Analysis Overview
SHA256
458d463a638840beb8ba3de4af72fa733373c004b83c32158277027b66dbeba4
Threat Level: Likely malicious
The file main.ps1 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Modifies file permissions
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Drops file in Windows directory
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-04 12:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-04 12:30
Reported
2024-10-04 12:33
Platform
win11-20240802-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\control.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\msconfig.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\regedt32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\taskmgr.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\regedit.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\notepad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725187202056040" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\main.ps1
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\explorer.exe" /A /R /D Y
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\explorer.exe" /A /R /D Y
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\explorer.exe" /grant administrators:F /T
C:\Windows\system32\icacls.exe
icacls "C:\Windows\explorer.exe" /grant administrators:F /T
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\regedit.exe" /A /R /D Y
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\regedit.exe" /A /R /D Y
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\regedit.exe" /grant administrators:F /T
C:\Windows\system32\icacls.exe
icacls "C:\Windows\regedit.exe" /grant administrators:F /T
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\notepad.exe" /A /R /D Y
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\notepad.exe" /A /R /D Y
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\notepad.exe" /grant administrators:F /T
C:\Windows\system32\icacls.exe
icacls "C:\Windows\notepad.exe" /grant administrators:F /T
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde544cc40,0x7ffde544cc4c,0x7ffde544cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1848 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2140 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2196 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3268 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3588,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4428 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4628 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4736 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4296,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4696 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,17907026513461649610,17520004158712331024,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4932 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| GB | 142.250.178.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| GB | 172.217.16.238:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yorizonq.yp5.ps1
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f7bc6773-0c24-41aa-8972-a8420771d3a3.tmp