vjw0rm | hxxps://schuiframenrenovatie[.]nl/wp-includes/images/css/download[.]php

Analysis

max time kernel
201s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2023 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://schuiframenrenovatie.nl/wp-includes/images/css/download.php

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

http://severdops.ddns.net:5050

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
73	4156	WScript.exe
75	1584	WScript.exe
79	4156	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2RJZ4PQJPY = "\"C:\\Users\\Admin\\AppData\\Roaming\\New Order.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2RJZ4PQJPY = "\"C:\\Users\\Admin\\AppData\\Roaming\\New Order.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3704	schtasks.exe
4044	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133402894263195673"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3272	chrome.exe
3272	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3272	chrome.exe
3272	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 2108	3272	chrome.exe	86
PID 3272 wrote to memory of 2108	3272	chrome.exe	86
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2268	3272	chrome.exe	88
PID 3272 wrote to memory of 2380	3272	chrome.exe	89
PID 3272 wrote to memory of 2380	3272	chrome.exe	89
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90
PID 3272 wrote to memory of 4616	3272	chrome.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://schuiframenrenovatie.nl/wp-includes/images/css/download.php
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb77299758,0x7ffb77299768,0x7ffb77299778
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1112,i,5037829412702104306,5266441298391738285,131072 /prefetch:2
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1112,i,5037829412702104306,5266441298391738285,131072 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1112,i,5037829412702104306,5266441298391738285,131072 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1112,i,5037829412702104306,5266441298391738285,131072 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1112,i,5037829412702104306,5266441298391738285,131072 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=1112,i,5037829412702104306,5266441298391738285,131072 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 --field-trial-handle=1112,i,5037829412702104306,5266441298391738285,131072 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1112,i,5037829412702104306,5266441298391738285,131072 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 --field-trial-handle=1112,i,5037829412702104306,5266441298391738285,131072 /prefetch:8
  2⤵
  PID:5004
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\New Order.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  PID:4156
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\New Order.js
    3⤵
    - Creates scheduled task(s)
    PID:3704

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\New Order.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
PID:1584
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\New Order.js
  2⤵
  - Creates scheduled task(s)
  PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8f41a157-ee60-441a-9e2d-6154cee8720d.tmp

Filesize
5KB

MD5
0e25aa436f3c3c8e468c0761a6e8dedd

SHA1
f3d2a7829c3f6ecac3c3f22bde45d6cabc7d1097

SHA256
12f10f9535489460612c09241776c673ae828923fbbfc9072e08336d6adcb21a

SHA512
266010c91ef591691eb7f25e97506282e9a10f6635f27ed529a58ead6bb5f323ce06f4707b7fc6bb7ad08399ccaf393281c67c82c70a618fb0b93d5577996df6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b6ce60d508a59da7585cfcb4cf52f90e

SHA1
b5b2a82cbbb97a9da17c120d3b24e0fb30e44b04

SHA256
5479ff6688284acdf2058925c2ffdebc8fada9ed1ce58e8ac31f66b6b79603e4

SHA512
7fbe1952c437332faaadf7fbe64e0533029d0f8adc6da46bcd54c2f92eec7058762fbe048f963f761fd70ee8e3b20806073758bee032cbde5e35489d5b53d69a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c0a698cbf89e2ec474e6b4f564f458b8

SHA1
0d078786b1adbd25f3fb3b80e1b316aa98db2160

SHA256
4d4235d3534b5d331c71994b1858e8b9ca0743930b4b6584b828fb22c152941c

SHA512
19a21060d76805a30c719dbf30195a6ec41d868e347de52916e53fb599b4ad5dc27de82926a7718a2af733b6e67c47d97aac8165ebc995d1d1e55564f7a986d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
08d8f2f44c81d8bf9466a3f71db426c3

SHA1
d30784f4aadd8b250747072ae3b17f5f359c1228

SHA256
99355cdf80471d99b09ec495f606e344ef74e1f51ed9151382d64dc21021d4d5

SHA512
c8532d8f85940de4fb39f48b3cffd48daea970ac999d0e39f166c82bb218e93ba6d3328ce4ba31fce40f21b379b120877499751ac200343570ade59d2b803843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e62e6e25bd7d8d97690b65c164dcb839

SHA1
c3e91d033783062d8e16ab7259150b55b6dae250

SHA256
8f80af660a27f4a0ff46ec03c8f1ca0a10f24d2ed091062cd43962e3922a9796

SHA512
3fb44a256d4b9833cd7895866807164dac7a318e77be33549233b44dc1e6b3ac0dd3e459e4775e2a2003fd96ea043055bd331b5177d1cd43cde955408adeebce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
538a3097c381df82bae67bcaa7b95810

SHA1
a118ef48a5b6442a7852ecd056265febed1b1b74

SHA256
233286d2be674b72ad1a21e35f1fcd1163f0fb4493e7a0c8a8a27dea387e62bd

SHA512
ac7ccc49fee5b1b0018cb299ad1005b9ab0b62941fff3792210c9d576caa345acec76cc398637cda677334687b6e715125422cb2891dfc083fa24a423cd995c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
71e7fb7479f099ef80ece2f783ced91f

