zgrat | hxxps://github[.]com/GypsySynapse2/Calamari-SynapseZ/releases/tag/release

Analysis

max time kernel
332s
max time network
323s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/GypsySynapse2/Calamari-SynapseZ/releases/tag/release

Score

10^/10

zgrat discovery rat

Malware Config

Signatures

Detect ZGRat V2 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Calamari\sxlib.dll	family_zgrat_v2

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Loads dropped DLL 1 IoCs

Processes:

Calamari.exe

pid process

4944 Calamari.exe

pid	process
4944	Calamari.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Calamari.exe

description	ioc	process
File opened (read-only)	\??\L:	Calamari.exe
File opened (read-only)	\??\N:	Calamari.exe
File opened (read-only)	\??\V:	Calamari.exe
File opened (read-only)	\??\A:	Calamari.exe
File opened (read-only)	\??\G:	Calamari.exe
File opened (read-only)	\??\R:	Calamari.exe
File opened (read-only)	\??\T:	Calamari.exe
File opened (read-only)	\??\W:	Calamari.exe
File opened (read-only)	\??\E:	Calamari.exe
File opened (read-only)	\??\H:	Calamari.exe
File opened (read-only)	\??\J:	Calamari.exe
File opened (read-only)	\??\K:	Calamari.exe
File opened (read-only)	\??\M:	Calamari.exe
File opened (read-only)	\??\O:	Calamari.exe
File opened (read-only)	\??\S:	Calamari.exe
File opened (read-only)	\??\Z:	Calamari.exe
File opened (read-only)	\??\B:	Calamari.exe
File opened (read-only)	\??\P:	Calamari.exe
File opened (read-only)	\??\Q:	Calamari.exe
File opened (read-only)	\??\U:	Calamari.exe
File opened (read-only)	\??\X:	Calamari.exe
File opened (read-only)	\??\Y:	Calamari.exe
File opened (read-only)	\??\I:	Calamari.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Calamari.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calamari.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calamari.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133701809927097957"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeCalamari.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{F3A95809-DFA0-444E-92DA-161845C06755}	Calamari.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

388 chrome.exe
388 chrome.exe
1848 chrome.exe
1848 chrome.exe
1848 chrome.exe
1848 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

388 chrome.exe
388 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe
Token: SeShutdownPrivilege	388	chrome.exe
Token: SeCreatePagefilePrivilege	388	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

chrome.exeCalamari.exe

pid	process
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
4944	Calamari.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 388 wrote to memory of 976	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 976	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 4504	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 5032	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 5032	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe
PID 388 wrote to memory of 1336	388	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/GypsySynapse2/Calamari-SynapseZ/releases/tag/release
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8b7c9cc40,0x7ff8b7c9cc4c,0x7ff8b7c9cc58
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=276,i,5065674222235550491,16212860463151605291,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,5065674222235550491,16212860463151605291,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,5065674222235550491,16212860463151605291,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,5065674222235550491,16212860463151605291,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,5065674222235550491,16212860463151605291,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4684,i,5065674222235550491,16212860463151605291,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,5065674222235550491,16212860463151605291,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5228,i,5065674222235550491,16212860463151605291,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2272

C:\Users\Admin\Desktop\Calamari\Calamari.exe
"C:\Users\Admin\Desktop\Calamari\Calamari.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4944

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x474 0x46c
1⤵
PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
b98384b23dca244dd416d8ddac5955f0

SHA1
a219ce0cce7a983c1117ce007fe687c14d68232d

SHA256
0ea8af6e7a8e7fef7426a395a98b82dc1595fca243f2168e58c66e624f97cb1d

SHA512
db11e154db9c13971bbf05f2d2f5ac864181469693e9ea624b8dee1519b8edd855a1d70c3db702c0c02ecc64afa46e4b6fec1ef03fc767dc4de6fa02506eb71a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3bc88c71-8dec-4ede-afdf-a9632b776deb.tmp

Filesize
10KB

MD5
d465a1af264457cd4170320cfaedd863

SHA1
4f3f8ff13d7020162a5db9cde0a70574433860f6

SHA256
09cede201845a081ec9220b666ca52f98c4c702edeb98811108e252ba01c8d26

SHA512
e5dab29200b5a81ab336aacd2d0f94805d7d56c4753f396703005c775e221cc54d0c996a9edc608758264293086758a1b9c3879c9862e2186ea2c7adf7cb694f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5030f0ce-c753-4479-b3f4-0294aba42803.tmp

