xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
1561s
max time network
1564s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2516-1-0x00000000001D0000-0x00000000001E6000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm
behavioral2/memory/2176-36-0x0000000000EE0000-0x0000000000EF6000-memory.dmp	family_xworm
behavioral2/memory/1648-275-0x0000000001020000-0x0000000001036000-memory.dmp	family_xworm
behavioral2/memory/2040-584-0x0000000001330000-0x0000000001346000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2852 powershell.exe
2648 powershell.exe
2228 powershell.exe
2188 powershell.exe

pid	process
2852	powershell.exe
2648	powershell.exe
2228	powershell.exe
2188	powershell.exe

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Executes dropped EXE 6 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

pid process

2176 svhost.exe
1648 svhost.exe
2040 svhost.exe
2468 svhost.exe
2444 svhost.exe
2032 svhost.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2176	svhost.exe
1648	svhost.exe
2040	svhost.exe
2468	svhost.exe
2444	svhost.exe
2032	svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Enumerates system info in registry 2 TTPs 35 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

csrss.exechrome.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

winlogon.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2952 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exechrome.exe

pid process

2852 powershell.exe
2648 powershell.exe
2228 powershell.exe
2188 powershell.exe
2772 chrome.exe
2772 chrome.exe
2772 chrome.exe
2772 chrome.exe

pid	process
2952	schtasks.exe

pid	process
2852	powershell.exe
2648	powershell.exe
2228	powershell.exe
2188	powershell.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exepowershell.exesvhost.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2516	sv.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2516	sv.exe
Token: SeDebugPrivilege	2176	svhost.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe
Token: SeShutdownPrivilege	2772	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe
2772	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sv.exetaskeng.exechrome.exe

description	pid	process	target process
PID 2516 wrote to memory of 2852	2516	sv.exe	powershell.exe
PID 2516 wrote to memory of 2852	2516	sv.exe	powershell.exe
PID 2516 wrote to memory of 2852	2516	sv.exe	powershell.exe
PID 2516 wrote to memory of 2648	2516	sv.exe	powershell.exe
PID 2516 wrote to memory of 2648	2516	sv.exe	powershell.exe
PID 2516 wrote to memory of 2648	2516	sv.exe	powershell.exe
PID 2516 wrote to memory of 2228	2516	sv.exe	powershell.exe
PID 2516 wrote to memory of 2228	2516	sv.exe	powershell.exe
PID 2516 wrote to memory of 2228	2516	sv.exe	powershell.exe
PID 2516 wrote to memory of 2188	2516	sv.exe	powershell.exe
PID 2516 wrote to memory of 2188	2516	sv.exe	powershell.exe
PID 2516 wrote to memory of 2188	2516	sv.exe	powershell.exe
PID 2516 wrote to memory of 2952	2516	sv.exe	schtasks.exe
PID 2516 wrote to memory of 2952	2516	sv.exe	schtasks.exe
PID 2516 wrote to memory of 2952	2516	sv.exe	schtasks.exe
PID 860 wrote to memory of 2176	860	taskeng.exe	svhost.exe
PID 860 wrote to memory of 2176	860	taskeng.exe	svhost.exe
PID 860 wrote to memory of 2176	860	taskeng.exe	svhost.exe
PID 2772 wrote to memory of 2764	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 2764	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 2764	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 784	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 1236	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 1236	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 1236	2772	chrome.exe	chrome.exe
PID 2772 wrote to memory of 1464	2772	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\shutdown.exe
shutdown.exe -L
2⤵
PID:1792

C:\Windows\system32\taskeng.exe
taskeng.exe {23876387-BC66-4176-9C67-2658F95AEE05} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
PID:1648