SHA1
b3034a1ae3c10871f86d6a7f7859c0d5936ce785

SHA256
fed8e405326391694ce50e209b87d100ae9dc4f898634ba1ce5d7fd17428b08d

SHA512
8de24062daa8bff7b1ccfe02bf65b4cb9febabac1ef13ac9508cc6736c0e587eb7a6e43149b27c44f03632c915b20a59cdfb111da45841a1463154e6cb68c53c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
dc618bc63aa4ede65075f8620ae2e3b3

SHA1
1ee63e015da02a432b082cc91fc603f3f56bda19

SHA256
9eb3cf3e8c96a0e65ad5514053d4b1c85fcaae2eb5f6366759eb0598bcc64831

SHA512
415d40c1b1816d69c73043d65d6aaa952e28f935e642866eed9873ebb68266dfa6b9cc92278c348cd3e8a3087dafb3cec665404d6b63c7e7b1b1af2c8d81e0c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
0a38e2be398fd355482667382a5d2f8e

SHA1
3587ceab33f0a08475f0929d7ca67804c9859312

SHA256
0f12d86248a75aca2c7703f70118e3d3424dec49cb5242b3f8fb5475bc9de41e

SHA512
60c2da1a785ab5785bb3fd4bda2ed8e029d2ea24a82c29d2ed3c76b91dec798bc7db305d60473b6d66915502bf966d74bc6500d38cc9aea3239dea78d764ab50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58be98.TMP

Filesize
107KB

MD5
3352bf3e108402c4a20483d689e777d5

SHA1
4aae2124b286fddf93a80a4a8d6c5bd5bb30bf00

SHA256
b3d5d3e5fde3d4d7647f9ebc901c043e25ff58a692c43158c4603f9d334961cd

SHA512
8cc2af9b878789e502bb33d24b14828b9a92e9ec4fc5b31a0503d0d2aaaff266d48ec8b5838e3b43fb8cb292af99d123ae563882073ca7e7d545fb3f00506f52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
9f07e3ba07d0d9a2ed9b36c1fb3cbd54

SHA1
b7181a7296aed0fc689a5ec475f799a1efd28a2e

SHA256
efad0c7efba0f244c723ff4a80decd4a28096a2900e209813ca67eb5b1fa5f6b

SHA512
109a6a687ef3dd8c0a33333a6b4e332e05805aecfded2d800aaaa8a1af949b8fbe49ad48e74e2afa9db27c6824871828ae5307db625ec012a7d870c2d722c79f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Order.js

Filesize
24KB

MD5
f054e5f62da93e9c92d200f9b6b8f9b7

SHA1
b1a1ace9cc2980de840c5b693914f804d8c931bb

SHA256
1f3b7ff4328eebc57d61fb3ec57373b23c2c3789873b44019a480f230b424a68

SHA512
2ecfed38715085997304cb5cee2aa60909e7475f68be7612c4c4c55521a8c6b272bf3432151737651780477eb7575aee14cb0fe26632f5c1f3ce9b32ddf66357

Download Submit
C:\Users\Admin\AppData\Roaming\New Order.js

Filesize
24KB

MD5
f054e5f62da93e9c92d200f9b6b8f9b7

SHA1
b1a1ace9cc2980de840c5b693914f804d8c931bb

SHA256
1f3b7ff4328eebc57d61fb3ec57373b23c2c3789873b44019a480f230b424a68

SHA512
2ecfed38715085997304cb5cee2aa60909e7475f68be7612c4c4c55521a8c6b272bf3432151737651780477eb7575aee14cb0fe26632f5c1f3ce9b32ddf66357

Download Submit
C:\Users\Admin\Downloads\New Order.js

Filesize
24KB

MD5
f054e5f62da93e9c92d200f9b6b8f9b7

SHA1
b1a1ace9cc2980de840c5b693914f804d8c931bb

SHA256
1f3b7ff4328eebc57d61fb3ec57373b23c2c3789873b44019a480f230b424a68

SHA512
2ecfed38715085997304cb5cee2aa60909e7475f68be7612c4c4c55521a8c6b272bf3432151737651780477eb7575aee14cb0fe26632f5c1f3ce9b32ddf66357

Download Submit
C:\Users\Admin\Downloads\New Order.js

Filesize
24KB

MD5
f054e5f62da93e9c92d200f9b6b8f9b7

SHA1
b1a1ace9cc2980de840c5b693914f804d8c931bb

SHA256
1f3b7ff4328eebc57d61fb3ec57373b23c2c3789873b44019a480f230b424a68

SHA512
2ecfed38715085997304cb5cee2aa60909e7475f68be7612c4c4c55521a8c6b272bf3432151737651780477eb7575aee14cb0fe26632f5c1f3ce9b32ddf66357

Download Submit