zgrat | 67b12ce7540c0d01a9ff199865acab6b5643aa68ec1bdd30c0a8c78809a1ecc0

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bac1ed7db4d2fac01049a0047f73afb9.exe
Size

1.4MB
MD5

bac1ed7db4d2fac01049a0047f73afb9
SHA1

0bdb67928e2ab54ba58b333fb99041b54ef8bfe2
SHA256

67b12ce7540c0d01a9ff199865acab6b5643aa68ec1bdd30c0a8c78809a1ecc0
SHA512

12dfe3ade697242734e0b3db702410f3b840af7f7c31e6eb9c532f479944804fbd825635e11eaf359071451d4b28619803eaad6910f349f0170e18ac6b75b743
SSDEEP

24576:gMw7DAUDbPcfE6ZmAvDxzdK5q8cIqtxAG7lue5WwPEDH56ZlCj2fQAes3sZUYOy1:gMwDnkc6MKpdK5Ldqtj7lueo90ZlU2fe

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/1184-94-0x0000000005760000-0x000000000583C000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-95-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-102-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-154-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-156-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-152-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-148-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-146-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-144-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-142-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-140-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-138-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-137-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-132-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-130-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-128-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-126-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-124-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-122-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-118-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-116-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-114-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-112-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-110-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-108-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-106-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-100-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-98-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-96-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-150-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-134-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-120-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1
behavioral2/memory/1184-105-0x0000000005760000-0x0000000005837000-memory.dmp	family_zgrat_v1

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 4940 created 3164	4940	Alumni.pif	56
PID 4940 created 3164	4940	Alumni.pif	56
PID 4940 created 3164	4940	Alumni.pif	56

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	bac1ed7db4d2fac01049a0047f73afb9.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCoderR.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCoderR.url	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
4940	Alumni.pif
688	RegAsm.exe
1184	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4020	tasklist.exe
3772	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
384	PING.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	tasklist.exe
Token: SeDebugPrivilege	3772	tasklist.exe
Token: SeDebugPrivilege	1184	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4940	Alumni.pif
4940	Alumni.pif
4940	Alumni.pif

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 2168	3108	bac1ed7db4d2fac01049a0047f73afb9.exe	95
PID 3108 wrote to memory of 2168	3108	bac1ed7db4d2fac01049a0047f73afb9.exe	95
PID 3108 wrote to memory of 2168	3108	bac1ed7db4d2fac01049a0047f73afb9.exe	95
PID 2168 wrote to memory of 4020	2168	cmd.exe	97
PID 2168 wrote to memory of 4020	2168	cmd.exe	97
PID 2168 wrote to memory of 4020	2168	cmd.exe	97
PID 2168 wrote to memory of 2448	2168	cmd.exe	98
PID 2168 wrote to memory of 2448	2168	cmd.exe	98
PID 2168 wrote to memory of 2448	2168	cmd.exe	98
PID 2168 wrote to memory of 3772	2168	cmd.exe	100
PID 2168 wrote to memory of 3772	2168	cmd.exe	100
PID 2168 wrote to memory of 3772	2168	cmd.exe	100
PID 2168 wrote to memory of 4328	2168	cmd.exe	101
PID 2168 wrote to memory of 4328	2168	cmd.exe	101
PID 2168 wrote to memory of 4328	2168	cmd.exe	101
PID 2168 wrote to memory of 3964	2168	cmd.exe	102
PID 2168 wrote to memory of 3964	2168	cmd.exe	102
PID 2168 wrote to memory of 3964	2168	cmd.exe	102
PID 2168 wrote to memory of 2104	2168	cmd.exe	103
PID 2168 wrote to memory of 2104	2168	cmd.exe	103
PID 2168 wrote to memory of 2104	2168	cmd.exe	103
PID 2168 wrote to memory of 3980	2168	cmd.exe	104
PID 2168 wrote to memory of 3980	2168	cmd.exe	104
PID 2168 wrote to memory of 3980	2168	cmd.exe	104
PID 2168 wrote to memory of 4940	2168	cmd.exe	105
PID 2168 wrote to memory of 4940	2168	cmd.exe	105
PID 2168 wrote to memory of 4940	2168	cmd.exe	105
PID 2168 wrote to memory of 384	2168	cmd.exe	106
PID 2168 wrote to memory of 384	2168	cmd.exe	106
PID 2168 wrote to memory of 384	2168	cmd.exe	106
PID 4940 wrote to memory of 1108	4940	Alumni.pif	109
PID 4940 wrote to memory of 1108	4940	Alumni.pif	109
PID 4940 wrote to memory of 1108	4940	Alumni.pif	109
PID 4940 wrote to memory of 688	4940	Alumni.pif	115
PID 4940 wrote to memory of 688	4940	Alumni.pif	115
PID 4940 wrote to memory of 688	4940	Alumni.pif	115
PID 4940 wrote to memory of 1184	4940	Alumni.pif	116
PID 4940 wrote to memory of 1184	4940	Alumni.pif	116
PID 4940 wrote to memory of 1184	4940	Alumni.pif	116
PID 4940 wrote to memory of 1184	4940	Alumni.pif	116
PID 4940 wrote to memory of 1184	4940	Alumni.pif	116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3164
- C:\Users\Admin\AppData\Local\Temp\bac1ed7db4d2fac01049a0047f73afb9.exe
  "C:\Users\Admin\AppData\Local\Temp\bac1ed7db4d2fac01049a0047f73afb9.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Scholar Scholar.cmd & Scholar.cmd & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4020
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3772
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:4328
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 55320285
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "NovNoneIllustrationsMagic" Dispatched
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Mode + Lesser + Describes + Gc + Cache + Harper + Lu + Additional + Shadow 55320285\O
      4⤵
      PID:3980
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55320285\Alumni.pif
      55320285\Alumni.pif 55320285\O
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4940
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:384
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCoderR.url" & echo URL="C:\Users\Admin\AppData\Local\CodeInnovate Technologies Co\InnoCoderR.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCoderR.url" & exit
  2⤵
  - Drops startup file
  PID:1108
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55320285\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55320285\RegAsm.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55320285\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55320285\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4168 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55320285\Alumni.pif

