xenorat | b67d8fc52334fb2309368bf2a738520f1b42436951b211b7896f612b86350c10

Analysis

max time kernel
1050s
max time network
1046s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
18-07-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downlaoder_Menu.exe
Size

4.5MB
MD5

ec79983fdb605310fac832ba5809e2d6
SHA1

ca83d6453563e02decf614d0ce331de493267d2f
SHA256

b67d8fc52334fb2309368bf2a738520f1b42436951b211b7896f612b86350c10
SHA512

234bb8696c8a6929784165366dc4317d5826738711a7661bf26e4ffab8e958db23d0f2a11542b3f0b5c4c71d62d3e4bc7a730d94d917a21d132d40e2a67ed460
SSDEEP

98304:ePj50PrsilC2IbhblAh5+dWspirADIsYAVjw1gI:i5gahZWs80sfsw1R

Score

10^/10

xenorat xmrig evasion execution miner persistence rat trojan upx

Malware Config

Extracted

Family

xenorat

hax.onthewifi.com

Mutex

hAxxx

Attributes

delay
5000
install_path
appdata
port
1960
startup_name
Windows

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral1/memory/1772-333-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1772-335-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1772-338-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1772-337-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1772-336-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1772-332-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1772-339-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1772-374-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1772-449-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1772-453-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1772-452-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2196	powershell.exe
2084	powershell.exe
4860	powershell.exe
1428	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	RegAsm.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvtres.lnk	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
1800	Downloader_Menu_2.1.exe
2424	risk.exe
1540	risk.exe
4048	cvtres.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1772-328-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-329-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-327-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-330-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-333-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-335-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-338-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-337-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-336-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-332-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-331-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-339-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-374-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-449-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-453-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1772-452-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1312	powercfg.exe
4276	powercfg.exe
1812	powercfg.exe
388	powercfg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1428 set thread context of 1108	1428	powershell.exe	110
PID 1108 set thread context of 1772	1108	RegAsm.exe	134

