981220b5b5c88f10b1902ce5e672dd8bc55fa6d1c8aa1d356fb3410d7a16623764763eab883c6ac8bd726

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.xnxx.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
595ec4fa212bbc85ca74564a994e316b

SHA1
e8878ac886910a66057a1435c0db6686aa475ac3

SHA256
bec2ddea3c4c0e91df0f83012624cf658345a2042c5732e3c0b3dc5eb78dd6c1

SHA512
a82962288c4f63fac05a5d89b54b99797c34c845ee892395ebe1a293288c90ba9b479445c40ddedad6dda9200bc8cbd5ce7726ec19e0d1392573401ca1066eb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
983c3eac5975e48e308d26eed2f2c46c

SHA1
138554295ed9b3851a18affc092a0097b64bc09e

SHA256
8136a55fbc06f702a806569358449b98eec2c3eaf1444d3eec30ded9cd725dfe

SHA512
3a874c155499fe13dc9cfaaed61e31144d501524f1921e54a1122005e832acf6791203c40039b0feada1fc5203d5b412cf674e83eddda20b8f8b1c9be27eec5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
91f854f75bae530281e1b9dde6d71946

SHA1
5b0c32ce68c794df4bb3065c10d97a836909ba89

SHA256
a3d606488f5e2d4130923bfc11cb6baf793b5cf5718f17df8ce8d78140f76321

SHA512
c07ef25831d32e8201caabc3254c755c8a03a5f3c7e9d413d5f9b5984fa5e9d3cbe15493838cb0146f2bf791f9c3abf250d111c05b7b556c8cd7263d7eb97bfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b7bbcb575655d7f59fb1e8646a682ad

SHA1
75ad17a391f4ec805b6cb9345f8bd7ad888ae510

SHA256
daed3dd2f40a906304c9f888eab63a44605d5dcc4c30e9b14cfcf37b61284c33

SHA512
0db3630ccd53db2c4fd2389a77b72a2f3cd91b717e4eb443bd4a5c4a7345e17a2531be62be3761a2698613c6388913d23429ab2d6e9862baf1932c56a50a6c89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
61237e2d61fe3637677ea38723f2038a

SHA1
6784398b643a2100b204817ef8980a875d76d7f8

SHA256
3d35af2d33f5c9d69fed42041e0b9a9caa9259fae80f66c607144c1655bfa539

SHA512
40772f49f37179459f50d73ef7c9012232161dd2e4383bc9450eb076c2267d67ba78b2e82978139acd0c80722c01c4af7269a86e1dee0948b711c73910a72ca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8346dcd62e4f48f2a4d453b46fe9812d

SHA1
1b8e96aeae8e07a154d24023d63b1d1cfeefff06

SHA256
45dfb812e4f922ada3dea2e35ab08f2e8b4cdf9df315ce8f0a5966e693c36148

SHA512
eb9e3577c3adbe7f947bdb2734b657650781109f459aca2e7ebe9ee32ffd3075c5ec41963b90375f499d48a2bd25d9573771f4441e364da5c1c761e9f1b6ce8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8b778add7908e3f7385a56097646bc28

SHA1
9f4dca510e410f59f95dc3bee30e24857214ab73

SHA256
deb25a33cc69149987a4e65fd2f9a2d01306d9bac4912f9cb84ac3ff0b13639c

SHA512
db3166c9dc597909363b2461a5ea40e3506c3400e2b05c3892db96fae5a948b036435bf1771d06b06323104fd9b00ffaebafdba53f68dc89c10f6692d9560150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
e7274424ab3bd92955a29bf1dded354c

SHA1
dca0932c8266476b12ca17809ae710d8ae362ed5

SHA256
b369e2a86abc7912add6ca682ed9637e530734c504c776760396a7803ddb02af

SHA512
9d02321464de57963581dbce93c4dbdeb54b5f54f29bac26a8d3cd96449d8e9d0fd204edf5e36dd2f8047300b426090da913132d02cc5926c7b92237d90bfb07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
b82f662259952a252041ec6a64448428

SHA1
d0bc75a37e18606d310d4c6645aae25462d9d88c

SHA256
19f9a6878c88bee7c6ca679a3acbefa6475dabc7613768bb17eb3c6c262d0c46

SHA512
2a7e8f37d9d568c98cc1a3579f02849e9ff945897b8b1f3b06022266315c0c9b2adeb6cf17eda93c62fc649bfaafe8fbf2da245da01992bf9223b2d0d340ec94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cddqbs.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
69416944dac24129d0969e2ac46f0533