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55320285\O

Filesize
868KB

MD5
6a21cde3a01f038be34abec9621d51d4

SHA1
72aebf5176eb3783acf4a24ade5f3a711c89d861

SHA256
d7239d262dd48e78d6d193cb3f00f029292867c6a2460cda1156ca50359b040c

SHA512
52cbd27d5575edd97c91a5d2c1981995267a27d011ae4e030f94fdcd07edc0a0ab368f59c2dd1297c68cdf4fd24a2e2ea469f7411caf1e151b24a600aabede1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55320285\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Additional

Filesize
57KB

MD5
b98c209e475ad0627b395fb2b61311e6

SHA1
7636d29ca927763d888a23b00ec7e4d6a1c0f0bf

SHA256
6f73b8f3f80598c3c3cf7e7839f5f89fe32c0b5d5260b363381d9b8096144f80

SHA512
55f087aba705f35eaec1bc13f028a5bced635dfec79655025c0ca66a124989c381b8992d0868447865c9f56f13627aac3c1e1bdf844414b5c4bd2c53088a47a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Blogger

Filesize
61KB

MD5
5c06e20ff224701065793d369596a500

SHA1
b414b74c2669439d6539603acb94d9e5dba14efd

SHA256
f430e04071ba26dbfc204c40b352c35f37e972b9ca275ae0a9882400bd72fa6d

SHA512
09c570ca8323fc2a68aeffd4cf66d0ddd05e944e72d0282effb54eb9ac513c606027e7571b05801f6d07564e962304f01164d9957277664d3b4ec23b35332120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cache

Filesize
166KB

MD5
12c280e1ae841ea9f2c3df30b6a22625

SHA1
8afc97c261f7e7c1c6ab30ac1dd4a32ae03d95f8

SHA256
84db2a0379608e079f3bce64853bbacb453b4a926fedb8ee878b55d5defdf00f

SHA512
9253183f7d6969d683aa1b916d577280db4788ea214398b8f3c4e6c12816ce74fc6262fc74e77c685432eec140314cc1855f8423a54000830512b44c42f376ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Canada

Filesize
39KB

MD5
1c787d2fbb073902e745ebe059a90c18

SHA1
2da707a960fb61fbdcb17ea61e7445134d4d99d2

SHA256
5ae0e8743b15a03533542178dae7c6404f6efcf9c703d7193229c4231ae7be89

SHA512
40ddf0f34089f66a7ffaee5f0721c040bc226b4a92e4bf1cef0e3d664915f6d109caefa3e8e80f7704c9dedef7a93831a5375c0abde7d29d6d2d8589002bb8e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cape

