stormkitty | hxxps://disk[.]yandex[.]ru/d/32mWEpqwMSyjAg

Analysis

max time kernel
85s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/32mWEpqwMSyjAg

Score

10^/10

stormkitty stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/4976-395-0x0000000000B50000-0x0000000000C7C000-memory.dmp	family_stormkitty

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
267	checkip.dyndns.org

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133354677069092474"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1896	chrome.exe
1896	chrome.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeDebugPrivilege	4976	Ä»Γ¿¼¿ºáµ¿∩ Windows.exe
Token: SeShutdownPrivilege	1896	chrome.exe
Token: SeCreatePagefilePrivilege	1896	chrome.exe
Token: SeShutdownPrivilege	1896	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1892	1896	chrome.exe	28
PID 1896 wrote to memory of 1892	1896	chrome.exe	28
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 3044	1896	chrome.exe	88
PID 1896 wrote to memory of 4600	1896	chrome.exe	89
PID 1896 wrote to memory of 4600	1896	chrome.exe	89
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90
PID 1896 wrote to memory of 4808	1896	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://disk.yandex.ru/d/32mWEpqwMSyjAg
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8be6b9758,0x7ff8be6b9768,0x7ff8be6b9778
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1868,i,12103455376786394581,1851535022669265737,131072 /prefetch:2
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1868,i,12103455376786394581,1851535022669265737,131072 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1868,i,12103455376786394581,1851535022669265737,131072 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2812 --field-trial-handle=1868,i,12103455376786394581,1851535022669265737,131072 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2820 --field-trial-handle=1868,i,12103455376786394581,1851535022669265737,131072 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4760 --field-trial-handle=1868,i,12103455376786394581,1851535022669265737,131072 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 --field-trial-handle=1868,i,12103455376786394581,1851535022669265737,131072 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 --field-trial-handle=1868,i,12103455376786394581,1851535022669265737,131072 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1868,i,12103455376786394581,1851535022669265737,131072 /prefetch:8
  2⤵
  PID:3652

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4736

C:\Users\Admin\Downloads\Windows\Windows\Ä»Γ¿¼¿ºáµ¿∩ Windows.exe
"C:\Users\Admin\Downloads\Windows\Windows\Ä»Γ¿¼¿ºáµ¿∩ Windows.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4976
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  PID:2236
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1060
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    PID:1844
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:3700
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
  2⤵
  PID:392
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4008
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile name=65001 key=clear
    3⤵
    PID:3428
- - C:\Windows\system32\findstr.exe
    findstr Key
    3⤵
    PID:4592

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
11a45d63e6f62ae61dda65d2ac3f2589

SHA1
d6c010476cc53becde96e3c69a5552d031764558

SHA256
5b5b7df7633492a3272cdc976999d951c54cee16a884abda63539d085af137f8

SHA512
3c3311452e89d325b12e5272e858e1b106b3602e4729989e7b3e845c191ad3fdbe210f04f2a57829f266fc22e0d7c72fb0ad5ee67fcab64efa868c9cf1dc485c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
290B

MD5
fb9f8338c63fe52f48b078ac3690b8cc

SHA1
adf3e3a1e575ee1759649a8bf013efd795f0087d

SHA256
eb72fc5c452966247cb552f001797ff5c87508048a3059e185ed77efd846b170

SHA512
01ce629c725fa78bf13781596795aa83b120b5a06b48614ab13bf26aeb24b3e8fb1ed97d8209e319a93c6090038ff0b0f129b1f1feac76eb721ba43de0b9f09a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
290B

MD5
b868eb6179667f62e7d73dba006771c1

SHA1
f33b5ba2a9ed68d74204d38f31fba63d4ef83609

SHA256
fac4af73cc8239049ef7481499d7aadd1166f29ffa0f574d3bd54c61e03cfec4

SHA512
12664cc514f202371fdcb6ca5d4a35622cec741abdf7da4be8b2ff196555cb8f355a9b0334de54dc414183a5becf058523609b6293ef841582d0f091a9c5ccf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
2ca725de58d616f5650d60ca16006de5

SHA1
6090cb743302808b5d23ea905e34f7587f977135

SHA256
7a1413f993551a46f86937d45aab8e67b1479ab28327ae74821c156b608cdd1f

SHA512
fdf5bde87eef88f4dfdab5e01da73979e1b82bfd1d790406d9e0bd32f0af39945296ec3001dade3d163ec7393291033864f8c5c9cf50e9bb8d29fd28ab191a9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
58KB

MD5
62fbd3edaca201c0ab8e94e74b049437

SHA1
4be5c20507706717e920ef87771b7a16eb879e9a

SHA256
e65dd3210be4f8ceef24ae0056876c831e31f6b265a9402690a90237fc395660

SHA512
daaafe5f2389c813b5391eda5e3e9f95bdf11c4c63067c248319d79d2efd14ca64d578986b5a23ecd4056c6ec52fbc21d7d4015a3a9878df0e0e9198b6c33a7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
c00e9f3bfcc3aabfb744834d364e304d

SHA1
2e58fa07ba6cf0f3a1f549cdf16e48eb81f90487

SHA256
500986e189f7b860330613d64700f226f2ac9b2fed8c5824477d6cc8b7bfb8bb

SHA512
c40cb7c5165dfa61ce84745de2cb67fd2ff6f8e8c9fdbae6f6d9d9cdceb25a87eb30d811e0d8a0c9405e7f087f190c97bd3a910c2d8306b329f5bcf93b442368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
490881d8dc4fad6957415b852580b1f5

