dcrat | 064df3f50dd20e9ab6bfa026fbdde8fff714f6ed31b117df251d10af0e34fcb5

Analysis

max time kernel
99s
max time network
145s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03/11/2024, 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driver.exe
Size

3.2MB
MD5

fa8ddfc3a3f06a423ea8065a19ea10f0
SHA1

ee4f298825ab6155a572d9e683cfd3847f48beda
SHA256

064df3f50dd20e9ab6bfa026fbdde8fff714f6ed31b117df251d10af0e34fcb5
SHA512

3669a3941b852ee3e162312bfc10d7cb82ce1b3f3f9e195a1e0c43ffa415be04cfd2dd6ddb4ed75fdca11e8d670ca36026ae68383bb6717791c34c9a1fb7b645
SSDEEP

49152:ubA3jGN2Bb3Rv0MgWaVCjoE+siJb//7Kb81+cgMfK6mQ/7Svbr79r3/d:ubFN2TmCn+sEjKuS6mPXJrvd

Score

10^/10

dcrat discovery evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x002800000004506b-13.dat	dcrat
behavioral1/memory/864-16-0x0000000000170000-0x0000000000460000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	driver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
864	Hypercrt.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133750664341392921"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Local Settings	driver.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4696	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2420	chrome.exe
2420	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	Hypercrt.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe
Token: SeShutdownPrivilege	2420	chrome.exe
Token: SeCreatePagefilePrivilege	2420	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe
2420	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1240	2516	driver.exe	82
PID 2516 wrote to memory of 1240	2516	driver.exe	82
PID 2516 wrote to memory of 1240	2516	driver.exe	82
PID 1240 wrote to memory of 1272	1240	WScript.exe	88
PID 1240 wrote to memory of 1272	1240	WScript.exe	88
PID 1240 wrote to memory of 1272	1240	WScript.exe	88
PID 1272 wrote to memory of 864	1272	cmd.exe	90
PID 1272 wrote to memory of 864	1272	cmd.exe	90
PID 1272 wrote to memory of 4696	1272	cmd.exe	92
PID 1272 wrote to memory of 4696	1272	cmd.exe	92
PID 1272 wrote to memory of 4696	1272	cmd.exe	92
PID 2420 wrote to memory of 5056	2420	chrome.exe	98
PID 2420 wrote to memory of 5056	2420	chrome.exe	98
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3296	2420	chrome.exe	99
PID 2420 wrote to memory of 3340	2420	chrome.exe	100
PID 2420 wrote to memory of 3340	2420	chrome.exe	100
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101
PID 2420 wrote to memory of 4808	2420	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\driver.exe
"C:\Users\Admin\AppData\Local\Temp\driver.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\NnyRwt97J7dLQPfM8F3.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\ElcXSVDGSnDQH5.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\Hypercrt.exe
      "C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\Hypercrt.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:864
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff9d1a3cc40,0x7ff9d1a3cc4c,0x7ff9d1a3cc58
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,17842899293499854231,15996434514515672488,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1564,i,17842899293499854231,15996434514515672488,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2320,i,17842899293499854231,15996434514515672488,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2328 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,17842899293499854231,15996434514515672488,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,17842899293499854231,15996434514515672488,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3332,i,17842899293499854231,15996434514515672488,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4668,i,17842899293499854231,15996434514515672488,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,17842899293499854231,15996434514515672488,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5056,i,17842899293499854231,15996434514515672488,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,17842899293499854231,15996434514515672488,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:1768

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d90368c6393b8d76d1a86ba5ddd28309

SHA1
a1777c594744ae77c7c0b5a11eb1c9e788d65264

SHA256
089c47d3cc8fb783006248feab472eba7307eddae337c24269706bb7e5d02d9b

SHA512
31ab8992c58bec1ee286c0cdedf7d80b79bcf6074cc2493edd499ecaf2cfb2df1ad266e9d16c6c2b443165a69adda7876a49c552d647769297e4f6c04f14f0a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8064570c8f55e989593ec826c53c0989

SHA1
fd1f352c6b87aae906f2859afd4ab11293951ebc

SHA256
bba0e5ab9d6acecba7a4aa9e89c4f715b6731be251d7194c4357db6bcead862f

SHA512
13144971043fb6c76f71dcd20a1da4d3a431007c39bdc4c6433569cd77245b2e373aa361481ffa2bcc642cc52e98ff25d8d24030af272f67ed0bb47b3fa87afd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8c5ab4807fa77021bb86a0ae0ed3afaf

SHA1
2950bfe5360454d57b190954d235e6b30113e31a

SHA256
fe116be78cf97898156398b1d414f275251f62254807108a5f210c8ca4815b9f

SHA512
7c2001604221ca11008cb1d4b828f7e13f0440df11cee3696becad43791559aa43b38dfeb9590cc60d03fc6077aa38b918ea40d22ae538d9ebea09f3aae5401d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31edf9555d772172ce31b9a06ede8540