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
PID:2040

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
PID:2468

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
PID:2444

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef15a9758,0x7fef15a9768,0x7fef15a9778
2⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:2
2⤵
PID:784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:8
2⤵
PID:1236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:8
2⤵
PID:1464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1280 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:2
2⤵
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2216 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:8
2⤵
PID:2784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3564 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:8
2⤵
PID:1884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3860 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:8
2⤵
PID:1132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3828 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3808 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2260 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1856 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2480 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2056 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:1896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3048 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1288 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:8
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1392 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:1128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3044 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2648 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:1
2⤵
PID:2020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:8
2⤵
PID:804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1180,i,10839044058123236771,11186751844758937802,131072 /prefetch:8
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2312

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x574
1⤵
PID:2232

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
PID:1456

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
PID:2136

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
2⤵
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A9377E7E528F7E56B69A81C500ABC24
Filesize
889B

MD5
3e455215095192e1b75d379fb187298a

SHA1
b1bc968bd4f49d622aa89a81f2150152a41d829c

SHA256
ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99

SHA512
54ba004d5435e8b10531431c392ed99776120d363808137de7eb59030463f863cadd02bdf918f596b6d20964b31725c2363cd7601799caa9360a1c36fe819fbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A9377E7E528F7E56B69A81C500ABC24
Filesize
176B

MD5
f5f020e8bbc4ee36af2fe5b9280832a3

SHA1
27c11bfe59b042f1536e11f963aa4a7dd7726d79

SHA256
c56e81152eb88938ca78936a19944b43ca40d1466d768daa2a033bba47253e6e

SHA512
cee54912803f0f48874d2c6e001e9f9feec95c27019045878336424f4aa2dfcd6151e68c1855c75530b0ae939f2e5cbb76bc205adb8157db7d3551da83274917

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1c11bbd4a81a8c4a0cc9e3f814d9b542

SHA1
faf0a8a5e3a60c9c35548db61f0861bc03c06490

SHA256
96f803aac6bf9a80e416b0f619d39817c5888b9bf9b76e5ae7a6a389699de8d7

SHA512
182af200bfd568955443c79cdda69727eb28812d34d57f111422c37dd681e03dc393fba99dd674d4e44bfe1ec53e8965fa162a74c09776bb9c90215be5846229

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9539ddaf0f32397d7c4304fce6dd2c66

SHA1
b16e7aad9f29abea53afd3952439788de60e3e64

SHA256
2c03020fec01d4c4aeaed9523f108005baffd5be975e7850e2156ca18f71f039

SHA512
a8930afdc4ebb89ac8be1c77acb0b2f6ba0d426ccd530f9202f1ff6bb9fb170b389a551bb69a16627105017ae669a294fbea0d00ba4cd02733d15a74fd1c2c88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
521c3ea8b81ea15e8d7103a84158f81f

SHA1
a821d24737b89832bb3505520aba18dddab0b0ef

SHA256
f7f632859f1167025af23663332e3991b3f47330f84ced5cffc5257adf06b892

SHA512
ec701c9f18a3e1c11522f78db3827fabfa603617099842ab4070949e23604f7493a72dccf0fc0b11720c1f7fe95acf1de9fadd2232af31c2e6362e88e654c120

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\90c8a5ba-f5c3-4107-ab3d-9fcc6989e58b.tmp
Filesize
6KB

MD5
ed253af54d972d38d04a916cd872758b

SHA1
27a7b1310402b8d064f228fe204755e3dd96fb0f

SHA256
eb5e9f12ceccedb8760cb7d47016049283d57db49494c32154efe82704f70d1f

SHA512
fda2899dd929bcb5741f8765b3f63ea878384a887f78cc32358f0c4a5b7700171ead915aafd0b452a7378858ccd57a511047ac418c9df501f86e687d71aa5e3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004
Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
552B

MD5
b24bb6d84b0367ad02aa14940629c6e6

SHA1
ae3aaa8ef2c994abb3e3f7ab0c1721d441127e17

SHA256
02c029cfd0653a7a3bb687e963d622e66cc762435dc446dacc3a67280d3f20f8

SHA512
4a1f053b10d1bc060b1087aa61818c0c33156336ff682fbf87a2129ee00ae73a30035267bb7c51213616bd602e242366bbce3a20840c6dba5bc3b10f340025bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
1e805ff3211fc22625366b3accaaa4f6