Filesize
10KB

MD5
1d078e5b6841500b70e6a57b297f931c

SHA1
8400103b465be4fe2a680f2ecca828004caec81b

SHA256
8ce6d79f15193fc1f6a198a5c3de4c3c7abbb674cfdbc8541e4e598c592f0ca6

SHA512
04410be6385d3b723b042b24b361bc29522eb71fdef9b26db92111b3a87c7b529b13a7f410f6715c6854514d44f68e5807dd5aa8c36e1a4627a69e1f48b002f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4264f93ce8ec76fdeff82d4e5839d010

SHA1
984d513976b8e1f907cd5c1405db590a37da576c

SHA256
3ea43d2ae794f91604828f77a95e6d49c1b0c73e00939e648bfa9b8dfa7ce81f

SHA512
59525d7a173c6113f3b7d63a4ba84bd24c4dd7c638be125cbaf2ddd28c98a20f70c2fd7953036e252d2e2f4c81a1dec43217e896cd2013cc9243b146f0bc3a7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
48578d7d0b74f8dbc6d88b7e9ad280ce

SHA1
15516b4a189dce4cde8a4b9c0bd7e6293fc76968

SHA256
ad421ab5a4cc79276fb81b7ccc70af30f9d4fb6463e1ced417a168c6431ac59d

SHA512
d95595c8825700d8c5ca6f181949be1b94b31cbc5b9b593e19118c758d6e6b0881c032ba8d3f6c59a33891294716f33b764a5bf9f4cd641f21de7ca2780306bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
61aa9d6827a7485089e1cdddc2ae3608

SHA1
98f462a682cd680a9fa4bcd994b573dabffd907a

SHA256
bc6e30c6a6655d438383e0da92a912fcd4e33fad5da96bc6c8ec7c5fa58f1763

SHA512
c4e8ce5eb0de22d870ee64e97fd4a210c894df31041ebfe963575cd6b7d2cdc87dfb727db08fbfe50a31273f6cff99146d4d20c968f5d928e8cf9923ce99403f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3209cae7489b338fdce8542eab20538b

SHA1
d5724e34f05884fe37c401ecf93b2daea7bb5450

SHA256
2e07171bbb6b525cb08a647527e072d015af6449e9db56a79f78236956d6973d

SHA512
29c42b84a18a6319ee8516763221e90bdac3481acad409ce9b22447975b822099c7722923229cc6e36cec56f098b4882163a5ef52bacc5f318722413d28bb555

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
32b351f2fc3c6fd856690fabe49bf5ab

SHA1
13a5f67b087e066fc75604fd3ef07fe0461e5525

SHA256
bed0e09fe3f8e8231203e86e1c60292debc5b1991b6329b143aeea63c30e5765

SHA512
309410fbf6a2b82b49cf3361a04bb0ca1a4aa3b39bd5d55c4022c753b2185e1538f809ef5d67ba403257752e0c868f8673459f3edb39e958b0515cc3245ddb40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bc77b9f0b33270e96d10f2d7f860495e

SHA1
7310fc13b97d5807ec2732a9aff6c9f4bc8dbaed

SHA256
b64927ff7ffcc0d7e90122f34b077102bbf1095cd2d92461f1ee997fb5a8d5c1

SHA512
524b6e9cbaad98963ca9dbab9a75019962bcb2f229418ace13e01da4e6b59278806ae934fa55d25044aeac58650e7a3f4bab416ca01e58b35b9607049ed7ce50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fc63f023da0f596c00afc608afe4720d

SHA1
5badcb3300f5ade6d7e5dc8a7e0163b2b5c7382e

SHA256
6a354b607e05fe72d08821d2a9330c258d11bde8364900c37c5b201ac85fb9ae

SHA512
6ccd8f55bace0073239c0e92e405ff13b00c929bc7982d21613e51d58afc868230a3ed69a3a49661a38f1ec4825d3eaaf3896d02c942900aed7e0be7e0250c0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1c54a7130302574b1e64f877d819e7a2

SHA1
c3cec5b554a5a7ec0adf547b285850d5c74a4199

SHA256
108b4947b605c1b7c7e78aedfbb9904b80a37eb838f3de88b94ad1216be76c8a

SHA512
5bdfb9f365fa2c076a455a9378ea755e6aefaeb94eb890a9dfb1892cf4a37fd38e7a240001577bddfd7d61591148da3c774aee82565875c643847bbc1ecbf472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
07a8ae3b5d9a35b8aff06301ba8f2630

