d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
Size

4.3MB
MD5

0ea4b3d116fc31e856a0ff9ede8e8211
SHA1

39ef55554a6981517ca64599a193ea68377b00df
SHA256

d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff
SHA512

d5f7a7ba1f8ad2d994e84f402ac6eeb5de5dd67de6d1aac9d427b765893f56792fceed6d4a841794285a2f7e264a6b0b15adbeb41c5cbe8b7b584c90e0b1363e
SSDEEP

49152:Fj8f3jtqiCLg9LK2hIOR+k9jdAsizqxSiZ4K5MZqkL92c6nkdmbDgiIerM1R6ZPs:erZ4K5M+XDgiIewG+x6xZ14J

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 3 IoCs

pid	Process
2388	Logo1_.exe
4720	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
264	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Document Parts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Media Player\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\130\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
File created	C:\Windows\Logo1_.exe	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133377004749595808"	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
3504	chrome.exe
3504	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe
Token: SeShutdownPrivilege	3504	chrome.exe
Token: SeCreatePagefilePrivilege	3504	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3504	chrome.exe
3504	chrome.exe
3504	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 1976	3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe	83
PID 3976 wrote to memory of 1976	3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe	83
PID 3976 wrote to memory of 1976	3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe	83
PID 3976 wrote to memory of 2388	3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe	84
PID 3976 wrote to memory of 2388	3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe	84
PID 3976 wrote to memory of 2388	3976	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe	84
PID 2388 wrote to memory of 3972	2388	Logo1_.exe	86
PID 2388 wrote to memory of 3972	2388	Logo1_.exe	86
PID 2388 wrote to memory of 3972	2388	Logo1_.exe	86
PID 3972 wrote to memory of 1296	3972	net.exe	88
PID 3972 wrote to memory of 1296	3972	net.exe	88
PID 3972 wrote to memory of 1296	3972	net.exe	88
PID 1976 wrote to memory of 4720	1976	cmd.exe	89
PID 1976 wrote to memory of 4720	1976	cmd.exe	89
PID 4720 wrote to memory of 264	4720	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe	90
PID 4720 wrote to memory of 264	4720	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe	90
PID 2388 wrote to memory of 3184	2388	Logo1_.exe	42
PID 2388 wrote to memory of 3184	2388	Logo1_.exe	42
PID 4720 wrote to memory of 3504	4720	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe	91
PID 4720 wrote to memory of 3504	4720	d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe	91
PID 3504 wrote to memory of 2748	3504	chrome.exe	92
PID 3504 wrote to memory of 2748	3504	chrome.exe	92
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 2544	3504	chrome.exe	94
PID 3504 wrote to memory of 1984	3504	chrome.exe	95
PID 3504 wrote to memory of 1984	3504	chrome.exe	95
PID 3504 wrote to memory of 1096	3504	chrome.exe	96
PID 3504 wrote to memory of 1096	3504	chrome.exe	96

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3184
- C:\Users\Admin\AppData\Local\Temp\d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
  "C:\Users\Admin\AppData\Local\Temp\d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a927C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
      "C:\Users\Admin\AppData\Local\Temp\d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe
        
        C:\Users\Admin\AppData\Local\Temp\d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff7f83f7688,0x7ff7f83f7698,0x7ff7f83f76a8
        5⤵
        Executes dropped EXE
        
        PID:264
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        5⤵
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2aaf9758,0x7ffb2aaf9768,0x7ffb2aaf9778
        6⤵
        
        PID:2748
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=2040,i,13525711918443162979,10259762954567510816,131072 /prefetch:2
        6⤵
        
        PID:2544
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=2040,i,13525711918443162979,10259762954567510816,131072 /prefetch:8
        6⤵
        
        PID:1984
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=2040,i,13525711918443162979,10259762954567510816,131072 /prefetch:8
        6⤵
        
        PID:1096
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=2040,i,13525711918443162979,10259762954567510816,131072 /prefetch:1
        6⤵
        
        PID:4052
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=2040,i,13525711918443162979,10259762954567510816,131072 /prefetch:1
        6⤵
        
        PID:4620
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4084 --field-trial-handle=2040,i,13525711918443162979,10259762954567510816,131072 /prefetch:1
        6⤵
        