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Downloader_Menu_2.1.exe	Downlaoder_Menu.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1116	sc.exe
1616	sc.exe
2036	sc.exe
2756	sc.exe
1780	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133657786090340795"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	powershell.exe
4860	powershell.exe
4860	powershell.exe
2084	powershell.exe
1428	powershell.exe
1428	powershell.exe
4668	chrome.exe
4668	chrome.exe
1108	RegAsm.exe
1428	powershell.exe
1428	powershell.exe
2196	powershell.exe
2196	powershell.exe
2196	powershell.exe
1108	RegAsm.exe
1108	RegAsm.exe
1108	RegAsm.exe
1108	RegAsm.exe
1108	RegAsm.exe
1108	RegAsm.exe
1108	RegAsm.exe
1108	RegAsm.exe
1108	RegAsm.exe
1108	RegAsm.exe
1108	RegAsm.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
2224	chrome.exe
2224	chrome.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	388	powercfg.exe
Token: SeCreatePagefilePrivilege	388	powercfg.exe
Token: SeShutdownPrivilege	4276	powercfg.exe
Token: SeCreatePagefilePrivilege	4276	powercfg.exe
Token: SeShutdownPrivilege	1812	powercfg.exe
Token: SeCreatePagefilePrivilege	1812	powercfg.exe
Token: SeShutdownPrivilege	1312	powercfg.exe
Token: SeCreatePagefilePrivilege	1312	powercfg.exe
Token: SeLockMemoryPrivilege	1772	explorer.exe
Token: SeLockMemoryPrivilege	1772	explorer.exe
Token: SeShutdownPrivilege	2224	chrome.exe
Token: SeCreatePagefilePrivilege	2224	chrome.exe
Token: SeShutdownPrivilege	2224	chrome.exe
Token: SeCreatePagefilePrivilege	2224	chrome.exe
Token: SeShutdownPrivilege	2224	chrome.exe
Token: SeCreatePagefilePrivilege	2224	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2084	2620	Downlaoder_Menu.exe	82
PID 2620 wrote to memory of 2084	2620	Downlaoder_Menu.exe	82
PID 2620 wrote to memory of 2084	2620	Downlaoder_Menu.exe	82
PID 2620 wrote to memory of 4860	2620	Downlaoder_Menu.exe	84
PID 2620 wrote to memory of 4860	2620	Downlaoder_Menu.exe	84
PID 2620 wrote to memory of 4860	2620	Downlaoder_Menu.exe	84
PID 2620 wrote to memory of 1800	2620	Downlaoder_Menu.exe	86
PID 2620 wrote to memory of 1800	2620	Downlaoder_Menu.exe	86
PID 2620 wrote to memory of 1800	2620	Downlaoder_Menu.exe	86
PID 2620 wrote to memory of 2424	2620	Downlaoder_Menu.exe	87
PID 2620 wrote to memory of 2424	2620	Downlaoder_Menu.exe	87
PID 2620 wrote to memory of 2424	2620	Downlaoder_Menu.exe	87
PID 2424 wrote to memory of 1540	2424	risk.exe	88
PID 2424 wrote to memory of 1540	2424	risk.exe	88
PID 2424 wrote to memory of 1540	2424	risk.exe	88
PID 1800 wrote to memory of 4048	1800	Downloader_Menu_2.1.exe	89
PID 1800 wrote to memory of 4048	1800	Downloader_Menu_2.1.exe	89
PID 1540 wrote to memory of 1420	1540	risk.exe	90
PID 1540 wrote to memory of 1420	1540	risk.exe	90
PID 1540 wrote to memory of 1420	1540	risk.exe	90
PID 4048 wrote to memory of 1428	4048	cvtres.exe	92
PID 4048 wrote to memory of 1428	4048	cvtres.exe	92
PID 4668 wrote to memory of 716	4668	chrome.exe	97
PID 4668 wrote to memory of 716	4668	chrome.exe	97
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 4712	4668	chrome.exe	98
PID 4668 wrote to memory of 1356	4668	chrome.exe	99
PID 4668 wrote to memory of 1356	4668	chrome.exe	99
PID 4668 wrote to memory of 3812	4668	chrome.exe	100
PID 4668 wrote to memory of 3812	4668	chrome.exe	100
PID 4668 wrote to memory of 3812	4668	chrome.exe	100
PID 4668 wrote to memory of 3812	4668	chrome.exe	100
PID 4668 wrote to memory of 3812	4668	chrome.exe	100
PID 4668 wrote to memory of 3812	4668	chrome.exe	100
PID 4668 wrote to memory of 3812	4668	chrome.exe	100
PID 4668 wrote to memory of 3812	4668	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\Downlaoder_Menu.exe
"C:\Users\Admin\AppData\Local\Temp\Downlaoder_Menu.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZgBiACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGgAcwBjACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVwBpAG4AZABvAHcAcwAgAGkAbgBzAHQAYQBsAGwAYQB0AGkAbwBuACAAZQBuAGMAbwB1AG4AdABlAHIAZQBkACAAYQBuACAAdQBuAGUAeABwAGUAYwB0AGUAZAAgAGUAcgByAG8AcgAuACAAVgBlAHIAaQBmAHkAIAB0AGgAYQB0ACAAdABoAGUAIABpAG4AcwB0AGEAbABsAGEAdABpAG8AbgAgAHMAbwB1AHIAYwBlAHMAIABhAHIAZQAgAGEAYwBjAGUAcwBpAGIAbABlACwAIABhAG4AZAAgAHIAZQBzAHQAYQByAHQAIAB0AGgAZQAgAGkAbgBzAHQAYQBsAGwAYQB0AGkAbwBuAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHgAZABtACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAawByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAcABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZgBnACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\Downloader_Menu_2.1.exe
  "C:\Windows\Downloader_Menu_2.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\cvtres.exe
    C:\Users\Admin\cvtres.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\temp_.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1428
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        5⤵
        Drops file in Drivers directory
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1108
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:2552
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:2240
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:2036
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:2756
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:1780
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:1116
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:1616
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
- C:\Users\Admin\AppData\Roaming\risk.exe
  "C:\Users\Admin\AppData\Roaming\risk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Roaming\XenoManager\risk.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\risk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp" /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff326acc40,0x7fff326acc4c,0x7fff326acc58
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,18418351434070791589,15598638438495936269,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2028,i,18418351434070791589,15598638438495936269,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,18418351434070791589,15598638438495936269,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,18418351434070791589,15598638438495936269,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,18418351434070791589,15598638438495936269,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,18418351434070791589,15598638438495936269,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,18418351434070791589,15598638438495936269,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,18418351434070791589,15598638438495936269,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4872,i,18418351434070791589,15598638438495936269,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:1636

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff326acc40,0x7fff326acc4c,0x7fff326acc58
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,13076070368440057107,18275078869646891521,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1684,i,13076070368440057107,18275078869646891521,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=1980 /prefetch:3
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,13076070368440057107,18275078869646891521,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,13076070368440057107,18275078869646891521,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,13076070368440057107,18275078869646891521,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,13076070368440057107,18275078869646891521,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,13076070368440057107,18275078869646891521,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4608,i,13076070368440057107,18275078869646891521,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3368,i,13076070368440057107,18275078869646891521,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  PID:4004

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ddac1dc313aca68bd46a5ca66857902d

SHA1
ae92e9e0a0428d0ffbe2b489712719750553bf75

SHA256
c4015717c5d2e59ce7df105da88f2acdd17cd29df5cb3190e7be49cc800cb5c9

SHA512
e6c370699596e22ba518c97fc5bdab91da975bb832399b62eb67d930ae41a55322be5e9a8084f39392fc4ee8505b72eec41929ea044e8a6e216b0cde3f258766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0f8bde8731abbb90e15afa85837f91bd

