revengerat | 0609543d20e58f2d96e03d4a87a04dfb37f59b12f47b0f752327c1db06e37b0c

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe
Size

578KB
MD5

fab060854959752071dd189e5e8f02ed
SHA1

08d9ec618c6c9e6d3544c9877edb63575981aba3
SHA256

0609543d20e58f2d96e03d4a87a04dfb37f59b12f47b0f752327c1db06e37b0c
SHA512

edd8f4baccb95e25f771e1e9d077aa1fa1290d4fd467b5e54944c37673f40b05e499253ef1a74d09991fd8678fd9b44143b6bab2e09ade7b29705029d4088c2b
SSDEEP

6144:UKlr3FcfCElJk125U8SpVUagDsvb6mgmw4sFfTysVufBn597NX2I:UqVcfXlJkE5YVUjuOjysgfBnnl2I

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x00070000000234d5-6.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	ocs_v6z.exe

Executes dropped EXE 1 IoCs

pid	Process
1040	ocs_v6z.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133719256516334209"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
468	chrome.exe
468	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
468	chrome.exe
468	chrome.exe
468	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	ocs_v6z.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe
Token: SeCreatePagefilePrivilege	468	chrome.exe
Token: SeShutdownPrivilege	468	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe
468	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3300	fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe
1040	ocs_v6z.exe
1040	ocs_v6z.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 1040	3300	fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe	82
PID 3300 wrote to memory of 1040	3300	fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe	82
PID 1040 wrote to memory of 468	1040	ocs_v6z.exe	83
PID 1040 wrote to memory of 468	1040	ocs_v6z.exe	83
PID 468 wrote to memory of 4784	468	chrome.exe	84
PID 468 wrote to memory of 4784	468	chrome.exe	84
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 1720	468	chrome.exe	85
PID 468 wrote to memory of 4916	468	chrome.exe	86
PID 468 wrote to memory of 4916	468	chrome.exe	86
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87
PID 468 wrote to memory of 3716	468	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fab060854959752071dd189e5e8f02ed_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe -install -806691 -dcu -38047d8c737f43bb833845079fbe9836 - -ChromeBundle -roqshaqslgbnjapp
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcu&cid=806691&appname=[APPNAME]&cbstate=&uid=5c924c59-6c4f-4f14-80a1-1c9439f2a479&sid=38047d8c737f43bb833845079fbe9836&scid=&source=ChromeBundle&language=en-US&cdata=utyp-31.userid-626231663862653734616339656135336564633564306562.ua-6368726f6d652e657865
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffebebdcc40,0x7ffebebdcc4c,0x7ffebebdcc58
      4⤵
      PID:4784
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,10116437449640074426,16831727813650927409,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
      4⤵
      PID:1720
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,10116437449640074426,16831727813650927409,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2168 /prefetch:3
      4⤵
      PID:4916
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,10116437449640074426,16831727813650927409,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2240 /prefetch:8
      4⤵
      PID:3716
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,10116437449640074426,16831727813650927409,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3060 /prefetch:1
      4⤵
      PID:5116
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3068,i,10116437449640074426,16831727813650927409,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3100 /prefetch:1
      4⤵
      PID:3948
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4504,i,10116437449640074426,16831727813650927409,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4544 /prefetch:1
      4⤵
      PID:3988
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5148,i,10116437449640074426,16831727813650927409,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5164 /prefetch:8
      4⤵
      PID:1104
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4660,i,10116437449640074426,16831727813650927409,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5196 /prefetch:8
      4⤵
      PID:3264
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=836,i,10116437449640074426,16831727813650927409,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5156 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3800

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
aee98c62fbcbf5f4fb5e9ad4ce96bf93

SHA1
43db194a227004ebdda092b428a91ab1911aab9c

SHA256
ad2c88c7b91c21e99901f2a7ca2a088ec28022ff55302f091fb0c0fc612a949e

SHA512
c2096c13951a12d1fde51eedc36a1a15bc5ba8a8482dfd27d68301b6fc2660646974de267e88435045d6765885cf545264c99cbb20057b4e47e1c70a8c55bb0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0ceddb55a580517c103e14e26e6e08a0