SHA1
b0c949ea6c988674f959ecbb28a9197600b545d1

SHA256
144851c5ba2356f293248763a83e47f0f9f16c22a51114535c57ee49f66ab335

SHA512
344605bc2a3c06b6579680c81da63fc76e3a261a6b6efd99e4e22a5946f6438d675d893bee6c0e6008c89cd8c48e2c41a20bb641434802e02bc4c92f5951ec82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7d3f275e808abe05901b7748647cd7eb

SHA1
274cccfcf31fdec4bc6c55d374639991ccef9389

SHA256
8dc41c805d98ffceb0dffe547f522fe1a327bbbb1494b43d5dbdd8d5605dd00b

SHA512
9bee6bee2de33815fe6e4b378e332efc98e5281d6942a307d58729425e548339d7f02a0427078e06fde9c40f9efe8773aac41a06aae8e43f562cb5ed46c80de6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4e7dc922f2a5641bbe6e99c4c9b75ab6

SHA1
2fa615c3871d337e25a4586ca2c7fa37dd5d6060

SHA256
0e2ba271791d1fcdd7dd379b419c16806db24240302c6ec16a70bcc24fd74e0e

SHA512
214581ac8ffc8730f7e15c0bf9ea2c443e13153f6f40440281c463d0d82d22ec7349b4e03a93935a241de3be8092bb10c05c2c4b5646c631e7d9c995b2664786

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b0e7e6ee432cd579f159057e646fb310

SHA1
7eaa81e0c9882986fa10dd4d3def14290aa6205e

SHA256
adec231b7cbc4cde6aa7223faeb9be953be03f57d3e9a48e4934dc6f8e9f2e58

SHA512
a7c0f9fde83c1e43b3920c1f31473af0e57971340d1eab663528b633d57b59b6143998cf44fd5aa477595e9f4beb6c5991568acf061f85dc8e51860bbd359d86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d0b9873eaa4ea1f48472d6bd92961861

SHA1
b30c08c2530e9db61ec9e796d4b71a7527c8be6f

SHA256
6b061cb3869ff12586d100efbe98b6dff108ddc2dfb8d5cc91ea105c2480ccbe

SHA512
0f4f7f854da13bcd8d7dcc00f7bd0ab14fe4c1e4d5a7a4d1ae80fb76a2cbe0340a8c9e3f4775499e020dc8b270f2915a539f91ef7e2500935b9bc4c513c85ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3d56d9ff070c725c883bfb8f56e48ee6

SHA1
26089838dd3f85147b826e116fa2dfa3eafff36f

SHA256
37710e08cdeb054384a704d9851fa1b60a86d48fe2412b10a31d7c54a8e699b9

SHA512
d75b13f7122d98ae7bee8c37f20e043170e1738cb211c2856ec3bd223a794b0b1578818d353490a6ac974bc1cf8640d32a8ab1dbfd6ae67e9d6928800abc135a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0fd359eb2a955a59f4511006f74a5814

SHA1
201d7d131d8869607505e108704db293ea328cd9

SHA256
1455909b9d83a93044e16f2c260745ead658f774d30c7822754343deb288217b

SHA512
6414f22309cb3b832752c62947a9aa1628b94a7c0b357ffc85d66c7f679b4429fd814f550f5f25227e134a49214d88dfa879be9e570dcab7494f03378f198609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a7d51542276dcadf722e2f8f1fb095a2

SHA1
2231c8a324a94c46a52f9fda5d7ad2218c8d7dd5

SHA256
5efc47f348b475aa169643613b1c6b9dfee9cf203e22bff94c69665ee5566bcb

SHA512
6564c78a1d4046837c7f69302be88e87626b27b1290bb29ae0d8f78b91af72c2aca4cb19ceaa92a3d0f1f54b3b1a97924f9e8e86e081d340ff3e6af60d0ec939

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
551f55ee95955372c42bba0151c5d861

SHA1
442503bc5e85066a37514ad6a0fe5aaa511cdd95

SHA256
a4a1ed85aadda8035c6a02d068b9316b8ce051357a78fdc8a4217d628fcc9038

SHA512
1740d91342ce0feebad9786d6414619dbd724462f26254f808c8750e0a28d67e7832ddaf663c80c2afe2dd028bdcd45e235ece1e3f8ff23c4931c22d0844af33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8131f55b84413b631e821031220deba2