        PID:4652
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4236 --field-trial-handle=2040,i,13525711918443162979,10259762954567510816,131072 /prefetch:8
        6⤵
        
        PID:3524
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=2040,i,13525711918443162979,10259762954567510816,131072 /prefetch:8
        6⤵
        
        PID:3508
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3948 --field-trial-handle=2040,i,13525711918443162979,10259762954567510816,131072 /prefetch:8
        6⤵
        
        PID:3320
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=2040,i,13525711918443162979,10259762954567510816,131072 /prefetch:8
        6⤵
        
        PID:1592
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        6⤵
        
        PID:4772
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6b53a7688,0x7ff6b53a7698,0x7ff6b53a76a8
        7⤵
        
        PID:2252
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        7⤵
        
        PID:2644
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6b53a7688,0x7ff6b53a7698,0x7ff6b53a76a8
        8⤵
        
        PID:3516
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=2040,i,13525711918443162979,10259762954567510816,131072 /prefetch:8
        6⤵
        
        PID:3820
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=2040,i,13525711918443162979,10259762954567510816,131072 /prefetch:2
        6⤵
        
        PID:5796
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1296

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.3MB

MD5
0ea4b3d116fc31e856a0ff9ede8e8211

SHA1
39ef55554a6981517ca64599a193ea68377b00df

SHA256
d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff

SHA512
d5f7a7ba1f8ad2d994e84f402ac6eeb5de5dd67de6d1aac9d427b765893f56792fceed6d4a841794285a2f7e264a6b0b15adbeb41c5cbe8b7b584c90e0b1363e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
c7230597ca16dd4709272c49a1d63158

SHA1
a3c5030684b7c39e894b50ebd778b5d3e69ba59b

SHA256
59ccf839e88266762a452679d678f50b1e35f81300001f681929ec54d0f8f01e

SHA512
de0c36f5edea397605fcd6dc24c8caefd3b7335ecef417b9ac5db100311218d3b896611a5ed2e68332d612cb3df8f8b443ee0eff7e0d540a052b6427dd44ff6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\_desktop.ini

Filesize
9B

MD5
ec7139d5bb99bcebaf0b91c58a9ec5aa

SHA1
70404362dd74e309722fd282c3492ec95674123c

SHA256
eb17ae1b1de9e95e0d159893048f2de5c1c158467e768cc0ddbaa517c45e0582

SHA512
b0114d8f74b17836819b750cff2b590b652e04bb2dc0e9dc8bffac7ed66bd9ded03cd35abc7fc0fcd0127a994c283dcd162e97e6dd76f5a903ff59e4951dfc48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
134633804d8cc2936baefd4f3e599d57

SHA1
73a4ec1b4bd8eacdea283e2b54c6bdb33d02b54b

SHA256
392e9dd1bfb8b7bce28d10eb875fa6145d7de305d92d23182b41b4896c6ea74c

SHA512
8d0ce365c189dfa6739c835828aabf119c07ba62bac4588924814dc2ca74a83c9bb68d5e261f1f777660546549037c58ba6e18c75eb7125e9a581a79b0441305

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
b52620b247a04a7bc862822c2c8db846

SHA1
4f8af72f2e57c361af70979a20cd25d2a182e0e9

SHA256
d4c40dcc45714fbaca2f8419ad7774946897611b94ea0947ba9d37e8ee40021a

SHA512
3a3720a4d7fb253c28a62bd2365c258eb7f03d47a0f7b61e59f30d411433a35a677fa81302018dd553f8ac921f9657fce38717fff0e39e844d89d476da8f0f93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
12d8c4bbfa1a58a5c28979f8e85238b5

SHA1
c69a2f673753955b5140d9fd514395fbcde694b2

SHA256
1b9108d55054215fd6aa570660457a6202f8412125b431f5141fb40b636d319f

SHA512
a29ef269304466c86ecf5c1509ea161ec6a65f9b16a4489469e9b18e498f8b00ebcfa5a65727a391c0d1dbccf0db59b936aabf179af05b6e532777a60f63880a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
eb2ab1e7a219c2afafd973c781cf13e9

