c4a55442f94c323e1ff4f74ef381ccc96bcbfe6bb6e963bdc81d6f0801b447f4

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script.vbs
Size

1KB
MD5

97a14839c26069d86a75ebb377ab7c17
SHA1

17c67fc8c31734bf3c09bd1e95bddd5a0e98e9f8
SHA256

c4a55442f94c323e1ff4f74ef381ccc96bcbfe6bb6e963bdc81d6f0801b447f4
SHA512

620cc6c942bf4db2e50b1ce5c3c96de63423dd014c2a87dd94d03620fbbd5bed6014599c521ffe17cad1a92c70fb4c765e0331c3eb1bf65b65888bccbcb686e4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2752	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133606961344573895"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	WScript.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3312	notepad.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
956	chrome.exe
956	chrome.exe
3068	chrome.exe
3068	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
956	chrome.exe
956	chrome.exe
956	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe
Token: SeCreatePagefilePrivilege	956	chrome.exe
Token: SeShutdownPrivilege	956	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe
956	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 956	3080	WScript.exe	85
PID 3080 wrote to memory of 956	3080	WScript.exe	85
PID 956 wrote to memory of 3484	956	chrome.exe	86
PID 956 wrote to memory of 3484	956	chrome.exe	86
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 4948	956	chrome.exe	87
PID 956 wrote to memory of 820	956	chrome.exe	88
PID 956 wrote to memory of 820	956	chrome.exe	88
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89
PID 956 wrote to memory of 4768	956	chrome.exe	89

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=Bye+computer!
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9aa29ab58,0x7ff9aa29ab68,0x7ff9aa29ab78
    3⤵
    PID:3484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1856,i,7278931395245806781,8683931617808115227,131072 /prefetch:2
    3⤵
    PID:4948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1856,i,7278931395245806781,8683931617808115227,131072 /prefetch:8
    3⤵
    PID:820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1856,i,7278931395245806781,8683931617808115227,131072 /prefetch:8
    3⤵
    PID:4768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1856,i,7278931395245806781,8683931617808115227,131072 /prefetch:1
    3⤵
    PID:4228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1856,i,7278931395245806781,8683931617808115227,131072 /prefetch:1
    3⤵
    PID:1628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 --field-trial-handle=1856,i,7278931395245806781,8683931617808115227,131072 /prefetch:8
    3⤵
    PID:3508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1856,i,7278931395245806781,8683931617808115227,131072 /prefetch:8
    3⤵
    PID:880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1856,i,7278931395245806781,8683931617808115227,131072 /prefetch:8
    3⤵
    PID:4432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4656 --field-trial-handle=1856,i,7278931395245806781,8683931617808115227,131072 /prefetch:1
    3⤵
    PID:4328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2620 --field-trial-handle=1856,i,7278931395245806781,8683931617808115227,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Note.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3312
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im notepad.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\wscriptexe.vbs"
  2⤵
  PID:4472

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
7dc437b429869500b76482e87744a74d

SHA1
e0cbdc7eb207726836bf68e49f291ba658f254e0

SHA256
2110430869a09babf25292b7ad3cd4335bb4fc581cf6b4d7c2335a3202675974

SHA512
2a5980429045cb2f460feee27bed6d0583cf640f86cb2ec8828b94e466f6bd1fa2b9d6c89ab8badb2da5422f62748229796aba831361ae72adbd2712b5a1e4a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
97d93d0ec1896c3efedd45a348b35ca3

SHA1
70bb872827d686fa98d55b67d964fe03ee6a8f8b

SHA256
329d513bab1db6fd03c629a033299aaa552780a738e225ebff673ecc47c4e690

SHA512
ebee7c0b29c6222dfab891edcf3be195b2dfe64cc12336a294c24f7aca7219fce8c128d6fba0c5d93cf355d8d9669638193ecc148dd32eb31229e738a9d1d841

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8cc7223d92cf7d1628553b6e4a57d084

SHA1
94c554a886eb1beb701dcb2eb20eb20b5c538153

SHA256
494b8440ae0186c810ae5f7354d71755bfc3303b3ba73a129780c59aae431938

SHA512
72813522b144c237bd14cc6c6e23d505c5f7d724d774c353f3104c5daf769e0f866b9f4f02b714af9f5e471eca111e7bec6c5143dd01eeb1fc7388c99901538f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b74c6bd83230836bc0740e52408510ef

SHA1
c0b7c73e0936f100bea7df34890a96daccfe0175

SHA256
caed94b4d884859cdaa7ca107ebc54e85d465999075ef14974c7181dba0b214f

SHA512
11fc764b07a2172546a5a1f6f87de13d1a1cb2afb156e464769230452660f5c09418c7621b848ae85827b242ed9be3076398727e0bf7dedaa9ae47ba135a485c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
27e4bd9c52d4468f7ee2043f03041818

SHA1
8d90c8e45c4299cd646db1a141867aba38ffd055

SHA256
879743b613567a0d0f0fe77b1c2fe4f2d74535b65dd81cbac818541bc006d85f

SHA512
fe48e50f890a24e4000af592dee7f934ada3552808a002f77ec8b697ac7c95b52ea3066cb2847937dd0fda264adbf85464dbf2eb7d0f17db68650277ea25c7e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d52cea44-7c04-47c7-915a-e292f06c573e.tmp

Filesize
260KB

MD5
901ca5501d315c9d22f7ba650423bb93

SHA1
55edf1d1e367b7708f108786c7deeb4b8a406da8

SHA256
574699996284c22eb09b9a8f978e2664402a968102504be61b29f7715618b79e

SHA512
b935ac4c8a8a61ed87e0cb30ca749caba4f221c7c53d6bfc506fda6f442335fc951dd0faa4ffcaa58d28f37b7ee67a10b1c781fb05f90a347b123b89e5dc962e

Download Submit
C:\Users\Admin\AppData\Roaming\wscriptexe.vbs

Filesize
648B

MD5
c001fd80c8b02c85680712b8e3d89d5f

SHA1
d0eef2d6e37b6b7741f8ab4871b74b63eae917df

SHA256
be3e33d8a39d71b24b737cd9291bfbb417cd40867adc88089b54234d974af4c9

SHA512
cf7c424a1640a6acf7d7569d430df2b953db45eda06deffd1116a7567c26e3e0a1bf22f80082bd7682f791501ee25ab73a83e133481f9d2f52b57e379d96dd13

Download Submit
C:\Users\Admin\Desktop\Note.txt

Filesize
110B

MD5
5db850e057649101fd4257e31952d389

SHA1
73e4f5fc85c59cd19583a52f692c9f92967d0782

SHA256
1c41ed4e5b4c5bf2bad238bcb633a7db35b9e60de4e3d21d3f1bb4f1b2716011

SHA512
4906a80d315c2e56475ce26009bff021d9f45efda26b72fa56fc037a6e766d5917dbec504b725fd0a4f50e60e41ed75c84ab612ab0456873e340586e6a0f194c

Download Submit