SHA1
9b3fd09cbd7136b3b3a64b1611fb21eab8687a17

SHA256
ff07c3b7cc5efeaa22cafb5abf842b6fd81bcfafa30121940853ad8921b4ab16

SHA512
4b9e1a94fa89b3a4f44d5338bab02015a9b92fa8aa1f6cafa5fd8b61500f0b63fc78b6447910268fcb3c928ecf79489226254d711fb8ef916e0dc246306bd2a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4b9c811e569a467c64d6acacc4915f97

SHA1
45d80473570e4d25b26f0ad5a261bbd32975159d

SHA256
509c13293b926c7c178d45e14d0289f0cae6eabcd3f13a8ec1fa64e5b458d3e8

SHA512
af73cfc6fbb4d269675b22559808e60964e319c51c519470fb9a4ea4bbac7062e182daf151ebca30cbd3fd4fa04923b4e55819b45bd6161d7f8ddfb082db8a6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
19070d9882f404b4253ef3683b65df89

SHA1
9c0ad05733588b460c09c455c2d291811e76733f

SHA256
f575b9db31ec89b9e918da0f829cbd3e89adba470576ec80780a41a76b04e98d

SHA512
dac3ec823bbbe6dfcb094bc7181820f0c59d7fdab933e8b10561e3eee2dc14635cc2c1df7cd82f21ab41910ba4115dc23125cf089d9605992f9e13a96652e791

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4001b26b03e5af8519a84e022da6a603

SHA1
d8ca9c4261fa4e7e3ae6ff50e6b7cfe24aa36b79

SHA256
05ee4507ecc965c48fb4f571190cfcefea6425c136580441fe315db32d750615

SHA512
085dfe6a2c68348fb59992eea3cd12f7873f8e580b10d2926f49ba463c7bfc70d82caa45b598357bb562f2bfbbeca76b8201d53c60b632e80a28052fb3b1847b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
55344d4da8e9a19247a415c9a425e04d

SHA1
3ddccabbbc9c8c56b94dc4ca1dbec0fa746cd7e2

SHA256
873df1b04b05c615a7a854f8dfcd5b38a93af23f19128e0ba7732a6df8fc567f

SHA512
ccd72bb33569086690b33f689b1b7c50310a455bf7f3f57fea47cb1475a77e8b8268996f3d44b5f52b3ce86a5d84f31817c2940f9ff4a401c7ffd782aa5d4836

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c04160ef8145aa8cb83bf866a27db95f

SHA1
ac9a68fd7828dd6909d2e03a5b58494da7ebe61b

SHA256
33610f7f20888c6acc26c0e469d90d018571cf91d8207acf8766916e62a6c8fd

SHA512
59411e8ab0d7bc7fee8cc7e48ddf9f02f4a3a92cc6c1e77235c15826a49e0b94c32f286aec24981b4eb1c7db9a20f26a2f6529c210bf2f4035650f9b86c976f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d6eee48104d2b694ef4576bbbb7e7c7

SHA1
ee5a1c24d38fe9ed2bf2c5de88be5f4fcde2d4ac

SHA256
c601abfb818913e59ef8e0d063e2a28662d9edd4cbbb1fc5f32a8884243dc716

SHA512
f97ddbffabc1ba3de87aabd13e601a5ea76b717d23dde99cc458396bc2eb16e59ef62c40648165ba9ac2edc64461da0837c39b4a194b4b6ece127018c2544280

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
56af4fccd9af74d2b3f0a010e78d5fe9

SHA1
3d6e2c81ef4324b3288351d61d44bfb7ad380950

SHA256
813c5dada5a0889c86872b240caaad18f24440cdbc0762c4801f4273c1c457d9

SHA512
67677105929de48f86686158548b3482ca574b266d3f4116e611d14905e280fb603c2190d6b8cb0c2c37cff4f1a512262551a25e1540a4a621a7bc78dc5855c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
20dff4a1e66fdbdbda6863c7087e0a17