Filesize
54KB

MD5
815ef1dd16aba96e0cb27ea4775ea42a

SHA1
b9705b76b8062960f0d4d7a829c94bc0abb7800d

SHA256
5e076e4690e5acf57d06e6a418a7c6c5a78ff2c04183f3569831efc41d07162c

SHA512
c4a25a1d9956ab733fe1c60959cd7fb768fd7bbd2ce0cfb343bf77dfad103fbe4135e66794fea4d5bf172768657a68775646597054cd8b585b69861e17f4f297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Catch

Filesize
26KB

MD5
8b77d16f494c3f0fde335d80ce9b37dc

SHA1
2dabb7627d96e1d92b89413de4cecb000817b606

SHA256
71df6a7d1e225cf788eba25f5f7375bc6692dc5c2d41be0b37b3eaa1a6d3d4e1

SHA512
7e07cd0e1da8d1796a1c5b407c3494918566114b84efc2305aa06f963eb99875e075b2ddf960e7183287625be8e1b566bbd4c38e6445b298759ccc0d7b25a939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Certificate

Filesize
28KB

MD5
f5a42f17f1bdd6ff8c4ad3cf30aa2dba

SHA1
48e3625b05866473a6dc1442eca8830431d25274

SHA256
46e02695df9c5c38ae5d30e3e10f46870b1c952d006dbf4fa49fef656edfe275

SHA512
169d3c6075eaf796e4685359eac397141e9edb93a8a5532d28f655de3caf5d67f55fb64ea335054d26770f2667989ba3c1784c700430dcb8b0d91f02c4891e6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Coin

Filesize
17KB

MD5
79df886544bbf4227d37374ebf53973e

SHA1
625472b424f8bb03936e9380777555d73e74c6d7

SHA256
d4573d0f3886882dc4914472c3b2ec4dfa749c8cc442026b0f8675ffbca13fc4

SHA512
544ab0a5c52898c01a188d8de7a4d3ea19428935c0333aa2ee8ee40e7daa29bc437d83930b0005f957bbb35782a13d0aa1dcf54c93400b06a702d40461e6c384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Describes

Filesize
51KB

MD5
1f11352f160ce40e13bbb6f161f18368

SHA1
26e4750f07db95e15c76a3072d992a759e83484c

SHA256
937880c128f9ea2b3019c5f0d859e3b69141727b71ecbcb623a510b83a425493

SHA512
31f850f51f29ab1ef224f9a44fe9d6a68abfd7a7bc7709fa7be95f921d9a09f7b6d708412790cbbacbb58e660eb0967070c73f76cd5054e34d1062331652af25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dispatched

Filesize
121B

MD5
d8e632e12ae4dd791db868a01b0517f5

SHA1
54105b6b3fb1ed62da791a84e2b25aabc4a64b69

SHA256
07fd916ba8aa2704314e347d53db829089b71517cfb5f5916bfd46a209557357

SHA512
ce1027a2732abd6d19f3c6de12cd0bc13a5105f87fde26c2dad8ad31d8b94d07bdffe22901c620e35e861ca8c88ea19fc4b5f617d7e77d675ff1d9ac51cc86b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dot

Filesize
50KB

MD5
7bdbd08262471edbabddbd3f0eb73727

SHA1
982f94b7bce42ec5e85dcd7eee54a84f71b1604a

SHA256
073d76d4c47b6ea7e91c637fa3dd79a5c1cffcf0c78b40524f1266e7825c5c32

SHA512
6dd1323456945dad835b91ab684044e6d54b507612136b38509e7e625e26307e28053572f9fee9f3db45f389161e016e3fd84081290cecbc8a8812e97554adbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Employees

Filesize
15KB

MD5
c8c58a153058966345433bbd8834dbda

SHA1
59a39d60f369fbfda6afed8d3b1fee21002001a8

SHA256
b6f76ac5bcb0f9dd126bc5baa15fcf5c09ae15a0b6b522dd9ab2b47bff0a3d0d

SHA512
f440fb4f1d62c5fd493528ae6739bbf35764c2c3c5a17582c69a28fcdccb2a0d80927bf6d1146547bb8a15a9c17a92e3ae7e19a22c279519d9361a32a2124154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Epa

Filesize
6KB

MD5
2e651ac65613cf88c69ace3b82e70666

SHA1
b7a971498fd5dc656986191ad99ed0282b97cabd

SHA256
07162ff4b08394818336d8d961a6318708b44485b8be3b544e9893765bec9588

SHA512
45ae03751ae5cce0adcf08085d9e67f7a61e8e9b1c78b2bee0fc49bd7905d535b153445f27075006df346fe6ff6a55db1426c746f207b3039e260f17f037b9b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Floor

