xworm | 4284e1cef08f8eeb36b70e700d580f34294253d7e0692bdd687240bd534923bc

Analysis

max time kernel
221s
max time network
231s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
28-06-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

69KB
MD5

95ffbe3fbb27e900e3bf7012175efc24
SHA1

b386127111d1c82f20e4625b805aa8a01dae9192
SHA256

aeea4b2f2f8d924f36c902d96c0b77182984530acaedb33b3124665c4b2f769f
SHA512

409ede5eff17f9d239adae7df9a594072b828088e9a19d173f7064b89f678ee36a6b25db4ba0db6bb74521d7e88b12f737b8d80abd7854476df94aa89edacc95
SSDEEP

1536:ALSNQK0UvT9Mti+zoQ+bVEmuZAauL67LHXOoG1U2CEW1:AeN1/QX+bCY6HXOv4EG

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/4088-1-0x0000000000AB0000-0x0000000000AC8000-memory.dmp family_xworm
C:\Users\Admin\AppData\Roaming\wininit.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1472 powershell.exe
1976 powershell.exe
4988 powershell.exe
424 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

wininit.exewininit.exewininit.exewininit.exe

pid process

2452 wininit.exe
4636 wininit.exe
2136 wininit.exe
1472 wininit.exe

resource	yara_rule
behavioral2/memory/4088-1-0x0000000000AB0000-0x0000000000AC8000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\wininit.exe	family_xworm

pid	process
1472	powershell.exe
1976	powershell.exe
4988	powershell.exe
424	powershell.exe

pid	process
2452	wininit.exe
4636	wininit.exe
2136	wininit.exe
1472	wininit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Roaming\\wininit.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640595197026263"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4360 schtasks.exe

pid	process
4360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXClient.exe

pid	process
4988	powershell.exe
4988	powershell.exe
424	powershell.exe
424	powershell.exe
1472	powershell.exe
1472	powershell.exe
1976	powershell.exe
1976	powershell.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe
4088	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

XClient.exe

pid process

4088 XClient.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2120 chrome.exe
2120 chrome.exe
2120 chrome.exe

pid	process
4088	XClient.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exepowershell.exewininit.exewininit.exewininit.exewininit.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4088	XClient.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	4088	XClient.exe
Token: SeDebugPrivilege	2452	wininit.exe
Token: SeDebugPrivilege	4636	wininit.exe
Token: SeDebugPrivilege	2136	wininit.exe
Token: SeDebugPrivilege	1472	wininit.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid process

2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XClient.exe

pid process

4088 XClient.exe

pid	process
4088	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XClient.exechrome.exe

description	pid	process	target process
PID 4088 wrote to memory of 4988	4088	XClient.exe	powershell.exe
PID 4088 wrote to memory of 4988	4088	XClient.exe	powershell.exe
PID 4088 wrote to memory of 424	4088	XClient.exe	powershell.exe
PID 4088 wrote to memory of 424	4088	XClient.exe	powershell.exe
PID 4088 wrote to memory of 1472	4088	XClient.exe	powershell.exe
PID 4088 wrote to memory of 1472	4088	XClient.exe	powershell.exe
PID 4088 wrote to memory of 1976	4088	XClient.exe	powershell.exe
PID 4088 wrote to memory of 1976	4088	XClient.exe	powershell.exe
PID 4088 wrote to memory of 4360	4088	XClient.exe	schtasks.exe
PID 4088 wrote to memory of 4360	4088	XClient.exe	schtasks.exe
PID 2120 wrote to memory of 3552	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3552	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 2252	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 4432	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 4432	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3904	2120	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wininit.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\Admin\AppData\Roaming\wininit.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Users\Admin\AppData\Roaming\wininit.exe
C:\Users\Admin\AppData\Roaming\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3036

C:\Users\Admin\AppData\Roaming\wininit.exe
C:\Users\Admin\AppData\Roaming\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Users\Admin\AppData\Roaming\wininit.exe
C:\Users\Admin\AppData\Roaming\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Users\Admin\AppData\Roaming\wininit.exe
C:\Users\Admin\AppData\Roaming\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffcc509ab58,0x7ffcc509ab68,0x7ffcc509ab78
2⤵
PID:3552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1868,i,6050951467539232457,3763344557383758474,131072 /prefetch:2
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1868,i,6050951467539232457,3763344557383758474,131072 /prefetch:8
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1868,i,6050951467539232457,3763344557383758474,131072 /prefetch:8
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1868,i,6050951467539232457,3763344557383758474,131072 /prefetch:1
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1868,i,6050951467539232457,3763344557383758474,131072 /prefetch:1
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4192 --field-trial-handle=1868,i,6050951467539232457,3763344557383758474,131072 /prefetch:1
2⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1868,i,6050951467539232457,3763344557383758474,131072 /prefetch:8
2⤵
PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1868,i,6050951467539232457,3763344557383758474,131072 /prefetch:8
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
810B

