Analysis Overview
Threat Level: Known bad
The file https://mega.nz/folder/iG4GlTRZ#Xa2tQ1iSr93n28K_EJWBMQ was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Umbral
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Sets service image path in registry
Checks BIOS information in registry
Themida packer
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Enumerates system info in registry
Detects videocard installed
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-24 23:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-24 23:05
Reported
2024-06-24 23:06
Platform
win10-20240404-en
Max time kernel
59s
Max time network
57s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Downloads\release\release\map\map.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Downloads\release\release\main\cheeto.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KdphrfJqsCLNXDdltpBWekh\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\KdphrfJqsCLNXDdltpBWekh" | C:\Users\Admin\Downloads\release\release\map\map.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Downloads\release\release\map\map.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Downloads\release\release\map\map.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\release\release\map\map.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637439519301399" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\release\release\map\map.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\release\release\map\map.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/folder/iG4GlTRZ#Xa2tQ1iSr93n28K_EJWBMQ
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff935d89758,0x7ff935d89768,0x7ff935d89778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2904 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5136 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\release\release\readme.txt
C:\Users\Admin\Downloads\release\release\map\map.exe
"C:\Users\Admin\Downloads\release\release\map\map.exe"
C:\Users\Admin\Downloads\release\release\main\cheeto.exe
"C:\Users\Admin\Downloads\release\release\main\cheeto.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\release\release\main\cheeto.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | eu.static.mega.co.nz | udp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| GB | 142.250.187.234:443 | content-autofill.googleapis.com | tcp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 5.144.216.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.169.44.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.13:443 | g.api.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 13.125.203.66.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| GB | 142.250.187.234:443 | content-autofill.googleapis.com | udp |
| LU | 66.203.125.13:443 | g.api.mega.co.nz | tcp |
| N/A | 127.0.0.1:6341 | N/A | tcp |
| N/A | 127.0.0.1:6341 | N/A | tcp |
| N/A | 127.0.0.1:6341 | N/A | tcp |
| N/A | 127.0.0.1:6341 | N/A | tcp |
| US | 8.8.8.8:53 | gfs270n078.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs204n070.userstorage.mega.co.nz | udp |
| LU | 89.44.168.219:443 | gfs270n078.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.30:443 | gfs204n070.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.30:443 | gfs204n070.userstorage.mega.co.nz | tcp |
| SE | 69.30.89.11:443 | gfs240n101.userstorage.mega.co.nz | tcp |
| SE | 69.30.89.11:443 | gfs240n101.userstorage.mega.co.nz | tcp |
| SE | 69.30.89.11:443 | gfs240n101.userstorage.mega.co.nz | tcp |
| SE | 69.30.89.11:443 | gfs240n101.userstorage.mega.co.nz | tcp |
| SE | 69.30.89.11:443 | gfs240n101.userstorage.mega.co.nz | tcp |