SHA1
31fdf359b4f5cb906651d58e5acd12704a22a86e

SHA256
7cc4e8b0e473d5a333606a4ab0a60fe984a58426dd39bcb2ed62004a9b73b6c9

SHA512
609d439311ff26032df29726516f8163a1d55a1a5e811ca388cb34527e10cf821f3820b32113a79d9259f18b3041577bf32faf968e0bbb825147d34c3ea95380

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
6f024de442c49be3f12441a6cea55ad1

SHA1
30620db43a19c5499d356e9227b4aacc7a832fd3

SHA256
3cb7adf841b63a5ae649acbae6e045534c6d1a6725fb836585930366a9526f6e

SHA512
97f5eaa1668460f4ac2d314c1844480cbce4e4f200da4c60c19a1bc6b320b119d376dabde9b9477a6d08a41bc0503f9cf93ab71c374f7442ec4435a7dd4383df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
ec58d88f5e8c19e945295d662dcb357d

SHA1
0ef8fb6e45149a59e24dc9ba6ea39297731fd4e9

SHA256
a8df01334923b822c5767bdf73ebcc876fb37ef463375dba9337893f8f0968f7

SHA512
2ec10fb573f164ab66d278f9b5bd78b565765f562e3ef0f80f8e6691808efaad823f5e99a312147d0c1a2be13622e85a8657e57b522cab5e78b066a76b035bf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
55c1dd8240457c56907255cd086a7bf3

SHA1
4cec7f24361ac554e8a521bb3b067973c68986f0

SHA256
f290f03028d8897ed18c6bcf59699a8d682706ffdcb617c10697872e7282c617

SHA512
9c2470a458b8ddd2e04a0ff0626e47dcd1baf3212538f5dcc4d7640d04707fc29f5e9ac91db5bb6622a5c50138930e3a80cfcb3cbd82a703232b603de61eedd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
64945c5f15dee49a9701de2ac98bce89

SHA1
673a32e50bd65b6b0e673795bf98e256773e4a92

SHA256
2cbd7601e7d9991766170f3ce93f137cc3a471c5b11b284f52603ae3bf2f8af1

SHA512
8534a7effdb53423979bcc33687094e19476a53f88b5583dda58c1332caf7a80fd1680b161a4165e5431a150a2a908faa877d487522ebaf8649f20ee5504fb31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
d4290cab295fa65d56570313bf9dd6c0

SHA1
e930214dfeac958876d17c49cf34a33674b0d7e0

SHA256
fe534a40034100b03baf1c310032afce26210e719c54efef4e2134f0f0a15134

SHA512
954efdd38f800ea7cde0864e93a05ff509be981071dbb180db01f11d3ed5ff7a07f08bf14f4726d92697d0153387bdb586a1f97793cece3af073003920416ada

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
907099d9e3c8b48c0483c15353311c08

SHA1
0ce33ab1ffb136f3d4f57063bc9e929d62e7146f

SHA256
d868d36f5d618f117d6c435ee56ddb3428a503e451dfea6893f9e3a1dfb5f6ca

SHA512
d9b37601fa52133551c0fdc8e7e300294cdcef1bfe1b1a9ba8882d82e02d8a7a2c320588cdf2cef82635775318da1130d468c2f6570a38a52ebd5fb6049e23a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
8c8d9fad8f90e1e3efa9746dcb3cd13a

SHA1
608a5c524ac5382058b94e5dc7b7edfaf58fa78d

SHA256
ac921f55db2ce6cc35b40af41c8a97337b61c4ad3d908fd0e8c0b4605d792767

SHA512
2686e0df13baf6d6cd181d27aba7d03281cfa721b103821bedc1d5f0130c551499598838743786df0624518972a1c79e03e356bb721ba422f0e582e544b7be42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

Filesize
20KB

MD5
dab79a57011073a06989e52bcbfd2d57

SHA1
37ed315da5b7839bd914dfbbd536da598344264b

SHA256
187880b2f8b0bdea51d013751bf54158a7035176ea339dd3042cb1c5668aee0e

SHA512
3831f193d794a50adf3022647dbd91bc7f47769932678ff2e469f532b02bde101ebb52ea07d91712ea6332c72adc4d55374b66148bb32b6952dbf6331b21c5e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0

Filesize
44KB

MD5
d2967b984b29aa8320fa77440eb2859d

SHA1
74ffcd4fe143c520fb96f758f604b9f02be06910

SHA256
403e2b63fd3b27bfe2bf85dcb58682b1066879c08293e0275d92dafd119cfdc0

SHA512
0d191b58d99c59c74ceefe8559a1602d03143897bafd0b38f17065105c6caa04a24816d4711ed8a467d84926518b676193d9dace04177055bd8b7c6b40b0540d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
46b02cc766ead5b8860f49f43d5d1146