SHA1
8abef3babaa9208717a7abc13392327866f4e221

SHA256
40933dde306a6e1d7a100eebf56ba5c62fbaa0922f84f96f2b120b45cf18b03d

SHA512
e953cdbc367b7b1f573b0112134c397e1502281ab0ad96d38d98972a8211fa1c47208d1f19aca0b0d9707b25fcc4158c21bdb9d812d8edde7769de1191be3da5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
3c921e1615399dfa946f6e0e38e62818

SHA1
a381bd5ccca7b5e23e81715896ca269057a718a3

SHA256
7a0c5e89baf6e18f7b88daf4e391829fe3ca06e67840ca012921c283b1b25be8

SHA512
814e2dc161abbf4875f40b2d7ddb18d461959ec59b95b9f1bd81fd20961e5fab980c16bdb2dcdfe12e6ca4b74eef27c5794442f5df48b7be71d4722cc5b7d4ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
200B

MD5
e3d8006a40392567737ceb7762d29c67

SHA1
ee2c82a780c6f418b7a8ae0dbf5de61f99ff0339

SHA256
f5a6f1a290751d6943c7a277e5079a85614ed7fecbab621366ae3c047a4cfc9a

SHA512
0d222823beb5d3bdf42c9ed7d07bb965b95f77bee2cc900e8b8836fb75a08b0755199af0ef372714cba1c6b30e09313f1487af1561e3d6809326d1bb20775778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
363B

MD5
a0a1a72308f38c771895f95096dc3dbd

SHA1
dcc987f083049ba1693e45a367553079e46ba2a5

SHA256
a5181e27cb729ea8a0db5efc7f0b3249dc1d14f2f911e3255bee699957fe5e90

SHA512
c4e1a983966049730e3853866473d90561d1c4bd75afefae32675279ad811f52c20062be81e1195af128466948f6879697b339810c1d033883befbdb48b76737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
194B

MD5
59d73cf2d76257cb693321540b8d1a1c

SHA1
6689549845ca691a39598335014e50246065d20f

SHA256
342484c571fd93e5ff6ca4b7edbf56975259c8b9b654ae7607ac760e57bb5ce7

SHA512
52e0f8f41661225d8041a4d0574be1124d51e3a8f5571a82747f9fb72aee27ddb9adfaca1790a2e7059d48e62c36610f7493100594b29305ae2e01a6c449bdb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
200B

MD5
0a6dda36465fa863fab0478d5b8df7c4

SHA1
f60a2b7ee6198a0d4f7fe2463a920e3c2182237e

SHA256
7fbe700c124fd96ad1195d2d657dbe8a95e2ce1c6505a0eeafc9145f6a87d59e

SHA512
b8029fae66e18a92a2d93d4b92a4d2128c9389ba536c815b024c2d7b9b47754849b3442332446ff87e27c3323285efee661c49c57d9c03e1cacf8009b14eefb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
8fea0a8e3523675b08720c6b4000b887

SHA1
c0e993e8147226c772bbe91c3fa66f383db2c4d9

SHA256
530f9536f084996ccb118053695016c987a60bd4821cc2ee8023b80816e5cd1f

SHA512
f737ba06fce3b7cf3d61ea88f747934713d70d13fc99d08f1328c6905ce435faf37f58251571672b06f676ae0ee678b0cf1a999c99b0ddb2037a74f33a27dd35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
6b8fcfe5ae7afb2df0594c2852dacbac

SHA1
18443e88981a10dcd1431332d921da6314ffa7ae

SHA256
cd5ab663f9c9a919717c63cc673d84c77106587304acf0ad08917f1a39a62bed

SHA512
a27b5524194c62aeb5937d9d9aa04aa47e4e7aa236f27eb8b30cb6feb007e2a8b8bec59acea0497306470dc0e75018fdb332b43236ca6b38b03fdb0a98b480bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
5402b386b37e88e9ac1b9756117e5ea8