| SE | 69.30.89.11:443 | gfs240n101.userstorage.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 219.168.44.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.24.206.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.89.30.69.in-addr.arpa | udp |
| N/A | 127.0.0.1:6341 | N/A | tcp |
| N/A | 127.0.0.1:6341 | N/A | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
Files
\??\pipe\crashpad_3708_JQCGEUUIRLDTCVAL
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021
| MD5 | b1dfa46eee24480e9211c9ef246bbb93 |
| SHA1 | 80437c519fac962873a5768f958c1c350766da15 |
| SHA256 | fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398 |
| SHA512 | 44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 41722e33199b2f9fde089eccb17c7e17 |
| SHA1 | a9e512d5f31bf66231a97453f06992c7f4038236 |
| SHA256 | 033c88b30c1cf019f4139463f23fdd2210cc76f63ba96a37ad3872b10860f7a6 |
| SHA512 | 251b1f3b0f9efff5cc4161093b667ce8c2bf33e4cb170b674e7aca57962e5f24e111b9a95c78c5694b89785ed39258d8da2d87d5c20e84b12856b2894548621c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | bf4299f4e058664a0bc4012adf51a8ff |
| SHA1 | c89db86f2f4cd76778568b2cb7caa2afbbd25208 |
| SHA256 | 0293324db27266d2d0e4fe4e319553128c33568b3bb17bbbbb925b736d398737 |
| SHA512 | e570f926928ad9bd97fa9b654ab3bf7c3abc883657c7e561d43f8b874ab00a5f785a9b0ab2f430b03520203e9f450ce3f3bd1dd1636b7122f0557b7a0fb7822d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a02adfffc2fc81c5e6e9953894dc7f84 |
| SHA1 | 1e5e35484aeb07e3997bb5da26e1db694c0694ba |
| SHA256 | 7daf17b6dbc2a72c9ce5b5b0d8f9f77dc9821af0758aca452624bf0b92a5c20c |
| SHA512 | dfc7c6c55357496a791e9292c5c69bfaaa52946b320973d2eb0c9b62657773b23bd62ac29f36cf855eaafda9bafb743be435e014013134296e83ee4686cdb404 |
C:\Users\Admin\Downloads\release.zip.crdownload
| MD5 | 36d7d89f533951086328341f0c7138a9 |
| SHA1 | 88b2b8860dc1b9235f8d33dea6a35050a2602e6d |
| SHA256 | 5d7df54b987e4172e9a9d83d6f04a12ae2b28064fbaeed475d82a889590c19af |
| SHA512 | b25cd6e9aa6715d6e350ad54d01bea5cb9e4b9bf028be1d88f515e767cfcacb2460ded9bdc155bc75cf325fc9a6d2faafe831ee948b3464987774f86fbfba471 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
| MD5 | 9a77a2417a772ab2f991383c0928c652 |
| SHA1 | bdc3ac814f9fdd270fdd1a98991a7270cb8e3674 |
| SHA256 | fa924c45e7d4aeb568896da088220522a459fcbb2389a9d4e9b0fa842a46d9fe |
| SHA512 | 1ba51ad9d0921d2551d9a7045034706fec859888f7283006176b196c91262117ab5721253cbcdcb57725fce0e8dfd9cfd7334da1d9e6eda6ee38d447bc75f975 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1174d82e6bc6e2c8df4b755962b26248 |
| SHA1 | 770e9f3d15b8748de7f73da1003741e18a9e7703 |
| SHA256 | 442e1baa5bcceb6e0ffffa6b1bb96ec15d50832826f7b45a9ebb59e1bffbaa71 |
| SHA512 | 67522c917c94d4dcef8ed1c7d4da15a48ee5bd9a2586d2bfe545c05507faee1296ecba1093bed7c12bfdddf5421d07f76ec8f337f39ca74feb307e7c50a80682 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 5302ab4f2c602a6ab3734129bc26a170 |
| SHA1 | 26d4e07dd14bba0a7cbb108ff97065f7b06756c0 |
| SHA256 | 2ff94eab31d727a34c64e4de3d441bc851d17dce7104a4d9fd3359f0ad18fe4b |
| SHA512 | 667fadc98c849a6a059a5283e841fe9ec1d0e9ef6ea0a2a15049a1a88a28901902ba1784e744ed6cf4e8db1ce4c388c6abac03b7feb788fe57ebe34de582b978 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c36f.TMP
| MD5 | bb69059858951126c2c34ea8c8967b7a |
| SHA1 | 8606d8b9a900d48585bb32774295574b1474e1c0 |
| SHA256 | 2768fa53b55774749a4a4df37ddb6bc87c7f38084ad761cb184e363bf179ba19 |
| SHA512 | 529428dce8603199ae9bc88ce422af03a89a8d13d955b7b4287fab5790f0691e471555af11358c3efcf52706ad875dc0845a2fa658dc68f8ca9f91e1b440e6db |
memory/4944-220-0x00007FF750220000-0x00007FF750B36000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2ededcb0a3c41782348c2dc12a8029b3 |
| SHA1 | be485325a6cfb1339f9ec6a5109514bc5d4b4da8 |