Filesize
25KB

MD5
43420f6939b84c6f76d2ad347a322c6f

SHA1
fe4eca01368092a7b3727bb665dc64f6ba4d88dc

SHA256
9a5bd3b4dfb13e218e529dc54a1168a9fb509134c7d6f8628e3c7e9a1c1fb240

SHA512
6e7f287c343bc85c7adce9dc8092a8c0e89e3f0c0b51f5d2e852f7cc8faaaa42e91a5fed66bc561c67e3b0d4f467aaf3cffc508bcfcea705345a9833522977b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Gc

Filesize
56KB

MD5
c172fc0560e459df0e51f3be3f2afb15

SHA1
445a0dcf755f7a6dc7a857b3ecfac9bb80f51270

SHA256
e17006d0b79f95a22740b81ac68adc457cc166fc70dfd9f9053c518a5b9ba3c4

SHA512
93f87e6feb38e42921bce454d0f77c6366c4a8a5c297d5d512a7926502d2c84258257eabf16bb364d1eadc3d80ad2e076491a7dc1ad2730d8713fdc17196d550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Guidelines

Filesize
18KB

MD5
cf4da56640c302245b627fada062aac5

SHA1
01c181e566ad378261c35e970555e863f9f4359b

SHA256
ffc0c5d2817dcb88c5f4bb0a1bc58f4edd543902ece3edc00741122f8cc00478

SHA512
4645b62bdf46a0a9f6bd1fc988a5e94498f5442a81ca9a62fe6dcb9a13ea4eece9fe4ccd9e522d58bf8650e24785c21c444b6a5584d940e8f987f8bbb262b096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Harper

Filesize
99KB

MD5
9a89c70c2adb33456546941d2b676c04

SHA1
6b64ec2213200da0001fc709330e5f94ecac39f2

SHA256
86443249ceec930922dcc960d222881ba6869137f69a383d071078fc323e46ac

SHA512
0f00184dcd6b4d98a810a3bb12f0a1c322b162bd78d51961c69b5123ad7d443707e5a5a68a29d26ee8da54fef277277455b5696cc6705511f30e08e4879b7eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hobbies

Filesize
21KB

MD5
9f1109dec39f80be3ba56bf1beaea61e

SHA1
e64d621962e47b345ede487f770cd6227ce78a23

SHA256
d2c251b8904efb517c0fb9e4f364488cb3b05617ca9263849fa929dceba2fd47

SHA512
ca353c8b6369ab1d3bfe2c7a4eb0a8b9bf3d9f5fce3d64f26a0c81b25d244b6bc9fe5ea539e39ee265e5d453c7a04d9645d5f7b9a812c899e348c3b7a1f4522f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lanka

Filesize
67KB

MD5
af2577c5738ab37f832ba7360f1833f4

SHA1
7a6d1416719ce9283886bd2b059040e9a72cf7e7

SHA256
1cab59b087c5e273385a1e3bda5433c3c2cb9454d8e056c9a95471725c005629

SHA512
8bfd12a5fa139aa5bf00172d3259c74d3e3b63d20cfe2a9ac66bb93ce1baf3d2e230d0d72c649fe7a863bb52a31628b62e3e3f9adcd5b715f817e405fbdd9ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lesser

Filesize
64KB

MD5
de922d91be163046b0fe69c0a381c8f2

SHA1
e6b9b56fe7e1cabb0afb18192ca4edce5c5b9db3

SHA256
4231fd0e1b00036fad40b781886609a20d499ac17d2fcb619e0e0dab047080b7

SHA512
69e08833f3f09ada23b9c7b104aac71562d2f82608691d3763d73228314dfb7fe793d738e01c74016f29bd7d1a269ae8f175d7f636b09d52632185320e4409f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lu

Filesize
178KB

MD5
64bbf1fac885227bdde9bcb0dd2ecc19

SHA1
fa5a013fe40c271620ae70bb53d0d47e4f7d7bf5

SHA256
6437e47907dbe626a2d81f1ac004b177ce028817d2ce48eb99dbc32e259edd0d

SHA512
2b01ef544963988b08f596a2f97eb5c8efa62edc20ca1867b68ecfc5f1d3ac33f8f911059268d88698ece20129f3abd1f2b37ac8a659d4a29b683da45be8a082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Michael

