Analysis Overview
SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
Threat Level: Known bad
The file [email protected] was found to be: Known bad.
Malicious Activity Summary
Troldesh, Shade, Encoder.858
UPX packed file
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-15 10:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-15 10:10
Reported
2024-07-15 10:16
Platform
win10v2004-20240709-en
Max time kernel
74s
Max time network
82s
Command Line
Signatures
Troldesh, Shade, Encoder.858
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 193.23.244.244:443 | | tcp |
| N/A | 127.0.0.1:63939 | | tcp |
| US | 8.8.8.8:53 | 244.244.23.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| N/A | 127.0.0.1:63965 | | tcp |
| US | 208.83.223.34:80 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/4056-1-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4056-0-0x0000000002340000-0x000000000240E000-memory.dmp
memory/4056-2-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4056-4-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4056-3-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4056-6-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4056-9-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4056-10-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4056-11-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4056-12-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4668-14-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4668-13-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4668-15-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4668-16-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4056-17-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4668-18-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/2704-22-0x000001F29F890000-0x000001F29F891000-memory.dmp
memory/2704-21-0x000001F29F890000-0x000001F29F891000-memory.dmp
memory/2704-23-0x000001F29F890000-0x000001F29F891000-memory.dmp
memory/2704-33-0x000001F29F890000-0x000001F29F891000-memory.dmp
memory/2704-32-0x000001F29F890000-0x000001F29F891000-memory.dmp
memory/2704-31-0x000001F29F890000-0x000001F29F891000-memory.dmp
memory/2704-30-0x000001F29F890000-0x000001F29F891000-memory.dmp
memory/2704-29-0x000001F29F890000-0x000001F29F891000-memory.dmp
memory/2704-28-0x000001F29F890000-0x000001F29F891000-memory.dmp
memory/2704-27-0x000001F29F890000-0x000001F29F891000-memory.dmp
C:\ProgramData\Windows\csrss.exe
| MD5 | 63210f8f1dde6c40a7f3643ccf0ff313 |
| SHA1 | 57edd72391d710d71bead504d44389d0462ccec9 |
| SHA256 | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f |
| SHA512 | 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11 |
memory/4056-35-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4056-38-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4056-39-0x0000000000400000-0x00000000005DE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-15 10:10
Reported
2024-07-15 10:17
Platform
win11-20240709-en
Max time kernel
64s
Max time network
55s
Command Line
Signatures
Troldesh, Shade, Encoder.858
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133655122419165120" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc4d8cc40,0x7fffc4d8cc4c,0x7fffc4d8cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1856 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2084 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2160 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3268 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3588,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4492 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4776 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4968 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4292,i,16873220921606128451,17574085711940951447,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4328 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| SG | 76.73.17.194:9090 | | tcp |
| N/A | 127.0.0.1:49744 | | tcp |
| US | 154.35.32.5:443 | | tcp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| GB | 172.217.169.78:443 | chrome.google.com | tcp |
| GB | 172.217.16.238:443 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | clients2.google.com | tcp |
| CA | 144.217.195.155:443 | stationplaylist.com | tcp |
| CA | 144.217.195.155:443 | stationplaylist.com | tcp |
| CA | 144.217.195.155:443 | stationplaylist.com | tcp |
| CA | 144.217.195.155:443 | stationplaylist.com | tcp |
| CA | 144.217.195.155:443 | stationplaylist.com | tcp |
| GB | 216.58.212.228:443 | photos1.blogger.com | tcp |
| GB | 216.58.212.228:443 | photos1.blogger.com | tcp |
| GB | 216.58.212.228:443 | photos1.blogger.com | tcp |
| GB | 216.58.212.228:443 | photos1.blogger.com | tcp |
| GB | 216.58.212.228:443 | photos1.blogger.com | tcp |
| GB | 216.58.212.228:443 | photos1.blogger.com | tcp |
| CA | 144.217.195.155:443 | stationplaylist.com | tcp |
| US | 104.236.14.237:443 | gostats.com | tcp |
| GB | 88.221.135.104:80 | apps.identrust.com | tcp |
| GB | 216.58.201.98:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 237.14.236.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.201.58.216.in-addr.arpa | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 172.217.16.227:443 | www.google.co.uk | tcp |