SHA1
d71969659956b32411e0606a9bee640a0b108ef4

SHA256
dffc7e01106427982d7cafd3d7e3be37e16b098fbb0958410ea8d7c68bfb97ca

SHA512
aabb330053579af0d9de2661bd70eaadfd2e2e617759bc9c380db1c64731c6711304e49882138e9d337815377ee012a7458f91f692cb31538d73624385867f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cb9070f7a07a5d3fc17121852bff6953

SHA1
1932f99c2039a98cf0d65bca0f882dde0686fc11

SHA256
6c908b4ca5b098e166b48a0e821050db43fba7299a6553be2303bee5b89545ac

SHA512
97b9fc5ce40b102e2c9334500f6c17625c982ff8e4afaaabd92c2468cd8deface01d7cdfd267c4f10aac123b7a6173fde85d2b531c6f134a3896a8ca5edfe1f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d9f57d6c4214f890e8c0b575404864dc

SHA1
017f9174a12ca9632ffdf6b4316c88e02800777a

SHA256
3d51900ed720bd3f98cfc27c5a268eaa93b2ae4a40202fcc8240e26d1a3eac8f

SHA512
bec0064af11dd33ba51e4e6271633b3d9143d9e6b99290bc84da066c74eff297dc92071cb56c377739a3ece3e19c780e4591cde667bf8d4aa73eb4797630d042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c24caab1947646fcc49d6158d78a56f5

SHA1
aa2cd00401eb273991f2d6fdc739d473ff6e8319

SHA256
0696315ad3df3edd5426276c265bd13d8bd2a0d101548bcaedd82e2aebde655a

SHA512
35e1d214dfb4c7f078496e3e303aea152aa48f9db5b9aa188aeb82b541582ed77f60bfe8712836232b5aa31d3645edfc79b42c8f90e92e06778f21aa44971bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k52dsxpm.vsz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiggw.exe

Filesize
34KB

MD5
950d739da650457fab6a225545794238

SHA1
e965286161ecda1b8c0072d8a2d80c191bb15705

SHA256
a571fcac5384158c4927e7c7cf07182b68eccf67845ba927beae44cd9835e3f8

SHA512
b7b91343176c5a7f6408b21fbc96c23d0b02c080b846e29f304ba91de1d0f37a772953e7ab65d1d627cb3490fbef3b85681564e878d8dcda57c0897dbad1d19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4588_1002749830\450600dc-99e0-4c58-b0d9-3a2185accb8a.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4588_1002749830\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
34KB

MD5
420aaab8a4e68d5730a9e19422a0fe96

SHA1
f4dd350f797169f22c8efd7de8a252b7d2fcf8ae

SHA256
d65824b6d2c191eb48d040261d408ecb3f1d0cf6ef9ceac096543b184582aded

SHA512
fa1ccd03397231387559381aa7762e786b98fa89c02a8b09b6804a14ed0a3ce45ba11bb6b5f7a112a2420a3bd25f708f2ebc4afb281c377dc372fca563e63f98

Download Submit
memory/332-42-0x00007FF875D13000-0x00007FF875D15000-memory.dmp

Filesize
8KB

Download
memory/332-50-0x00007FF875D10000-0x00007FF8767D2000-memory.dmp

Filesize
10.8MB

Download
memory/332-152-0x000000001C6D0000-0x000000001C6DA000-memory.dmp

Filesize
40KB

Download
memory/332-49-0x00007FF875D10000-0x00007FF8767D2000-memory.dmp

Filesize
10.8MB

Download
memory/332-0-0x00007FF875D13000-0x00007FF875D15000-memory.dmp

Filesize
8KB

Download
memory/332-1-0x00000000006F0000-0x00000000006FE000-memory.dmp

Filesize
56KB

Download
memory/3296-14-0x00007FF875D10000-0x00007FF8767D2000-memory.dmp

Filesize
10.8MB

Download
memory/3296-15-0x00007FF875D10000-0x00007FF8767D2000-memory.dmp

Filesize
10.8MB

Download
memory/3296-13-0x00007FF875D10000-0x00007FF8767D2000-memory.dmp

Filesize
10.8MB

Download
memory/3296-12-0x00007FF875D10000-0x00007FF8767D2000-memory.dmp

Filesize
10.8MB

Download
memory/3296-11-0x00007FF875D10000-0x00007FF8767D2000-memory.dmp

Filesize
10.8MB

Download
memory/3296-2-0x000001FF37F90000-0x000001FF37FB2000-memory.dmp

Filesize
136KB

Download
memory/3296-18-0x00007FF875D10000-0x00007FF8767D2000-memory.dmp

Filesize
10.8MB

Download
memory/4412-65-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download