SHA1
4717e2d9d15c02376d870f135c4058ea895c63c5

SHA256
0a7b94927ebe2fb87a63323d65831d55801ba7e3aa05564e696601fb52bd7283

SHA512
b368e14acb533a7be9195d6703d7c588dc58b9fce9dfe66c8269a3bf7effaaaee87392534f2443d6626782da4c5f00d6a4c42f2ce4037ce28c6f9430ae241e7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57c719.TMP

Filesize
2KB

MD5
4e34510db726e9efd5a0a84eebd11126

SHA1
427608b1653758528d51dfc0babb5aeeb48c87c1

SHA256
078cced8d023f7afc350a9f02ec2e5bf50dd0f1605a627472b82737f107473b9

SHA512
a80f54ee37dab49d8249301cd59184d308fa6c998eb70279ad8ff95b7947934bef81e8ad384fb5ccaed9fd5876acb30cd1035a8a32b0c6d89aed2af294700d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6e8a3fc1f8e32b453ceb27f43d985944

SHA1
34451047f0c3bbff743302e1dd9314b7a40f36bd

SHA256
90169d57e45764db3177d5b38b07ef217b3fe2b2b3f6dba442fd7182e63e6a39

SHA512
2e0d506aacc19c2ab64261ffc640376906c6ffc7c479bcd6b57ecdd4cf4bc9a9792e23316519c0f5d77d494a3fe4f1310c657bb42a2c2f022361d77cf864aee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d65de7ad-4bd3-426b-bbf6-b030451d95e1.tmp

Filesize
4KB

MD5
1c71f10828c55ce0d9bb6f4c6c0fdff7

SHA1
64b9d923bfa4d4c136e5561d10cfb113e469057e

SHA256
9ff8290ae91f348165b1fcf94bb28b689c275d4095c9215d66a7d89f34a6740e

SHA512
f5541648e2ee78085e6308c4468a0b836bc040312137912e13ab30cd5f73e63458d0d636dc7535215f1e3f62bc493a0459ecb926889ad23e1854793cc91cc7dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
177KB

MD5
c4656a6b5e19416c014551a490f1953e

SHA1
2966283c3375147892098b8f9da8abd23c61490e

SHA256
b96744bdf238b651bde9ffef334ad6810f9c70c1745dbdf120ca098ade62e310

SHA512
ad732c58365fbc8259d954b387e8f9ef1e0fea2dba92c00aed65728ad85477d04a4f8fd0a4cb370954f3a91fde2b71a72f5cc5ba88955cafb39848704942ed72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a927C.bat

Filesize
722B

MD5
e59e5819cfa4fd62fa162458588aa602

SHA1
6b50b82c54938c9bc28e2d3eaee57f3425bfa011

SHA256
c448d69621120455f2b8237fc7a209a25c328e3dae5bfeb7a62be6363ed6da0a

SHA512
76dc52679a5a738a624bb32a81537b9464bd1440976cd30b73f03363329c96610413310381831a34b06c7ffc1fe2067dfb216174f6e87e64c3e21c16aa318058

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
6f90600c6753c298155c8c551f98b881

SHA1
3be0cf771d972487222551d4fdec364b93c4334d

SHA256
1a3059cf52dd819c52bc9b87f85c9b7716db6c2f13839ac0b393d76f17bb56a9

SHA512
4a35269a5d30e43bdc1b841cdcb17e66ece3ab543f85ae514f530f0c17b00529f82c872769d9e98740293239c5db4424c5d3e7bfa56157e7eeef24dfa4a2a6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
59065834a639762a709e333b2b2f8dfd

SHA1
25b1bb94dc10ff900681dc4023f255d45d1aef89

SHA256
7c1742a2989fed748cbcf932269698ebf92a2ffc88aa93a5ce8b791cc87a26a4

SHA512
3bd4acace94f4bb052fe58696cbb692283d48f9b56f87462fb831e1a162b41f6c6d9a8dfd0f9169b2290a6a585c31804235cebbb8611624a9b9c61fd4f53ac8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe

Filesize
4.3MB

MD5
2161730a7ae00a1fb8c5020a43be949f

SHA1
8db6b820472cdfa266c874e0d3a9395412995aa1

SHA256
07e7896b2304e3b9966294a02d2ed32f41994ee7bd0a284e4160743edaeb9e15

SHA512
aa3659b6184f4273b7fcf1f7d2cd0a5a9129b8856d15e4ca8904b709e85cd432538ce0510ca9777760a1a9d5391671232a79908860e7d665260a54910f6fea5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe

Filesize
4.3MB

MD5
2161730a7ae00a1fb8c5020a43be949f

SHA1
8db6b820472cdfa266c874e0d3a9395412995aa1

SHA256
07e7896b2304e3b9966294a02d2ed32f41994ee7bd0a284e4160743edaeb9e15

SHA512
aa3659b6184f4273b7fcf1f7d2cd0a5a9129b8856d15e4ca8904b709e85cd432538ce0510ca9777760a1a9d5391671232a79908860e7d665260a54910f6fea5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d00f911b3ad3541ae8caea4ae79b81b15bab1fe99f8d4c189306a83a293bc7ff.exe.exe

Filesize
4.3MB

MD5
2161730a7ae00a1fb8c5020a43be949f

SHA1
8db6b820472cdfa266c874e0d3a9395412995aa1

SHA256
07e7896b2304e3b9966294a02d2ed32f41994ee7bd0a284e4160743edaeb9e15

SHA512
aa3659b6184f4273b7fcf1f7d2cd0a5a9129b8856d15e4ca8904b709e85cd432538ce0510ca9777760a1a9d5391671232a79908860e7d665260a54910f6fea5a

Download Submit
C:\Windows\Logo1_.exe

Filesize
31KB

MD5
2b8afcdb6ed4ca38b8acee22489318a8

SHA1
ae3ae4402adcc0ce43f95e09cab85fb3a3caad59

SHA256
2fc57cf6290f57609b6d8054e57e75481f4295526a25697229b8d47eb9a32e25

SHA512
feb6c4fac5c2a1ba6c062507184936749149813085f8d780a7bd87bdb87c6477b689a205434cd449d3edc0961f3eafc91d690debe32c1e76f543d633edc7e73d

Download Submit
C:\Windows\Logo1_.exe

Filesize
31KB

MD5
2b8afcdb6ed4ca38b8acee22489318a8

SHA1
ae3ae4402adcc0ce43f95e09cab85fb3a3caad59

SHA256
2fc57cf6290f57609b6d8054e57e75481f4295526a25697229b8d47eb9a32e25

SHA512
feb6c4fac5c2a1ba6c062507184936749149813085f8d780a7bd87bdb87c6477b689a205434cd449d3edc0961f3eafc91d690debe32c1e76f543d633edc7e73d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
1345af722e5aa9d5cfaa68e0d12ada17

SHA1
bcf04ccf6de318ae3263168510beffdbbe5cda34

SHA256
8523b11a24bc41c9ed8b998aa7905a3a92f064fa4baed25291c141bd64c14cc0

SHA512
ebe5e6decb33b7d3137fbb8622fb6a6fa937115484b5d9499478d2c6ac420b7b4fb86067d326372b13ac9a9ee87a099d70e1c19fc1e92f8b02ad89ec8e39014a

Download Submit
C:\Windows\rundl132.exe

Filesize
31KB

MD5
2b8afcdb6ed4ca38b8acee22489318a8

SHA1
ae3ae4402adcc0ce43f95e09cab85fb3a3caad59

SHA256
2fc57cf6290f57609b6d8054e57e75481f4295526a25697229b8d47eb9a32e25

SHA512
feb6c4fac5c2a1ba6c062507184936749149813085f8d780a7bd87bdb87c6477b689a205434cd449d3edc0961f3eafc91d690debe32c1e76f543d633edc7e73d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-618519468-4027732583-1827558364-1000\_desktop.ini

Filesize
9B

MD5
ec7139d5bb99bcebaf0b91c58a9ec5aa

SHA1
70404362dd74e309722fd282c3492ec95674123c

SHA256
eb17ae1b1de9e95e0d159893048f2de5c1c158467e768cc0ddbaa517c45e0582

SHA512
b0114d8f74b17836819b750cff2b590b652e04bb2dc0e9dc8bffac7ed66bd9ded03cd35abc7fc0fcd0127a994c283dcd162e97e6dd76f5a903ff59e4951dfc48

Download Submit
memory/2388-2039-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2388-5765-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2388-8829-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2388-2208-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2388-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3976-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3976-9-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download