SHA1
bd3246e78b9d65da7f22f960a21ad08e5b0c312e

SHA256
e04130ebe7dbd10dbd1134562dfc1946f5d99396d9fdbf523707d1c24cb65818

SHA512
e2b85c155d093b93b0412c2c11a9df0f86eec3f1854f796556c7ebc0a20558395ac3857006e7c60f51e3af0a5e31cb6cf3f620a322c59eae41639ad17f97129e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
8b4079dbc673118994148fc70d2b2287

SHA1
5b45142446a23b475bc3f064a0868b9b3e358435

SHA256
f0aca57517146bf85990a94380b48aa1c19e2e1741495e0e2175924924fefd37

SHA512
7850259b25965ec365bdba677b04bdac20578dec48a9b17e566d80c9d04fd87fc61ebaada5ce86e7e35aebf3d79f255d8466544a54c432d03ea4b79edde1548c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe

Filesize
312KB

MD5
09f02c017e40a998537f26d0caee8d22

SHA1
7676d2f17068a9050bbbbe10908e75bc5d59b631

SHA256
fae6c9cfda16a9f4587b0041156a7284bf7cb1fc48e1e34f33b50ebc2d00e2d7

SHA512
0c7d4fad92bb7478e277f6c56e0e0dbd665171a7bea06a6668d9d0120c5f171cbcec37c60b6354a286192f2f0bbf104ccc5550159e863ee03cc2e23243eb93c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\roqshaqslgbnjapp.dat

Filesize
89B

MD5
9ede8209fd0d5d08a54b06331d0dd050

SHA1
0467285ff5da75f5004b696945a9b3aff23dc20c

SHA256
83a9bb057e5fac5a27dfe83aaff2698141ec49717ad093d07af5c4e080a26aa7

SHA512
3491f3680e70637ee6f7991a526552b065b66043881178bcda32a17929aa2e35352f44ac930b678de14aa2964ce0ff5b75767d13c5038aa7d3c61c3d35758c13

Download Submit
memory/1040-18-0x00007FFEC1250000-0x00007FFEC1BF1000-memory.dmp

Filesize
9.6MB

Download
memory/1040-22-0x00007FFEC1250000-0x00007FFEC1BF1000-memory.dmp

Filesize
9.6MB

Download
memory/1040-17-0x00007FFEC1250000-0x00007FFEC1BF1000-memory.dmp

Filesize
9.6MB

Download
memory/1040-28-0x00007FFEC1250000-0x00007FFEC1BF1000-memory.dmp

Filesize
9.6MB

Download
memory/1040-16-0x00007FFEC1250000-0x00007FFEC1BF1000-memory.dmp

Filesize
9.6MB

Download
memory/1040-20-0x00007FFEC1250000-0x00007FFEC1BF1000-memory.dmp

Filesize
9.6MB

Download
memory/1040-19-0x00007FFEC1250000-0x00007FFEC1BF1000-memory.dmp

Filesize
9.6MB

Download
memory/1040-14-0x000000001BC80000-0x000000001BC88000-memory.dmp

Filesize
32KB

Download
memory/1040-24-0x00007FFEC1250000-0x00007FFEC1BF1000-memory.dmp

Filesize
9.6MB

Download
memory/1040-23-0x00007FFEC1505000-0x00007FFEC1506000-memory.dmp

Filesize
4KB

Download
memory/1040-21-0x00007FFEC1250000-0x00007FFEC1BF1000-memory.dmp

Filesize
9.6MB

Download
memory/1040-13-0x00007FFEC1250000-0x00007FFEC1BF1000-memory.dmp

Filesize
9.6MB

Download
memory/1040-12-0x000000001C740000-0x000000001C7DC000-memory.dmp

Filesize
624KB

Download
memory/1040-11-0x000000001BBD0000-0x000000001BC76000-memory.dmp

Filesize
664KB

Download
memory/1040-10-0x00007FFEC1250000-0x00007FFEC1BF1000-memory.dmp

Filesize
9.6MB

Download
memory/1040-9-0x000000001C1D0000-0x000000001C69E000-memory.dmp

Filesize
4.8MB

Download
memory/1040-8-0x00007FFEC1505000-0x00007FFEC1506000-memory.dmp

Filesize
4KB

Download