Files
memory/996-0-0x0000000002460000-0x000000000252E000-memory.dmp
memory/996-1-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/996-2-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/996-4-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/996-3-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/996-5-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/3432-9-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp
memory/3432-11-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp
memory/3432-10-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp
memory/3432-17-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp
memory/3432-21-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp
memory/3432-20-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp
memory/3432-19-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp
memory/3432-18-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp
memory/3432-15-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp
memory/3432-16-0x000001E8D3EA0000-0x000001E8D3EA1000-memory.dmp
memory/996-22-0x0000000000400000-0x00000000005DE000-memory.dmp
C:\ProgramData\Windows\csrss.exe
| MD5 | 63210f8f1dde6c40a7f3643ccf0ff313 |
| SHA1 | 57edd72391d710d71bead504d44389d0462ccec9 |
| SHA256 | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f |
| SHA512 | 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11 |
memory/996-24-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/996-25-0x0000000000400000-0x00000000005DE000-memory.dmp
\??\pipe\crashpad_3216_GATDNBXMAPWVUIAV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/996-34-0x0000000000400000-0x00000000005DE000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 2be61ad5718441efee21e9613d1fd0e9 |
| SHA1 | d6d5dd772ca7428fe41c5305331c1cdf112c48ab |
| SHA256 | 1e115abaff74d1471f579df8c90515eaf13528d8d6d0f12eea15d7879e0fa8e8 |
| SHA512 | eacbfd74294c5dc59ed77a4507d2a2118b25556284074b7a1dcfdb04f814ec77f42fb37f1a1f3b9a423e1662079bf079e93ac5ee2173bcd5702581aefd9a838c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2b2c15e299df0408ac8eeaa13af8e6cd |
| SHA1 | 1095790ee9cedb367f99e3569c87fa93757cff83 |
| SHA256 | 72feef1f731818e8353a036b54327c09f53fb75b232fbc61c75cf4c75cb94033 |
| SHA512 | 5f32fc2ac01ae5400989c8f42dbb3c05eb0a34cdfadde0e08b9ed6711679c401ee1a166a350008a35049a0cddacf690c583c214370bba0ceafe8fee9d02cd007 |
memory/996-64-0x0000000000400000-0x00000000005DE000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c40ac670fef48bfc3342493d55593b77 |
| SHA1 | 5942feb5d7b715985a4bc5e7431e6a8823172190 |
| SHA256 | bb55559f66e5240d9e8f8ea9b56e80a2d8374df5a0afb966b8a0a16779a540e6 |
| SHA512 | 8633d97f546d4a825088b24cac2460045a9073adce99d55fa0af22e7ddc88d31c9d56965ab0445b61d43f39be94e37c5fe0cffe41f2643a0be243a9e416a8318 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 969e083bd78fbd280724aec7bed292db |
| SHA1 | de43ae8ea6e8d7bf09e0e45d6188d3819d213552 |
| SHA256 | 7e21cb42014892a908cc2da58828002e831e92ccc5134ad75465c3df1f14b4ef |
| SHA512 | 9cc2d6042202944b3e8258124751638ec24f157d2ee1e51144b9cb6518d83bffb917b228a0c7b60cb14ad351ed5cde92d25854637edb74ce1e53b1cd71a57385 |
memory/996-90-0x0000000000400000-0x00000000005DE000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ab586fd3461bec6feb3be909081e0564 |
| SHA1 | 88c7bf7f16878288787c96d49699a58400c80725 |
| SHA256 | 528b6eacf5e6f9e0c435e1b3c4786b2eea3068688482bf835010cd40c5773953 |
| SHA512 | 3cacfc9d6ab2daa0a81a762b02e259d0ac2ce5a501266aa1df2c8b41a199498913872ce81e38def8dd7930106a9684884bb9f9f92cb1cc81bfd807f9d3ae25bb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | c169c46d81d930738c59e307a9385a4f |
| SHA1 | 5d37f6de1d40faee210ab8ff99f5a61121ce8add |
| SHA256 | 952117e2a7cf8613ce56c7d6e0c61a46030e38515b485b9cb3e0c9a9d7a5d91d |
| SHA512 | 1c4b4269e97758ade38fe83d803ee272a3bd5d19ae1ba886bb81cd30ef72eb7af7026c7a0b2fb20298cd2a9ae0ca082614369dcccf3c661144aca07aa07f1ee4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 10c4a993a5d30ab2b6f724f5cad910c5 |
| SHA1 | 90f0e19be2555691db1c0aeddcf8411188c7cc54 |
| SHA256 | c6cf5144ada3641d88b9f88ca5363ca2e90dfbfa3d04fab9605172faf85e80fb |
| SHA512 | 5dbaa83bfe8718f1e2dfc656e7b3aaeea3abc632f6644dd7a8195e7c9f6d34b0bcdabb90342aa1e681b15842c2e8d91009ab775fcc42420f0064fafcec10f386 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4897a69093b3aed7e5b11d0831e68545 |
| SHA1 | 820f1a66a95f84d19656b4e8b486bafee5f22212 |
| SHA256 | 48295d3e4e8d558acce0a71381055a95fac44f05c2dd02d4d5c9b2eb9b216f56 |
| SHA512 | f0646e6655441303f78c65933152d735ceda8b82a3f5aaf27b619b1fc98e09c413b64377a247779ed8671560e1e79829e24abb7f3a2e2b5e19b341a6edc14966 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 5059f1105c9a7a0b52a35ff99eba9b56 |
| SHA1 | e3b5280e1160a6253252dd7042aa2aa3f53dce22 |
| SHA256 | 6ac13a9f86ce7562f090b65d3d2d998d569d19da6b4d0ae02ecbb5091fb66810 |
| SHA512 | 8a727beff028eced21af16e6140497174188384b332f7bb436fe65defc9735b37e05616bc71b7bff0f9133cf7b9fccbf17d9521080a1e2acae752a64259a2260 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
memory/996-210-0x0000000000400000-0x00000000005DE000-memory.dmp