| SHA256 | e5e638bdf2f9236c32019f6e482629bcf12699a4464414fabca6ce5ea528bd0d |
| SHA512 | 42449eb2d344728c352bc6133b3685ab1d8834ccea28c420d04827263ebb351f63aa25cb73b7de92ac0a7acb8519b12a99ca7d7a4e6cfb87e3f1dc71bafd228c |
memory/4944-230-0x00007FF750220000-0x00007FF750B36000-memory.dmp
memory/4944-231-0x00007FF750220000-0x00007FF750B36000-memory.dmp
memory/4944-232-0x00007FF750220000-0x00007FF750B36000-memory.dmp
memory/4944-236-0x00007FF750220000-0x00007FF750B36000-memory.dmp
memory/2008-237-0x0000029CE9B30000-0x0000029CE9B70000-memory.dmp
memory/1680-242-0x000001A3F17A0000-0x000001A3F17C2000-memory.dmp
memory/1680-245-0x000001A3F1950000-0x000001A3F19C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kzpuspm2.0jw.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8ea31fba2da65ce5e15ecf07f99d748e |
| SHA1 | f9b5237dc46a9cbe05cbb1a8276958199ad20ec4 |
| SHA256 | 7e7092d5bc556a562df2b1b3728cb6a1dcafdcf035973033e52c2d2bb286a4c7 |
| SHA512 | 1fae9748b05015449d588d8689e53d40722942c3a69baa2a5d36c7b177e5f52e6c62a7c95fa03355cbacb96cda429a1b888e8c4c97be1e7a807c964a102f9b15 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 577f27e6d74bd8c5b7b0371f2b1e991c |
| SHA1 | b334ccfe13792f82b698960cceaee2e690b85528 |
| SHA256 | 0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9 |
| SHA512 | 944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
| MD5 | af3520adb8c7e6f67e7c7da194a32e24 |
| SHA1 | 16ab88aae466c87481927d8e69706674dfb0e811 |
| SHA256 | 5aab39176d2e4bd06372565ec4fe5c3eed4714317115790582198681ca9de8b7 |
| SHA512 | 2a10475088d6732968592c66ff450ad9613513ad0334649c3177e842eecb95d6c4e69cab8fe0cff13bd4bf6a5d474a7d4df7705e00f778396a1ee09e7f7abfa8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
| MD5 | 52eb1e0e80e81f7b4cec775002fc7d28 |
| SHA1 | 615a0fe298b0801e940c1dc7e81207a056552b26 |
| SHA256 | 03f825a83b681164e2b667a1735f82182558055c73afec47042d9dd4d36c9e58 |
| SHA512 | 9d3a201548ac665d8badba6bdebf01b82976e4addace3c3b521bc64edeb1dcc7557d60e7636ce005f78b90c320c514caf00597b04ea0ef0d1acb0d7471530260 |
memory/2008-316-0x0000029CEB7F0000-0x0000029CEB840000-memory.dmp
memory/2008-320-0x0000029CEB770000-0x0000029CEB78E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4481ee26552f99b7168bf2110282e680 |
| SHA1 | dfb6f6678e71268095eb623cc826066ac5781a62 |
| SHA256 | f47e34a6682ea8c43abf397abaa87f97543785a11259f66b0a6694ce8a987c29 |
| SHA512 | 20fce4cbfe59782f6b19d8c12361987030a41daaf2a47629eb83104bc1f5c212074b8069fbab4c899f3ac4b0bdfa9f21c8d1b5851452fc984c57210b98436680 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
| MD5 | 961d7ee8dc78d66eca9276c76305a4bc |
| SHA1 | c93baeb8323bd4225b90477048eb14aeecc05546 |
| SHA256 | 9c866fb6a1d1a0da81d219f2f1e93c6e0257601cc26087e78fa6c2e02cfacc22 |
| SHA512 | 6db7e3ad7f1a60d3151cc3f53e0124858b46054a668d3bec9ec895dbd80df0b03213404f4c9c4430747b7fffa5c26775b720ee350d2642d519afbb0bfd6a5de6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bbc63b50dec399c4ed9911c112d323ae |
| SHA1 | fe52b8defc29deec0c5cab9d011d086f8e7cbfce |
| SHA256 | 70384d514db0a25d06682eb8b1cf9bce123b70d634adee79ad1f7e83253d610b |
| SHA512 | 284500c2f9904cca7ffe6ed6d5b4d7eceece7a56c1283317aa85d926e2c9a75c3bcf8ec9ccde51c2fac63e4ecb7ddf5a7c794a95d0d49dd43514bbdacd56ab4a |
memory/2008-386-0x0000029CEB7A0000-0x0000029CEB7AA000-memory.dmp
memory/2008-387-0x0000029CEB7D0000-0x0000029CEB7E2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bf74f98aa43cb2d651802169aa85d8b9 |
| SHA1 | 24a1f01795accb09aadc89479c26d6e3dc8daa70 |
| SHA256 | fd036d6e558ee05e270c2f7a0afca3952895a2807771518a65238df6e133d0f8 |
| SHA512 | 2028bb04ca3b01f2d7ee34791eb69a72e6d4ef257e15dd20ca77f0df5eaf1a32f5406f84c96424fc51acdb3374cef6407b96462dbcb7ca7ce194f544801e2c3f |