SHA1
3aa9d914e7baf069a354428ebac7a20886c425af

SHA256
6c40cc07a24d9a91477f580103f24637e60f6dcc90b5c173ce7babb86af828e8

SHA512
4b36397a52d5632c7b8708e2d253a7318fbf466552cfaa307a33cc010df2adb58b429e99426df310139d78289b14df30433a5516995078fb77fde2b4bf12fc96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0663e14468e7334b25b54677507c0ae3

SHA1
6235625f06fcc2d5c26c21bd0ae38166cd7919e6

SHA256
cdbc372db5c11282e9c2330855a58cfccca5498c525fdf74263b9849100ee9b9

SHA512
1efcae5cae62b0697a6601c3de485771058fb84c4dbac67887db76ff3ef66efa29d558d40b3ffffbc607c151f7f4e052e3e0c9ae07de6f33baf524cf1c0b8d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f797248ba8fe203ad875969b9cfad1af

SHA1
ae4a9f8618080b8af1dbaf5dcd7a34541c23d1a9

SHA256
577650f32294e0e245b1275b75d0bc9c47c27db44ef43dfe081a4c68df035177

SHA512
9d6f152a7311f2824e0d67aa97b562933917a7511e0723dc1cb20a9c3f08f19a388e30b40e415db7ae088a194f8d7b084f65b6d0e83ab145c105a66ea8781cd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
c53c2a997bac9fca600d901ddcc8c50d

SHA1
71eaf57f2ff36f96f73c1a4c0ffbe3d61e232edd

SHA256
8bad8460c9309caab53a38da3dc6d96e76b6c233f9706a8f1d611937a4472162

SHA512
81d5663ede224acdffddf6364845c6826f53c9765ba4bb5681ac9fb70b757e5d0e652ddb0b7fc393de29e137e91653776ba8e8b62b01048040f7865ce35279e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
b5284e6991b8e482a8b538d0c63e706b

SHA1
d962578d9c2213d507b200e318988f308b7aa89f

SHA256
d26f498ac373f8628ad0b731bc4e6f27a35b6ecb085389fb0d1ff19ae6b1410d

SHA512
ce7e34fed03708c9f3ceb4bfdf09a7febf66f054f49e8a863625b98098c04511e9e230a5b70f0b118fbe27c26620d2c607af5cd1fd532a6e10cb649992cb8ed2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
120KB

MD5
7b90e8bd2a2452b5c7035641c14266d3

SHA1
04b105a9fb8a41b7094cc12dc459abcc443ce4ed

SHA256
55cea0dd1a691ea4e27227e578354f013eab7a04220c18eb42168aaa0bd1ff09

SHA512
20c17cdaf48569a1fb92a2028c113be67fb2bfb45137a3e64520d1dfcd7a3db8236c0c90706c69b7b1d3a4ae74978fa9c6a1f731c54cdddc5cd1c1ff48135799

Download Submit
C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\ElcXSVDGSnDQH5.bat

Filesize
156B

MD5
f8d5537ca8e4ade91d9c424bbb742743

SHA1
dab5d089087714f3c12937af5cd4a12735f7d041

SHA256
d993620d870902006f29993bb6f7e4500d7a41b6c86ac13e184b003b9bb802af

SHA512
93fde7b826d737895aabe929ffc4fa1cb435853467804a7e037b8b55e8ef554a2da1d9ffac4246325c54d593b40afe0ba0404459138fdf743165d307fdd2a1fc

Download Submit
C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\Hypercrt.exe

Filesize
2.9MB

MD5
3b1705a7b64014017e0e6b4cbd5ee850

SHA1
4f2235b1397e19e1bea4427d373c779aaaa02446

SHA256
f2416af1c65f284dd53304d87a004f801053e3652aba703e37db90aae0beb35b

SHA512
7296f8be245e325fa4683add3319642b4cb3ec5c595c26cab3cee0ddfd33239561f870a4bc0e848ac73aa0148c5056a5152407f9ad5cc98ee35d8073766d4d00

Download Submit
C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\NnyRwt97J7dLQPfM8F3.vbe

Filesize
217B

MD5
9255fcce2e09a40b0013f5d3fc62e667

SHA1
85e0e8939015fb0a3a97983fd89152e64803c580

SHA256
147aa686cc834ffc2d00a9e0e255dad8cb7454591ba72e1d4d62e14c0179e24f

SHA512
b1c983b3348a88a526fd0cc5c03f3f1edae12b5184a6d019a5a4c0dfd255e01a5999337da99983e0aa4eb2390f535419b08962a115d984a499de41e33bb21e6e

Download Submit
memory/864-15-0x00007FF9D1723000-0x00007FF9D1725000-memory.dmp

Filesize
8KB

Download
memory/864-16-0x0000000000170000-0x0000000000460000-memory.dmp

Filesize
2.9MB

Download
memory/864-17-0x0000000002570000-0x000000000257E000-memory.dmp

Filesize
56KB

Download