SHA1
3b2a4402016bf3c95965965040fc1abb165ec713

SHA256
11eb62712e43b1e852bb55eca372fa4da97f8d32febae2da6918d79dda4b22b4

SHA512
cf8901325d8c072067f347c9ebf4050eb642579c9311c2d4acda0c602d2d047aa45e910c1d591241f8c2f402710dedeeb93f681d66fd13a9b8deef73bbe9a570

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dcec3f077c1840b55e02be956895c1b1

SHA1
14169a1b0b74a64f585561246f7a8f26f085519c

SHA256
41ffd44023f2862bcac01e69825e9e28d0b12179193bc45363efbca3802b85cc

SHA512
0117bdba0be69bf6da7c8b3c882c7293953a7f2a2002c221a762a2f388c9ef8ed33a552d204b9b52a3abb081dc280fa7bcb10a43c170fd13ebde757b5a88d93e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bfff04763396a96917eec6c2188f66f8

SHA1
ad16284ef5fe0734ed2dc7647ec391eb081910eb

SHA256
6066eff6ffb14a8f0b544be94b3b3149af91dc42a6ac07f951f4613d133c3171

SHA512
0533d58d710c999906ef9490a99e95bb63b118b95a5bc355969dbca9459908b011d68673574791780fa0b94b969a2a0df6230c19cb7aac617d61dccae628ce16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4dc9665ddd2cdf09e8ddda75c6737c9e

SHA1
cc0ec1cc46dd3b82690e5af5c514873fc04e1579

SHA256
56dda98a692a4459328de9268301e2bbaa5cb4029e9c4f9392fc678310f47ef6

SHA512
d8a6de87ea92dabc8abfdd0e6fc9e700a9bd41f6b10161c465d2f5bc790a2e68043069a431267f85060497545ee76b8fa872ad4a45f1488d0c451ae7213d5871

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
34acfc8c8b1438d322a1ebe0a74d54cb

SHA1
b7ff1cd005de9c3fd1ac3fb8e9b488660aa05ca3

SHA256
6b0a01e3283af72c7bfbbf9765a67a507fcf11014f80596741da51731e24f2ad

SHA512
e465013915bb8fbe2a38c06724d05f34e84997c0c6f97f98df7768f776c062e95379847b9df3f7c5808173dcec7342c3bca3c69349c2f2966bbcfdccd95d2ae1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
4f19df85272e8e9e259990aa0b1d012b

SHA1
4d29f1e3b5158ceb485a80b5a55c568b132143a1

SHA256
4ede47d2a2b80c7c97921611b0cb3397412c34480086af1dfc9ea7503d3f46b7

SHA512
547e09e58d13403ba5a66aec6a66b78657542d42fd3e6a70052260483486a81f3bc0e312c8855d94a3c6c0d122191913e73135e577d57502c9a032e5ec293057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
3a16ce313f0aedba14943c83ef4a853a

SHA1
e3d635fcf3471a638153e8756da3d3e06cf102f1

SHA256
0d6943432a32c38e203c1a2eace24145e470b06d9d73bdf3a82a32955124d00d

SHA512
a89b9b75ca9a0556eff3ddfc202ac17e3d78c2a5334b61a1f97d9aa802234b2bbcb43b20fe2440d45c6a742e69a4032cdae5e92e491d1a5b79fe21cdf475ae6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x86\SciLexer.dll

Filesize
943KB

MD5
2ff7acfa80647ee46cc3c0e446327108

SHA1
c994820d03af722c244b046d1ee0967f1b5bc478

SHA256
08f0cbbc5162f236c37166772be2c9b8ffd465d32df17ea9d45626c4ed2c911d

SHA512
50a9e20c5851d3a50f69651bc770885672ff4f97de32dfda55bf7488abd39a11e990525ec9152d250072acaad0c12a484155c31083d751668eb01addea5570cd

Download Submit
C:\Users\Admin\Desktop\Calamari\sxlib.dll

Filesize
864KB

MD5
d00e1627d7536022dd81aeb27577221c

SHA1
56a1f78e5acc89b97b02652f61a154265511ffcf

SHA256
904a9329bf56d110adec486f37411831a1148934a5ca4bbff9e33a1ca8ce5bcb

SHA512
d7cb95dd515f1edfde7e17681563bf5b709ac06f33805ce70dbcb76aca4ee34061c5201a54e1a92d67a1fb8f59512c8a64fcbb201fc88e5536001e40489dab69