Filesize
28KB

MD5
f0cf7fa76853ac271b2959f9e353daca

SHA1
92ec9e6b586ba21dd694382055bd687974ff48da

SHA256
10de1629c245abed078223cc03a6eb662401c61cf45c897f365bda147433c951

SHA512
c89117498dc7a5d84fea1671e4160e3866a3cad2c7b182c7635c0457b6ecf935f545fb205f75fb824ead65d213726ba5a8205455f644fd5eba5cb18b47eb90b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mode

Filesize
177KB

MD5
ed447bec431e66732b4ed2fc148e65c1

SHA1
38c6c0f6ed6ff0325f88f5ca187ea499ae0ee29a

SHA256
f7ca237ab4a0516ca4a0e5f00442d03aa096cdec4acba25ad8ccbbec1374ddae

SHA512
396d7201f16816c54063066cb8f9f3098ff6e9146f0e4cbfea174a906724b230afdb41e53618d9a2d299182d737c036afda64497caf2bd7172ef51cbe7f6e024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Orchestra

Filesize
20KB

MD5
9bb0f29863b86089239e501203507d0e

SHA1
5f283a2a1d52b398f6654047fdd490ab9b898be0

SHA256
18bbfdc7c168bc75919682d522a915d6effd7260209afb4e86a912440aac7e57

SHA512
903d0d583e15c171c2ceb965effe20f1242fe101ab1457c3de2a6816558d3e5222e921fc33b288ee1178a5d31c84e0c270893e0856fb0df066d59099011468ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Peoples

Filesize
39KB

MD5
46d71f4c064c177c07c8e8e585c55a7c

SHA1
03f4ec1e0585ab5a98af2949dcbb5aa722fb1a1a

SHA256
5074a75b259058cc88230ee04140589aad77520806c9e914a629c19f6cff8a59

SHA512
f6409c84469a1b9e4298879236280b07507183d8b09b1fba672ca460df2b7fe67203deefba30fe7effbed852165a7eb391ebd98c3707c81fc7de5764970c5347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Probe

Filesize
54KB

MD5
a6b00e3d701465090e903ffcc41de406

SHA1
5390cc55284bb5faa7778ef0ec722b248f3d4540

SHA256
c1f0c9fabc479794618b364bdf1550bff24c948207caac8c325ec88490a46e86

SHA512
9d06dd08f00094f5afec55630d8d772961e8806bdcbb9a53e43cb3ceaa4bd426c6be6d122d31d4e90db9c80b482c0d43318a88c589e81a976e37bab4a951db4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Promising

Filesize
36KB

MD5
16b3fd60702b6c19f67160f9588d9dc2

SHA1
c1067e67b1c45713c62aca7109b4677e71e5a916

SHA256
1e3f63bc5e769b1df04e99d634222cf29dfc3461626bfa6084a8c790222e164b

SHA512
2272c44d8ed1696fffa3e9ae5f85f9307cd8ae6e7d4cd0c2786e245b98da7787aad29e49fb27a88104784ca8748de19bc45555c04b8a4fcd86b2c34e7e88e4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rays

Filesize
17KB

MD5
1578db7203861b774c7bf552c72cac52

SHA1
9af1c15db69040d2810e101041fdf73359f33477

SHA256
1843a38c83f0b3846aaa20dfb23fb9e03570ec349abaa3f749bb1fd9d4b8e40d

SHA512
1aad6c12f3f73634f8d290aae76262e558cff9c2002f34b9d243eafb3c2d7fe62d73f7c0471c79589f6b1de46190cb94f13bd6eb276d3835d37ba5f13c2e421d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Recreation

Filesize
43KB

MD5
d422851ff7d52c7149498c274efb713a

SHA1
e0e25c7580444d0cb744027f7d02c4af5c5321b3

SHA256
9f9e92ed6dc378e05f389b701ad7030b3b111326d9586836eeacb40f0b549ca7

SHA512
f6c6fbe394a59c07599d14f0c91512500f48ff631ff8a83ee9dc912b1c472bb0ee169d7193d7caf23a5ca2bd1b8215fb396f16f6559ed11c4841039ef1e547e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rick

Filesize
65KB

MD5
5a9406208357b524faa45ac96d97daa8

SHA1
c40f766cd152327fd38153c1c55f7c380fd2b8b7

SHA256
6302b0a1896a9ade578c2d952d62cde392e8b04a0801e62fda34ca17532184f9

SHA512
31472499ba7696e39f204e52c1f114cdc0994d8740585ebdd8453bfe18aaf356bd38e6cf5ea2adf5a141e45021ab8680c351d366b624747b9634aba4bbf952e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scholar