SHA1
16c0fae4a7d21ffcd61df5e8b32ec8f50af45620

SHA256
f8cea79c81e16dc13e388d959364d5532540de6b6dba7078b5082c102ded03b6

SHA512
5da30ccdcb4ee1649eee29b88a2a53ef1388054fd8aa21db15c66296830e799af2896041be0dbed0abfb30a3acf728aa6c69c1080f1673dc57997a3a9750fe65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
125B

MD5
0de1d8d24d06324237fc5a91a7498737

SHA1
6d3e8b6d06e697f450d3210dc1cbcf15a1505198

SHA256
26ecb90d5a44081cbf40cf1d7b3e1954137826bcfeb0ca152faca441fa4d899d

SHA512
d6cdf0e72b3774f0feea78ef57063cbfb37ca6495c9dc9dc63ce1ee55987896ca3d248a3c83bdbdca21cbef4caf72467e8c702c4d4634d6d401e418f3ea120cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
de16f5a2d75ae20d2215ce7f81d25dd5

SHA1
bc04927d46b6c07232c5c97ab68738204b8aac25

SHA256
5146a1c9bc73c8c2eac316475c5a44c5c94c5badf71cf4cbafe5b6b67680104b

SHA512
dac8ac2d615b27bbca8e9cb71f65c192e7ad1528251e44bf8afab4536280f002ce85d8880f4175775485ec12d2d3140ff62643d29d732c905ca60747cb674a0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
160c55f7780398b43b8e16187e92ee9f

SHA1
d8c9383733cfe946bb71541cd1593986e6838687

SHA256
edfe57af8c7789fb87892e64d84aa93ff3ab0947225248c578f9511b89c933ee

SHA512
274fbb83610783ea4c224bc564297da37f0798dd0e46f3c5540ac9fd6fbd54265116c04c233dd8c516bcffb171d066fe6b811db4f98a008b5c8192fc00205159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
790d1cb74811baf6cfe1d79366fbe3bc

SHA1
695c2bfe4e6e9e00e3c2db38ce14f71e347fdacc

SHA256
7d98a0e15a007125c3e3916f6e1605b0d132b8f950fb16f21bac8aed84543d53

SHA512
98b2aa0479c26582e4ac9d7723915ad178fa0956e989d1feaa3ba4bcd5e93a15d434303b0867856c77abb3354b07034975437b9ebf645ed03051b69953840456

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4717472a31e9372367dd67225ce0f903

SHA1
7378fd0b49a3d1209c8914975b6495abd545c25e

SHA256
6473d690adfa0550d9f3b552e6c7bfcfed5c806ce4a3a103f7ada431b648210a

SHA512
8f3e4a05de7fc6acef370ca6fb37bef3edf35eca3ae9e7e2e575b788d2be990d27299fde1e1da80d30534588fbec3ce3a353f72b13e98825b8d6befd89793fa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
e33ea7df67e632321ecc26f42b26bcbe

SHA1
e4115656cf292370d91c9783cb233aec72070f1c

SHA256
455ddb992b28a2c46a37cbea9aac28ca8a99e6ddc6c35bb7b5d12acbaf7ba54d

SHA512
9e9714231ad0671fb477bf509c525c8266037a7edac7c6eb55921f16da34e05004b3555c673ba96c5e836e56253590253bc7ff2b8ba4199d29cd891a329ca99d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
75296ae583e671d26e00aebb7c5ce058

SHA1
9ff4282fe653355e2facedc0138d229cfabc3c1e

SHA256
db8f6a3893e37458ed1a74362fc0b34eedfccca2cd5c2f9b0a8d6c31b66a717f

SHA512
9fbc005ac60b768d0221f410fb99015c6e2aa7a28b5ee215e41dcfd8bc1a06abb0e9aa0f10678209cc444f715b13472a92a4f8d5ff253a45db85d34f431f25ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c3d59def3206ab123feece2a2dcab7dc

SHA1
3d67c4208b841158da01dd4549904bc6b7830976

SHA256
d3bbbdea6d0abd42c3ab6dee50e79b309fc0ba1cc4ffbd20d806c26f5caac6fd

SHA512
a3e8d2720e96d257b57148d8891e8523917da8d72347c7721782aad257913f33f7b1fc219b230246d3cb7f495b86b83f13684b7941eb4c2f17e2e03981229878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
edf8539cde02183e10a789557f0b9c41

SHA1
fc6d8f20280807fb56bbce46466768144355cbbe

SHA256
a20e5a5b86d709e1ed801a45a5b2ac566238defc5343e186877769e06d658958

SHA512
f1aee9a2822d8ac32bb65422e992a634130f34d4dcbb5a4c77ad9f61d1723661133d09e90baca0a176a525c1421847fc666ce5192aa7f2768ea31b745440ebe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cb3756ef57a799e811279685fd96d92f