MD5
157ef8f4d7fbab0d5b3708146b7025ff

SHA1
1bfb0bc1aaa78ac1174c38c011a74c9a360beedf

SHA256
3291427d47f2a196e574660fecefd4a4401af50bd4e5b047cbf6915d03c7629e

SHA512
9d0d4b862eaac0f915c5de93eea3f1a0cb1591aa4a53be1e02dd6f3ed7f39ef9b6431cf116482fdaeb4949fb8204666dfb1c29fc7a6cf926f5e154f1f8f3ef3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
747d907d0f470cd296f4588927b762fd

SHA1
31900b2c48e2685295fbb8c08c4faeb0cf73b52c

SHA256
c18a281db74ec31b0092438b4cd2cc365c3dcd3d8964b5d794890ea8e6a613af

SHA512
2660cc2e033fd95b9640104fdf7c97d27d2278f35e7f5d35e1c490311c637e27cf12193413c90e88a1e7904272f77b1c465fe602f63c0eccfbb06d9e13a36f77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
d4769f73fcf8f3b16632dd8a5fb20ecc

SHA1
930e3823b5aca73dbe49b1e143425c4bff105b35

SHA256
a88dc7c0140e18606cc2150a2849940bddebe3e2dc82dbba32001d2bc5c41a64

SHA512
39d9923445d34c8ca8ae2f82943e1926f266802d12cc7a4c0902ac709d528c2790a822f1b14fd2925c3a8e0c21d36b0d3e8ff5d4477b9bbc21695ccd63de9a57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
56919c664128031389bb99c4c12587c6

SHA1
8ca920c0aa6b5715ea8203aa62aeb551219e2b93

SHA256
4e4684e9242108a658aadd17e75439a248847a17bd96f9ae56ed676b96e3f389

SHA512
51c37bbfd4fd6d9c9d441475b55f5d8fd4357825a2d1f62d2ebccaae6d07a35ed453366754f7136ee1285f610e0bee9d8071c4641050e20f3573a9a8bf783f94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log
Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
052b734e3d0b49bccde40def527c10df

SHA1
2ac7c9bd7dc7bd54699fd06252a89a963e1c1ec0

SHA256
d51b94b595a5bee567d89011dc8d97f6210a7911828e5a24172708d5a177f65f

SHA512
bbe94350f51a4029f44631e5bb6658d9583d46011db3ca3159a21b179ab7dc7b200a27ccdf34897fdcba890acec2cdb84a2c1ba0cd95360478e38e911f56f4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_goc2ajb1.egn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.exe
Filesize
69KB

MD5
95ffbe3fbb27e900e3bf7012175efc24

SHA1
b386127111d1c82f20e4625b805aa8a01dae9192

SHA256
aeea4b2f2f8d924f36c902d96c0b77182984530acaedb33b3124665c4b2f769f

SHA512
409ede5eff17f9d239adae7df9a594072b828088e9a19d173f7064b89f678ee36a6b25db4ba0db6bb74521d7e88b12f737b8d80abd7854476df94aa89edacc95

Download Submit
\??\pipe\crashpad_2120_JLSZVQEEBGWCOBFV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4088-50-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

Filesize
10.8MB

Download
memory/4088-54-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

Filesize
10.8MB

Download
memory/4088-0-0x00007FFCB83B3000-0x00007FFCB83B5000-memory.dmp

Filesize
8KB

Download
memory/4088-1-0x0000000000AB0000-0x0000000000AC8000-memory.dmp

Filesize
96KB

Download
memory/4988-17-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

Filesize
10.8MB

Download
memory/4988-14-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

Filesize
10.8MB

Download
memory/4988-13-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

Filesize
10.8MB

Download
memory/4988-11-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

Filesize
10.8MB

Download
memory/4988-12-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

Filesize
10.8MB

Download
memory/4988-10-0x0000016CEA460000-0x0000016CEA482000-memory.dmp

Filesize
136KB

Download