Filesize
5KB

MD5
b978309617b5d2658385bf60a722860e

SHA1
5d4e02b6374b8f0eaf5f765b6601972fc8a101a0

SHA256
17537eddeada5e5eb29a1d7c1d600bf72b305363e1c701fbbf0152ef2f021d49

SHA512
c89e52445dfe9135e6b757e6cd14fe3889f65a61ea3ae96b6af665dfebedc00fb9650f73768a17a0ab270a8d65a12608c27ba05cfbf11664fe77bf068bfdd6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Secretariat

Filesize
47KB

MD5
67e7e6db4f144ccb41efbb57d854a55f

SHA1
4e0a93165004c99ca9d6f59de222e43635d54df3

SHA256
45a36a92df2473bad17faa5ead418dc9e3c6dbc991168285358f5883c0ae079e

SHA512
23e3fefd7d510b15e08c9c103a08094a840b889c2675938ed2eabf419716cdce87fb4f1bcb0187c1469702e2b0652d043a26d520ffac8ec92cd7ceb11f560b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Shadow

Filesize
20KB

MD5
527cad6024261e4980a0fd32d2a53959

SHA1
ce08dc3ffe4000997e2a24285793a1eb9c6a0cd5

SHA256
b05ed8b65e9dbe5df4b2146f0a6bcf287dc40b2d087fbf7a1d0462d2af5dc67d

SHA512
042f9f681bdbec086c2b9b68ca26ecb7912b0a18d258d0e5c0d4013a83466e8773f493a0db199bb717c500fcf83b42f72363594a2729da50891e512c4c7d283a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Velocity

Filesize
11KB

MD5
ee1407046c23c9fee9f833717c36580d

SHA1
591c1781de9e1e83b8eb861cf05bb99dee04ff96

SHA256
274616c85107571f79b5c51e0d3a15fa37a5e63d5f9d19a6543727a72c8d0f1b

SHA512
8bf91808d51fd3b4a8a697f196daa28f37cd1835740a908d0cd4184d67af6e7d7d7820916034de69d163c2d3c95094d68c9e4ba8bf26079c2d1f55444e389b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Walter

Filesize
30KB

MD5
e54c3dcd68a6c61431ac21164413b986

SHA1
d65952ea80d7c03bb9918b8a60548deb4b81af37

SHA256
5f30e4007c43ef66e2e7d2479f10cdd2eb3116626f9a4fab2c48dd7e355ddd5b

SHA512
29ee861cb28f25496e93da760f337957312e1529f4bab8f8b6aac4044c4846183ac9c0f012f7d54d79c8173117c1497a29f22cc94edd4bb1cec170b96289c90e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Working

Filesize
55KB

MD5
05112f352c44a6691e83faba89540033

SHA1
852127bac18dbcdb1dc81ef2fb922bf4b7874227

SHA256
eb8d6b1af74350681b0f74e1cae2c815b5ad6c563303130f143f5cac62b3505d

SHA512
a569b34ccce9f6bfb6286f0e20473c45637d12c6954eb1b5cbed1cfe221b9b08784d6844787c37da0397114bb974e5d26e77d76e02cbcc89c850fa9c0ef0df7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Yoga

Filesize
52KB

MD5
2b7a6f016e28c251b640c04e3d5a5d3c

SHA1
d7ddaf88067eced4057aa0bcde0225f2de8732ec

SHA256
17d5a5011b46ef39531b8a91c36a39c251fee4c515fddffbef4f9744881618a6

SHA512
7dc011b503b30f8bc82f4ff4c541b0836e64bacf3559b6099fd6225790406ec7949dd23a935f92f2317e5f903c4bc06336b83701cf7e296cee75b2485df644a8

Download Submit
memory/1184-95-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-126-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-91-0x0000000001100000-0x0000000001174000-memory.dmp

Filesize
464KB

Download
memory/1184-102-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-154-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-156-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-152-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-148-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-146-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-144-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-142-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-140-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-138-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-137-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-132-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-130-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-128-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-94-0x0000000005760000-0x000000000583C000-memory.dmp

Filesize
880KB

Download
memory/1184-124-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-122-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-118-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-116-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-114-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-112-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-110-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-108-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-106-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-100-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-98-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-96-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-150-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-134-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-120-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-105-0x0000000005760000-0x0000000005837000-memory.dmp

Filesize
860KB

Download
memory/1184-6397-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download