Malware Analysis Report

2025-03-15 00:03

Sample ID 240923-tmf35ssbnk
Target 2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch
SHA256 4fb369ab0a11c70be0d8861c2483623a1e0f91ca62445985d64b3fe6b37349a1
Tags
hackbrowserdata discovery infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4fb369ab0a11c70be0d8861c2483623a1e0f91ca62445985d64b3fe6b37349a1

Threat Level: Known bad

The file 2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch was found to be: Known bad.

Malicious Activity Summary

hackbrowserdata discovery infostealer spyware stealer

HackBrowserData

An open source browser data exporter written in golang.

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-23 16:10

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-23 16:10

Reported

2024-09-23 16:12

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-23 16:10

Reported

2024-09-23 16:12

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe"

Signatures

HackBrowserData

infostealer hackbrowserdata

An open source browser data exporter written in golang.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\script_cookie_encrypted.exe N/A
N/A N/A C:\Users\Admin\rate.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 212 set thread context of 3752 N/A C:\Users\Admin\script_cookie_encrypted.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
PID 5112 set thread context of 4076 N/A C:\Users\Admin\rate.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\script_cookie_encrypted.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe C:\Users\Admin\script_cookie_encrypted.exe
PID 212 wrote to memory of 3752 N/A C:\Users\Admin\script_cookie_encrypted.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
PID 1880 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe C:\Users\Admin\rate.exe
PID 5112 wrote to memory of 4904 N/A C:\Users\Admin\rate.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 5112 wrote to memory of 4076 N/A C:\Users\Admin\rate.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5112 wrote to memory of 512 N/A C:\Users\Admin\rate.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe"

C:\Users\Admin\script_cookie_encrypted.exe

C:\Users\Admin\script_cookie_encrypted.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"

C:\Users\Admin\rate.exe

C:\Users\Admin\rate.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 52.252.190.167:56001 tcp
US 8.8.8.8:53 167.190.252.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\script_cookie_encrypted.exe

C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\CURRENT.bak

C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\MANIFEST-000001

C:\Users\Admin\AppData\Local\Temp\Local Storage\leveldb_7.temp\CURRENT.5

C:\Users\Admin\results\chrome_default_extension.csv

C:\Users\Admin\results\chrome_default_sessionstorage.csv

C:\Users\Admin\rate.exe