SHA1
a0f734d1d63e7fca958797b4d5009bc9cc271add

SHA256
ef7da0da6a8c30dbd3dbbc01e64b1f28f5f001511494f64883982c88c2da3d27

SHA512
a0c6a148a5042b03fe5fa8da67895cd3ea22eadc12ea5947bc45aac51fc117cccae71880c63c80a08e429dc176efbd527113f7a63aa5ee0cd32f0e4a7c2342e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
540d462eea0a5de676de238e93996658

SHA1
c4223bd1f66c13a8b527269be3d2eda287dfa5b4

SHA256
8417f94193b45ae4aa3d413e283c90b4c9ad77b031b2e13e176f5040ba483d0e

SHA512
539cf7b32c91a9c0172d327fc303f23e8a42f6932540bda5c7b8e9e98dc8e725ddf46195163f694edeee1ed52f7f252659a9f2ad1c3c15f6dc15a4d62b05fd39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
49dd737da1bb832da8248d9bb25e2176

SHA1
1b313f228029ddbb24cdc2879b7699f9e35cfeec

SHA256
d9f1ab5088c49638ce95eb9d48a8f50e98721810f21153610575915ff5715feb

SHA512
a3226565f083aca48a5d29780060bcf8ee0c9fbf880bab4b5f47686aa940f2b59d5f4ba9b28b7ae387fd521fbf9c4bf6751e016fd692c4be0464332eac85086d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1933ac66ad8f00feb66ca82d8005732c

SHA1
8a9470647be1c0c70d7830d78a81b2cb1ff19349

SHA256
c9fd30016b6b383ea93b0e327ef917e8d661f97534142bd04534717cf48cc1c4

SHA512
367b800d5d8a51787b0cbf812bc046dc21761b9ccc56f17f44d7b3267483c59c64202ce5e74af9ef9c9670e8bf63879fd6bfb8834decb75a29609e9d58c53f84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31391f7eeb0888f5517e1d210cc53be6

SHA1
f69928fcb4eae93e56c33b78c951a16208ece8b6

SHA256
98646b386f04a0ff5fcd73dae128d467d9d497a65198080bba35027209cffa03

SHA512
f39b5189294ba0f811d767939172f0a22bd0437d27f5a1e6cf3522112099488723fd52950cd36fe4c450b81f0a520d88dc24b2d91bc6db19714c127e4ece1d57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
88a55ae070a2107f94d592d88854cfc7

SHA1
0d258f36bd3348912110e950fbe21c65d3dcbbb5

SHA256
6317ca9ab3a002ac91097707d39581020e68d1ccbbbc2143f0a17930def69ed9

SHA512
48b994cac82f3eb624699b43d1722c4c7a97e50a3d88e7293fd3f066ed73a6c9ddc1d0449533e66f18b31e9e7307946afdc7d8cca894c4567c3bca323c0da706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
4d1aa41af63b4de96176c12556169a0f

SHA1
563371401c6cb674d8723f8fee45df6f8743c800

SHA256
693886397b8342c942078fbdeab8f46eec98a60fc5edd4cceef424fc73506d3b

SHA512
8553134de30cf4a1cf863bf94e04d159f5d8354b13cf6e6b3c4be8a14d8ee82313f4ca6157206e0299539193f94eb5b8d1f3e7452b62e439ba8344282b208d24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13365778627369246

Filesize
3KB

MD5
aad058eb7079d485580a739920d2a7c8

SHA1
e8b73fcb0549ee36e47afd793208bae807e0d0d3

SHA256
43a124c75ddf013813f1803f36d4d701e5ed1488347d98719f589146d5d7aff5

SHA512
1f439971cad41085abcf7ac20736c71b7774a1a528dd9d505e3312c46c44df6714bf93d0ea4a6b7229831fa019a97adf5f5ae0f36d4e7e6bd6bb4c1b10fcb438

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
01736aba193983008808d7665488c471

SHA1
9397a954c6dded58e8932115dcb7ce57e0655a21

SHA256
b3d3dcb1d5dd43f0e0ad7446b7d1137e2418ced0d9f005dc8af7c08e4e8b5ea1

SHA512
de68828703c1fd07b19c42a60a78ee93a4c90d7b306bdd26b4428e9967bbc5cc0c6f78eaf5f5905d407de064217c10be23fd98a8d3e49e69f0a414ab79b5207b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
e4f2b31e98d9d7788fb03bd3e3edeb4d

SHA1
540f76ce8eff0a1483b83c2d7ec159294069fcd0

SHA256
c4e4cd27991af6289c8b158ab28061a1169f635abe1b902603d4b4cf68cb3d1f

SHA512
ec1a643f9fe40f40394f874e0d31247a25be9375faf7039c7368c0ecc7edca6d309fd23c58827b46303987a11f312a0ded82fe19592342854b9113fef8f0d8c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
7ad96ff6de112c14aa09ac305596374c