Download Submit
C:\Users\Admin\Downloads\Calamari.zip.crdownload

Filesize
5.8MB

MD5
5321acff16bbe68a2942c9c655f9e4fc

SHA1
56f82061cb7d044c89470c01e7805cb2365c0bb9

SHA256
e232359fdbaa1d46dcf56a5715a0ba4c700c93fb310f551a4a3afa912afdaed1

SHA512
affb725177d76f3f8f86660f690e0d87a1a52198594334600d5c8b4a1653d6af83caaa74998e1b6c8a0e0891395acd2286cd03ecea26ea7b94694eac35279910

Download Submit
\??\pipe\crashpad_388_TACHPGKLMCYASFHG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2272-310-0x0000022211170000-0x0000022211171000-memory.dmp

Filesize
4KB

Download
memory/2272-284-0x0000022211420000-0x0000022211421000-memory.dmp

Filesize
4KB

Download
memory/2272-312-0x0000022211180000-0x0000022211181000-memory.dmp

Filesize
4KB

Download
memory/2272-313-0x0000022211180000-0x0000022211181000-memory.dmp

Filesize
4KB

Download
memory/2272-314-0x0000022211290000-0x0000022211291000-memory.dmp

Filesize
4KB

Download
memory/2272-295-0x0000022211030000-0x0000022211031000-memory.dmp

Filesize
4KB

Download
memory/2272-292-0x0000022211040000-0x0000022211041000-memory.dmp

Filesize
4KB

Download
memory/2272-289-0x0000022211040000-0x0000022211041000-memory.dmp

Filesize
4KB

Download
memory/2272-290-0x0000022211030000-0x0000022211031000-memory.dmp

Filesize
4KB

Download
memory/2272-288-0x0000022211420000-0x0000022211421000-memory.dmp

Filesize
4KB

Download
memory/2272-262-0x0000022208E40000-0x0000022208E50000-memory.dmp

Filesize
64KB

Download
memory/2272-246-0x0000022208D40000-0x0000022208D50000-memory.dmp

Filesize
64KB

Download
memory/2272-278-0x00000222113F0000-0x00000222113F1000-memory.dmp

Filesize
4KB

Download
memory/2272-279-0x0000022211420000-0x0000022211421000-memory.dmp

Filesize
4KB

Download
memory/2272-280-0x0000022211420000-0x0000022211421000-memory.dmp

Filesize
4KB

Download
memory/2272-287-0x0000022211420000-0x0000022211421000-memory.dmp

Filesize
4KB

Download
memory/2272-281-0x0000022211420000-0x0000022211421000-memory.dmp

Filesize
4KB

Download
memory/2272-282-0x0000022211420000-0x0000022211421000-memory.dmp

Filesize
4KB

Download
memory/2272-283-0x0000022211420000-0x0000022211421000-memory.dmp

Filesize
4KB

Download
memory/2272-298-0x0000022210F70000-0x0000022210F71000-memory.dmp

Filesize
4KB

Download
memory/2272-285-0x0000022211420000-0x0000022211421000-memory.dmp

Filesize
4KB

Download
memory/2272-286-0x0000022211420000-0x0000022211421000-memory.dmp

Filesize
4KB

Download
memory/4944-433-0x000000000E6D0000-0x000000000E824000-memory.dmp

Filesize
1.3MB

Download
memory/4944-391-0x000000000ACD0000-0x000000000ACE0000-memory.dmp

Filesize
64KB

Download
memory/4944-390-0x000000000ACD0000-0x000000000ACE0000-memory.dmp

Filesize
64KB

Download
memory/4944-386-0x000000000ACD0000-0x000000000ACE0000-memory.dmp

Filesize
64KB

Download
memory/4944-389-0x000000000ACD0000-0x000000000ACE0000-memory.dmp

Filesize
64KB

Download
memory/4944-432-0x000000000ACF0000-0x000000000ACF8000-memory.dmp

Filesize
32KB

Download
memory/4944-404-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/4944-388-0x000000000ACD0000-0x000000000ACE0000-memory.dmp

Filesize
64KB

Download
memory/4944-374-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/4944-375-0x0000000005DA0000-0x0000000005DAA000-memory.dmp

Filesize
40KB

Download
memory/4944-387-0x000000000ACD0000-0x000000000ACE0000-memory.dmp

Filesize
64KB

Download
memory/4944-373-0x0000000005490000-0x0000000005A34000-memory.dmp

Filesize
5.6MB

Download
memory/4944-372-0x00000000005B0000-0x00000000005DC000-memory.dmp

Filesize
176KB

Download
memory/4944-371-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download

pid	process
388	chrome.exe
388	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe