4ab6bea1ec09fdb63490036d754206d66b5ed12d2242519e0b24e41ed07a6c89

Analysis

max time kernel
599s
max time network
602s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250313-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250313-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
29/03/2025, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kaspersky.exe
Size

93KB
MD5

ab54e6c36ce4c5f741468fad657919e5
SHA1

39c0e66f651549f517b87bf1b8932f8e91dbeb23
SHA256

4ab6bea1ec09fdb63490036d754206d66b5ed12d2242519e0b24e41ed07a6c89
SHA512

a65052fbaa1f13d7d0fe1afb21b3921eaf4b2504170d6834b59165cb1636221d02bd16df81a972a2eb12c9238362a93be08541224da6b01efc4480610a10b4cc
SSDEEP

768:zY37g530YTXspgM0m2zGjpyDtdXWuDtXfLWh2XxrjEtCdnl2pi1Rz4Rk3ssGdpH3:agZ0AA0mT1mrWgLljEwzGi1dDkDHgS

Score

8^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1568	netsh.exe
2608	netsh.exe
4076	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2366915068-2945093646-1682508031-1000\Control Panel\International\Geo\Nation	Kaspersky.exe

Executes dropped EXE 1 IoCs

pid	Process
4056	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
123	0.tcp.eu.ngrok.io
138	0.tcp.eu.ngrok.io
159	0.tcp.eu.ngrok.io
163	0.tcp.eu.ngrok.io
14	0.tcp.eu.ngrok.io
73	0.tcp.eu.ngrok.io
75	0.tcp.eu.ngrok.io
105	0.tcp.eu.ngrok.io
177	0.tcp.eu.ngrok.io
41	0.tcp.eu.ngrok.io
90	0.tcp.eu.ngrok.io

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaspersky.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4684	chrome.exe
4684	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4056	server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: SeShutdownPrivilege	4684	chrome.exe
Token: SeCreatePagefilePrivilege	4684	chrome.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe
Token: SeIncBasePriorityPrivilege	4056	server.exe
Token: 33	4056	server.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 4056	3848	Kaspersky.exe	82
PID 3848 wrote to memory of 4056	3848	Kaspersky.exe	82
PID 3848 wrote to memory of 4056	3848	Kaspersky.exe	82
PID 4056 wrote to memory of 1568	4056	server.exe	85
PID 4056 wrote to memory of 1568	4056	server.exe	85
PID 4056 wrote to memory of 1568	4056	server.exe	85
PID 4056 wrote to memory of 2608	4056	server.exe	90
PID 4056 wrote to memory of 2608	4056	server.exe	90
PID 4056 wrote to memory of 2608	4056	server.exe	90
PID 4056 wrote to memory of 4076	4056	server.exe	91
PID 4056 wrote to memory of 4076	4056	server.exe	91
PID 4056 wrote to memory of 4076	4056	server.exe	91
PID 4684 wrote to memory of 2240	4684	chrome.exe	99
PID 4684 wrote to memory of 2240	4684	chrome.exe	99
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2288	4684	chrome.exe	100
PID 4684 wrote to memory of 2840	4684	chrome.exe	101
PID 4684 wrote to memory of 2840	4684	chrome.exe	101
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102
PID 4684 wrote to memory of 4604	4684	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\Kaspersky.exe
"C:\Users\Admin\AppData\Local\Temp\Kaspersky.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1568
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc8a6edcf8,0x7ffc8a6edd04,0x7ffc8a6edd10
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1992,i,16261925295464206388,9188888277272969120,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1596,i,16261925295464206388,9188888277272969120,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,16261925295464206388,9188888277272969120,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2256 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,16261925295464206388,9188888277272969120,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,16261925295464206388,9188888277272969120,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,16261925295464206388,9188888277272969120,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4456 /prefetch:2
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4672,i,16261925295464206388,9188888277272969120,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:2340

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b384c26e626412ded6f59da2d4fa24af

SHA1
40144717e9ceba7afb45e4f9170d382fb8b008f3

SHA256
05380e95b0ebcc002a7589d268cbfe8706bd42b8f52d1fca6c663c96c78968be

SHA512
90dc5441fa39a9f7ec2b7aa7fdfee4a717c1cbb287ea2c78c719df3380c0a32862962862847da32afcd7135997306cf1936c2b035e71d14a3457eaf107c8a72f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
519B

MD5
62af493d2d976627771d8784883c3589

SHA1
75382cdd1be812267a788c14c2bd7ee743e3aac6

SHA256
f980430378414044d9ebe8dd387dec2e259ddff8bb0a7d70c8fa8cb513a59e5c

SHA512
ea49dbcdd275ec633ad32621c9809ccbb54caf4631fcfd4a12bed56c5ba3f0737d41d76011d3c756eb9b92f8ac95845bff0ee3b53de4d892d66a722f5c98b69d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a5aa935f3f97ba42f70c87f71927b1cf

SHA1
ab19a1ed44b8fcbf7e7e206ef2d527e332c77387

SHA256
25a4cd21ddf0a33e2e42cc83c34178ab5a83da29f05bf6b96129f0a4e0131fb5

SHA512
b68134ccf018444dea5b91a741f1a08d8b4e342adab7d2782e9c769ec08ef7b1fd703c427bcc5d7606e12a008243b1cbaba6defe63465503c1bb9c136f860d52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e091281a33cdfea9f95a88a9d9fbd2fa

SHA1
41cdaea490db2b04e445e45faa4868c0e902168b

SHA256
5e3dbd47355abf1a9f16d09c2dec04cfe2311201abfd0b33bbfa53afc53e0c9f

SHA512
02ebd09368c0a0a3e99696b69b8ab8b3ae10714cafc19a70d26e1148159fd736841188958e4c1edc35621ad25a810288d2f195ab78e7454d2ec7ec0ad331b91a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
db182e3138cd0e4fca8f86dbc353afac

SHA1
8347cff9d40f63b888165c137cfa0f5a7c499bfe

SHA256
ed2c4480ea21681ec08edc698b160d9e17da71871be0bf85d0bacb1989df83df

SHA512
a106527fc86280cff0cefaab1a45b4b5a005c263dce699be9360d332d326d64b942e9dfeb3394911632c26fb235b611a034dfe2b6cf0bcd76712a4d1f4f84fa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59bd7a.TMP

Filesize
48B

MD5
037796c4722458699f6940b11e9c5557

SHA1
fea32827cc2d3efbc610411f1fbfadae49d9f145

SHA256
e897ae3e3df2df23e73f2de194fc319d720cdd2d66b4e83e4a2d1a3e6c56fae4

SHA512
74c70caa39a121ff5be8fbe2d1a1ee77c2821679f5e0a88f840ef2538aeb96a2db3f1903982a94d06cb4be090c926179fe73bddc8462a4fc42673e20b33a1780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
e757f3385b7489c9bba7a99bedd0c8f4

SHA1
30dc393b513fffef5098131a710197350cc613c3

SHA256
d789af2869c24c80335829c959d3dd0c195e2657afd00e9fb9fe05ce8104928a

SHA512
6fa11c7f2b9542214dbb1d482e811fafd4484d1fbba0d5c6be7bdf2bd2c9a2fd6745fc8ce788787e89eb142e758d9afb55dfe19b7c23463903b7687455c166c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
f845c60c114892c62e25a00154436f92

SHA1
f53a046bc3752cec48c13608ef46c7128fe21078

SHA256
c47e17c57356b12e38036f490200bb8d745ccdc68a9d6c865cf0d95179891a73

SHA512
fd435fdbd2461d73baf4953e5e9234ca8feac81373f654f6be82833741d88cc50463a0a6e8448ba4a584c4fd2b4ce5b8080b92384c3e3fee7a804a9115e2aa84

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
ab54e6c36ce4c5f741468fad657919e5

SHA1
39c0e66f651549f517b87bf1b8932f8e91dbeb23

SHA256
4ab6bea1ec09fdb63490036d754206d66b5ed12d2242519e0b24e41ed07a6c89

SHA512
a65052fbaa1f13d7d0fe1afb21b3921eaf4b2504170d6834b59165cb1636221d02bd16df81a972a2eb12c9238362a93be08541224da6b01efc4480610a10b4cc

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
112317d572ce0538d2d1b20d7f32170e

SHA1
c7f3714c4806b907bcff7f79aa1d1c9373b77d1e

SHA256
fd9e9a8be71786826787d6eb9aa28371d09b0515ddf0c19b082fe7bac57a88a9

SHA512
265dbebc83c74dc97770e650580b0321144990d133403bab2bc1de4618cde63dfd4fedfa56b5e4e259b510585db0f7a59042c356356c56bea3ac861d4be5337f

Download Submit
memory/3848-0-0x00000000745E2000-0x00000000745E3000-memory.dmp

Filesize
4KB

Download
memory/3848-17-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3848-2-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3848-1-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4056-21-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4056-18-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/4056-16-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download