SHA1
d7224635eb2ed75fafddccca7850ff7db2d2ab37

SHA256
7dd2af0725c172cf5a8085bed5ea1c6cd1a2568ecf080ac6e4def3815f4bf6af

SHA512
0f23622c66ba01a0ee3890bf71ff91f4b253f69c8c146eddfc86f24c3dd22a2fabe4cb95a7ecd3e915681b5312fba72d49e1fa4f320e75ea90027a6cc3234250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
4c97a3d8acbe115ab4fc456b841f8236

SHA1
a76af465ea2304364ab0615a074de94d80cb4f87

SHA256
d3cc41a06a2d2d8821f18d4a29fe11a8cea964bdd1685abdd7f5d821560ed435

SHA512
da8b0d0a0ca07d2dc733f8a693d568976a60cb489f6c9fbc2e8aac5904c9c4ff4ce5dc3c644d031a8d6ef08033beae619d8ea2c281a8eb9b0362bc31f2023764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
114KB

MD5
3621e543feac6643ab01435d408506d2

SHA1
e11ea195c0bf409d157dc89a668de83da861e710

SHA256
8de596c824bac45afe46ab55c1a678ed1485b158ccbd85740b171b8187fd6a3c

SHA512
80d7b003f04441ac26d3d573adcd0b1637be287ef1c76bf0d8d5de61e904cbb6d184f3a4e2b067b74b9228867c4a4d08708e33209c7c0821ed001744caaff67a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
aaa1d3398c11429309df446cc70a4b24

SHA1
426037d880450cfe67c0db4e8836d8cf67c3af33

SHA256
d3c5bb416732a0643cb435ce980e4cf7ed0d96375d6d1d866565ffa4cf5f4e31

SHA512
5400a74ad59ee80e11b97e884bedee53af567520b807e4c3c43b68446bb495a967e22838aeee4bfbf02486ec5abfb2e821c5165ab2b894a54e0d7eb70c7355a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
59f2780f47569f4794b1ab74413a1155

SHA1
42027026980c47bf8e7b34778136984f2445a24a

SHA256
d651d028f5f1410ce2e9ee271d39f4f1b268dbeb3be5cefd8e7ff5832a0c5843

SHA512
a87cf850d2173fed5029bca698ae0d19aefd48ecd13b7e5a7de3f54ffa7e89bed49b465bb41d044ebed50c7747263e837c7e3b191199e18c825f260bd6bbd5d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
388e43c1f37cc50c8296f520d16cf2a3

SHA1
ee2f9838d6a4d721ab99e956d1b758117e975a6d

SHA256
258f9b6a6c74631bf7773102d533ade0b064295647f90bb5ef991cc3bc8e3987

SHA512
0ad8d599f2c5f767669783ca1892d1d1d89382e37737db5b49379a3e0c0a896ba8edf7dfd0b3c59c5cf2873a0df5e4bb85078e35daa17541f89b9e9c9575bc6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
96KB

MD5
27acd4cd42b9075aeee616e4416623b4

SHA1
aaa89f36700384ca918fd78d1b9f1465d3d4b873

SHA256
a81ae9aaf35a59ce78a891e40269cfe400b7039198802c22a3b775518a5f9775

SHA512
7d74dc688f0c5465b6331271be899fe8dbb1dc06977f2c4363a860cbe23276e0c6f6495758529efe13f9deeaf8868375e2e65f757737d1fb5945d89523793838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
96KB

MD5
a99d67843aa312220ef78e8074c877ac

SHA1
be04437cfb348441394728d893b1e16668d3cfe7

SHA256
5a6f986453a27bb6fd8b59e058be4727230c58fcc5ff7a9dc5992b3e742b307d

SHA512
8c223dcad8f52c2237731245dfe10f8f641781155e15470056a9fabd54fe21eea73b7414f490dc39d32f9afb03216a91dac7ea9e47e42a6c220df2905fe128f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db

Filesize
28KB

MD5
36d44d2c40b64636eeeedffadd1074a0

SHA1
8693df6c1111c5ec42184997e2807235138c093c

SHA256
c7160f9d65dd8a28dc34c27e687eb2977d45f2788aa6c837f7af3d1c067bac27

SHA512
9e8a5cefc3ba11a6c0989c24d76c5c44c0907035dc17bcf09e519ed16dcec39720dfa29500e589e5aff67c1f90506cd7deac013979ad93d3836bd1ec8702dbe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
9f873035e19a5e8ef5a11d57f8dab1b7

SHA1
9a9c985796d01d067c038ac252a74f2d9a3ffe27

SHA256
7e3e793a2d0e67cda741607dba4cc11acdeabe7c8a5c5c316e0389f32e9dce86

SHA512
539bad3bc7e2982d2034ccbd0b6a90d7edbc14fd1e1269039c17783f4f4d3c11a202d80c0e3d65d2dccf3499d3038924ecdef082c9776dedd423fa262ef3a4ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2d227b1a125508f7af7c121079dc9f2a

SHA1
50956ece151e150644d37687f7c1abd20a9d8c7e

SHA256
6250f7be70ce0f81e487bdb1a71c80673fdaeb042574c51fe1765c74c863542c

SHA512
71a6c68887f5cc21222d2b7456068cc5773fa1417736d113ff06977949e8d275e2d5ba6e613be9ce67e368cfd9e1463723c77143370143b80883694b942d84a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c99a3482a8a02266c151f4871d26f7b8

SHA1
3e29577df0aa39dd71435d64187d79889de752c6

SHA256
db0b13e6d8f9513168e629a19b647b71fc836028935e4423792698e98e6879a8

SHA512
fe29e5dc317da5c1efdbcef061119172b4108601db320c92a2132e0c83cfbaf604ccf9c390af82842b97f84d0bac934d80f052a84b3a7a93927b4b48152fde5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_prrpaata.fc5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp

Filesize
1KB

MD5
c824a7486b8af655d347fd367022d0d2

SHA1
17bb7f077818e6d5ecb3be0fc681d341b82dd72b

SHA256
025ef7965c1b7643ff8d71a48c71d62ce4380e3ac6324ecf51f80717a4d61c14

SHA512
a026982ac700263bf2dfd5415365dbe52b0e59095adfd00c937af28f5c84978faf65aeb2cd2c7c9dc5c7b38dc82dc2acc2d7b91e96026e73a881483168586bc1

Download Submit
C:\Users\Admin\AppData\Roaming\risk.exe

Filesize
45KB

MD5
2cb05f0d4360327b33956fedf516c6fe

SHA1
4562653b1361ce66ded9633e5883d00184c08796

SHA256
af82f7a1ca358d54f5da73409d05360c265f7569fb768218051c7ef2620e66e6

SHA512
f0967245d1693d74d146356c9540a9ae0b848a96a6e58eacc111a951a6b32e01f325f8848b2b0c66b38dbfcdcb37e052ccfc27cf9b3b6752f3cba876181f6fa6

Download Submit
C:\Users\Admin\cvtres.exe

Filesize
5KB

MD5
c9698a20e68954387eed40d36d17c087

SHA1
c50cf0ac1cbf51a89b6c1b816e5e63e7e7287179

SHA256
3a71a978827979baeec7b94607e93a72cf2a51a7204a572f68a3788d83b87d8f

SHA512
f8099e4e6bf6e1cd850faa398b3ef8862852342bef0ec8a7318495be6e82ddf903834b951faa6c5bbd0879414dcaccf3fec6ade4ef74054e08011d718ed1e813

Download Submit
C:\Users\Admin\temp.bat

Filesize
5.4MB

MD5
96b7afe999094957a1ce5b1c0ee0cb2f

SHA1
6b5d48b5f75246993de0263d27d2b9cdcc6ebf3f

SHA256
d22cb88bfae5285d86cb35c2acba863f85b2e63c241c1959d15ca3416bcb5e4a

SHA512
ed7e02b26664b442f95fdf83af03d7773c017dadf3bec8c2d37cc2b30c49b6751a3104b85f00cfedbd145f422635e5b3ad49ea80adf7c0a92b06db474c6a238c

Download Submit
C:\Users\Admin\temp.ps1

Filesize
1KB

MD5
5e817bbd9ef2f8821aa0283b20a51923

SHA1
102ca518d89653fb400636e660fa3fc276235c5c

SHA256
27f2822ca2be992ebb6e1000aa3a2c39e9b4ff7e257cb45eadda8776d65018a7

SHA512
f21388e0655e6733abc70ff9fe2bbfdca00d81d2e7a09236d679293df34a966990f689f2d62119cdd877c7aeda35ab0c2b3c66108bc6b721e5dea34a93342d2e

Download Submit
C:\Users\Admin\temp_.bat

Filesize
5.4MB

MD5
ff46d6b0970c55dba491b6dd06384f84

SHA1
c8be08575f2174a9a00bff33e3b1a7c1d9c4a025

SHA256
a5ad5faab69350449e8fd14adcb262ecb289696d5f0da374891e9eb226824c85

SHA512
b0d5b4eb5d9b58f35f218dffb43956716adb062626a75fcde11ba517e9d16d015f8a0d90ae72fbad47c87cbec86ef3e6a16347900f0c0be97e47f6d58bdac3a6