SHA1
b6da4a5a1df3662d71aa5f669c14f1ab66b55b97

SHA256
242464733ea12782453ea8d3ab6b8bdb997b7bf3350ca7e8770c7a04741f3751

SHA512
4a33c20d7e9303d17c14653694b41310ef562f0ca70d00359e25251dad05a96a3c29c10243187418afff795b18b945690459e97542d829fbaf3f30e678df8f83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
6a7d064ffa22f0cede62612d424e3854

SHA1
681896c44eb48ca3c32ce9566714aef63a8e362c

SHA256
8067872a6f5ff2dfff6cd1f93fccc41e6f58b632c9676ef72db1440a3477e1e7

SHA512
668bcb63beb60d00756befdb6ce9a1e04ce8add109661361a2526960cab342a98070029065f5b02f77514bd35c05ff6b5e6dd0b80264fd1587067a98ecbccec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
8a6f5eec8a4f1f7b46f361ce43cd62f4

SHA1
14c15fd5cf7a22dd6ea42bd423870db569b78e04

SHA256
179532aba96bc526703641304b93b16edddf7b03370edcebed002b82a2d75f09

SHA512
97aebe06c3518f55deb7e94c7d7b1ead907421da113c734438cca412a07ba106bfbefca060cbc4b2f2161ff118eab8f4fe8de7ec32bba5d18b28106e339e4c0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b20daa33b9840d4a00e8bb3407414f26

SHA1
fe7df54a46b4676f6af73698f3f7f2ce14c56bb7

SHA256
244becb6686df18a29a0e8c1660b52318e2fd45d1eb49bc3072b3716f9d779c1

SHA512
d3b6a2a7e0048315037bdc04a3ca41a28a9771d360bc742c669cafefe3e189ab94d03f06ba253e4696d7901705c425c0ff3f1f56a74302ce8b625c15687cbb29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
153KB

MD5
f67de4d258d328593ebd42814415b907

SHA1
441f74925bf3315187be61c6f1470cef63ea8aa9

SHA256
7f141ec4de99cdf71816f52d0e1e19812a0746ae0ba589f2cf00d14e7025db65

SHA512
ebc3aa13c4690fcf3f552ccdc073678b8cf58ca664ca8e984b46c90cb979b449dd2075d388b7f185aef3bc76d4917d0058afe6f9f2b18df7e79f29d1a5f2a865

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
76KB

MD5
a79de1656f0ec481bacc46091c949f2b

SHA1
a079a0cc6bb3dc595861860451eeafd7342a7d33

SHA256
14588b9ab4d49d6b4fc2d126052fb5b70360b4042bb452da2b5f96b099e00bf5

SHA512
c7a6c49f3961c0aa6cc2f98922791b7f04248182eca1ace7b66844dca9462fbad690fa01c8715caa209ea215a2775a905fe2b951b81ac17308c5b84b08e1e97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A8F.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
92618e720ce5b81118d766fdddce8d95

SHA1
b2d2bc6e07666552eda01f0bfb453c8e82041417

SHA256
b9cde37b1ea0c6fdaedc75f2641a1070c2880c55119ac73eeb7397068c7f476e

SHA512
a587d1b30c58bdda524ae5ce941de460a7489db09464ad38f82c8242b60066b23836c24c829f3fb7620e5e016b569db859edf3b363d02d2549662de9ae3bed80

Download Submit
\??\pipe\crashpad_2772_ZRIOUAZCUTTKOOJF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1648-275-0x0000000001020000-0x0000000001036000-memory.dmp

Filesize
88KB

Download
memory/2040-584-0x0000000001330000-0x0000000001346000-memory.dmp

Filesize
88KB

Download
memory/2176-36-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

Filesize
88KB

Download
memory/2516-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

Filesize
4KB

Download
memory/2516-30-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/2516-1-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/2516-32-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/2516-31-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

Filesize
4KB

Download
memory/2648-14-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2648-15-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/2852-6-0x0000000002E90000-0x0000000002F10000-memory.dmp

Filesize
512KB

Download
memory/2852-7-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2852-8-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download