SHA1
67496a4c4c3867f9b3dde05e0c7e73031c3632dd

SHA256
cbc4a5c60d080a44a8f7788c0be47c1575d8885b78b88de08b8cf66d7af4f0b1

SHA512
97695b6df7f79c34b9ec55cdd4f1be28a64993520a4627e466e3e8c36b437f26e649e2087d0ff3f416477d2cdc6111a2655deeef39e29f3f12e2adf6dc9238f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9b5f3e7b4a850b7e12255e86c749d9b7

SHA1
7d3a7470d71663ec627650e9999d14fe9f976fc0

SHA256
2b6bae73050eaa62ae7ff472bd5d66dfbc85b5189023921f4b73579323a0d846

SHA512
84b5479c81d1aae6f4a1d8cea1dc93d4e5325c0f0d4db2ca10e5755753a447c8ce05aea8cd4c8694522145c698dd2e18b14909352058d7069c5f6c63ad372eb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
45bb02ec2a2e255db9cd6697fdaf0519

SHA1
5c0f851de15db2e30447d05909f5d302e9754f9b

SHA256
0807e216a3cc3332cda626b90c70bbeddcf1fd8ee772ddd1e9784f37da71717b

SHA512
e53e266317b4d058ab7ffa40e6e8301b025a5928826364fb770f53d5c7f6e9d34f00de72337bfa01cada85eb711f427165284edf307af9680e30a16aa7ffae26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
7dbdbf8632cf7760649640934eae5832

SHA1
54cecd68c773ad16120f466689a73fbaeac83e22

SHA256
f0b26d288f14291f2b52faac089d1c7a6ae9a0fc5497cf959ec3c0a801bb0cc7

SHA512
3b094c312982476e673ff1aa99f5033ee3516b3238025b6879453091e172b73b02e9b4459d9a6b75f51f55d0e73298793f7deabad719a0d476f225d72cff4cde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8e65ce8b6169a78b231788f487dcbc1f

SHA1
11cf5558010f022eb75720627b224278afcb26ed

SHA256
e1b16e50d0dce9551cb2c44b106ebb5211551250b7acb5906daae4d4a613946a

SHA512
402331d2284b99cc19144b1c8bdbf57b172dab3299379fb6f4b88e7eb5c7198616cd4599b00d1331778814c50702b7b878ebc326c003c503b473866f49d5f597

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
00470ea3611ad0f1505eb4a5315706c2

SHA1
03c7c9b41a88abf9361316f77b466320fec9c54b

SHA256
aaf3ee44d711fd42b14382353cec5d3487a41dfe8aeff5c01ac375e69b07237d

SHA512
0241e6b656b28a76ed49718a712dcfe05dd6636cce0519dcdd70dce698bb657b4aa95f23cc9a8dccfcb54ef085512947a96abd9afd9521ff38830ff199a9680c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwords.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\Downloads\Windows.zip.crdownload

Filesize
5.1MB

MD5
e9b41c6a93437493e973efb0086d2ba6

SHA1
edd61e6f780b090ba655ab5169b9e2f1526ecc76

SHA256
6afa85b07a6613072408480b351eb900d4ac38ba3e3881ae96c66c004fe7ad4c

SHA512
95de21f0a0f7a31bce279be241bbc9e807e0ddbca9933bce133fba9d69ab95d9cad5ff7d0089e26fe4299a1abae9b94028631fee9f3a2999b94a97c451a333bb

Download Submit
memory/4252-427-0x000002003C670000-0x000002003C671000-memory.dmp

Filesize
4KB

Download
memory/4252-430-0x000002003C670000-0x000002003C671000-memory.dmp

Filesize
4KB

Download
memory/4252-433-0x000002003C670000-0x000002003C671000-memory.dmp

Filesize
4KB

Download
memory/4252-421-0x000002003C670000-0x000002003C671000-memory.dmp

Filesize
4KB

Download
memory/4252-422-0x000002003C670000-0x000002003C671000-memory.dmp

Filesize
4KB

Download
memory/4252-423-0x000002003C670000-0x000002003C671000-memory.dmp

Filesize
4KB

Download
memory/4252-428-0x000002003C670000-0x000002003C671000-memory.dmp

Filesize
4KB

Download
memory/4252-432-0x000002003C670000-0x000002003C671000-memory.dmp

Filesize
4KB

Download
memory/4252-429-0x000002003C670000-0x000002003C671000-memory.dmp

Filesize
4KB

Download
memory/4252-431-0x000002003C670000-0x000002003C671000-memory.dmp

Filesize
4KB

Download
memory/4976-408-0x00007FF8AAA90000-0x00007FF8AB551000-memory.dmp

Filesize
10.8MB

Download
memory/4976-407-0x000000001BD40000-0x000000001BD5A000-memory.dmp

Filesize
104KB

Download
memory/4976-418-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/4976-397-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/4976-396-0x00007FF8AAA90000-0x00007FF8AB551000-memory.dmp

Filesize
10.8MB

Download
memory/4976-454-0x000000001BC70000-0x000000001BC82000-memory.dmp

Filesize
72KB

Download
memory/4976-455-0x000000001C7A0000-0x000000001C7DC000-memory.dmp

Filesize
240KB

Download
memory/4976-457-0x00007FF8AAA90000-0x00007FF8AB551000-memory.dmp

Filesize
10.8MB

Download
memory/4976-395-0x0000000000B50000-0x0000000000C7C000-memory.dmp

Filesize
1.2MB

Download