Download Submit
C:\Users\Admin\temp_.ps1

Filesize
1KB

MD5
5a0a8376c0e45cc25d4050920cee3dcc

SHA1
2de4ddf90f3165b245bd9f77c145c8f770c98b85

SHA256
86af1b7845145745ccaf65bf0dbeb1a981701ad0c6793c2dc93c0c2f2aef8d25

SHA512
f5afd39336d6b9f0590d68a716e8c3b403c13b98aae34d76f43e34698d2c6485e3dbce7a6439623362effec50ab0b2696b1ed25e377ba4dae75047ef419f51c0

Download Submit
C:\Windows\Downloader_Menu_2.1.exe

Filesize
4.4MB

MD5
9d3195f106a540570da0d038bc07cf68

SHA1
33c1dd7a4101d1622b4d9268da0b731e00ddca39

SHA256
240b3b43f49f5430d9d2e263e857d6e4c9c98af09fe8ae7d9c0e6b7c9eeacfce

SHA512
9c7b0da3e2a01a05f61e39648d31851c5b0d70d7f20d865792cf4c8cec39ad764b2f11833116dbcdea57f3ec1785345921defbd656eab4fc23095b63ba889f69

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
memory/1108-189-0x0000000140000000-0x0000000140508000-memory.dmp

Filesize
5.0MB

Download
memory/1108-190-0x0000000140000000-0x0000000140508000-memory.dmp

Filesize
5.0MB

Download
memory/1428-139-0x000002E4BC5E0000-0x000002E4BCB10000-memory.dmp

Filesize
5.2MB

Download
memory/1428-98-0x000002E48BC90000-0x000002E48BCB2000-memory.dmp

Filesize
136KB

Download
memory/1428-188-0x000002E48B9A0000-0x000002E48B9A6000-memory.dmp

Filesize
24KB

Download
memory/1428-140-0x000002E4BD040000-0x000002E4BD0B6000-memory.dmp

Filesize
472KB

Download
memory/1428-141-0x000002E4AC3A0000-0x000002E4AC3BE000-memory.dmp

Filesize
120KB

Download
memory/1772-338-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-449-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-336-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-332-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-331-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-339-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-328-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-335-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-374-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-452-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-453-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-329-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-327-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-330-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-334-0x0000000000D80000-0x0000000000DA0000-memory.dmp

Filesize
128KB

Download
memory/1772-337-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1772-333-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2084-24-0x0000000004BF0000-0x0000000004C26000-memory.dmp

Filesize
216KB

Download
memory/2084-77-0x00000000082F0000-0x0000000008896000-memory.dmp

Filesize
5.6MB

Download
memory/2084-63-0x00000000076C0000-0x0000000007D3A000-memory.dmp

Filesize
6.5MB

Download
memory/2084-28-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/2084-25-0x0000000005270000-0x000000000589A000-memory.dmp

Filesize
6.2MB

Download
memory/2084-64-0x00000000065A0000-0x00000000065BA000-memory.dmp

Filesize
104KB

Download
memory/2084-78-0x0000000007480000-0x0000000007512000-memory.dmp

Filesize
584KB

Download
memory/2084-27-0x00000000051C0000-0x00000000051E2000-memory.dmp

Filesize
136KB

Download
memory/2424-23-0x0000000000040000-0x0000000000052000-memory.dmp

Filesize
72KB

Download
memory/4048-84-0x000001B13C450000-0x000001B13C458000-memory.dmp

Filesize
32KB

Download
memory/4860-76-0x0000000006B70000-0x0000000006C14000-memory.dmp

Filesize
656KB

Download
memory/4860-79-0x0000000006F60000-0x0000000006F6A000-memory.dmp

Filesize
40KB

Download
memory/4860-80-0x0000000007160000-0x00000000071F6000-memory.dmp

Filesize
600KB

Download
memory/4860-29-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/4860-35-0x0000000005570000-0x00000000058C7000-memory.dmp

Filesize
3.3MB

Download
memory/4860-91-0x0000000007210000-0x0000000007218000-memory.dmp

Filesize
32KB

Download
memory/4860-58-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/4860-90-0x0000000007220000-0x000000000723A000-memory.dmp

Filesize
104KB

Download
memory/4860-59-0x0000000005BB0000-0x0000000005BFC000-memory.dmp

Filesize
304KB

Download
memory/4860-65-0x0000000006B30000-0x0000000006B64000-memory.dmp

Filesize
208KB

Download
memory/4860-75-0x0000000006B10000-0x0000000006B2E000-memory.dmp

Filesize
120KB

Download
memory/4860-89-0x0000000007130000-0x0000000007145000-memory.dmp

Filesize
84KB

Download
memory/4860-66-0x0000000074020000-0x000000007406C000-memory.dmp

Filesize
304KB

Download
memory/4860-88-0x0000000007120000-0x000000000712E000-memory.dmp

Filesize
56KB

Download
memory/4860-21-0x000000007311E000-0x000000007311F000-memory.dmp

Filesize
4KB

Download
memory/4860-87-0x00000000070F0000-0x0000000007101000-memory.dmp

Filesize
68KB

Download