3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe
Size

4.4MB
MD5

07a95b7e6cf8d701311c5c03de734891
SHA1

c08d5097589fefbf7f6ee6adf7175937def481d6
SHA256

3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27
SHA512

4cc930e805dba6865e38ae336ba6ab38fdcf122537d8a4936947581982024bd239265ad728398ae0cef3e6d4936e9ceb21fd9b26d3cc2eba6286cb53822a1df0
SSDEEP

49152:h7Gw6B1nqR4S2Vc2k42DCbLnr0ieR02Z/K0tCJaMIPh6vRPPZAKCoZOBz0Xk/VTX:wESXTeDZ/K0tQPZvCoZm7qiiW/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4568	Logo1_.exe
3872	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe
1912	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Text\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fi-fi\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe
File created	C:\Windows\Logo1_.exe	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133578723908791232"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4536	chrome.exe
4536	chrome.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
4568	Logo1_.exe
3784	chrome.exe
3784	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe
Token: SeShutdownPrivilege	4536	chrome.exe
Token: SeCreatePagefilePrivilege	4536	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
1276	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 4736	4452	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe	85
PID 4452 wrote to memory of 4736	4452	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe	85
PID 4452 wrote to memory of 4736	4452	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe	85
PID 4452 wrote to memory of 4568	4452	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe	86
PID 4452 wrote to memory of 4568	4452	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe	86
PID 4452 wrote to memory of 4568	4452	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe	86
PID 4568 wrote to memory of 4020	4568	Logo1_.exe	87
PID 4568 wrote to memory of 4020	4568	Logo1_.exe	87
PID 4568 wrote to memory of 4020	4568	Logo1_.exe	87
PID 4020 wrote to memory of 5032	4020	net.exe	90
PID 4020 wrote to memory of 5032	4020	net.exe	90
PID 4020 wrote to memory of 5032	4020	net.exe	90
PID 4736 wrote to memory of 3872	4736	cmd.exe	91
PID 4736 wrote to memory of 3872	4736	cmd.exe	91
PID 3872 wrote to memory of 1912	3872	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe	92
PID 3872 wrote to memory of 1912	3872	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe	92
PID 3872 wrote to memory of 4536	3872	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe	93
PID 3872 wrote to memory of 4536	3872	3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe	93
PID 4536 wrote to memory of 4496	4536	chrome.exe	94
PID 4536 wrote to memory of 4496	4536	chrome.exe	94
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 3272	4536	chrome.exe	96
PID 4536 wrote to memory of 4900	4536	chrome.exe	97
PID 4536 wrote to memory of 4900	4536	chrome.exe	97
PID 4536 wrote to memory of 2144	4536	chrome.exe	98
PID 4536 wrote to memory of 2144	4536	chrome.exe	98
PID 4536 wrote to memory of 2144	4536	chrome.exe	98
PID 4536 wrote to memory of 2144	4536	chrome.exe	98
PID 4536 wrote to memory of 2144	4536	chrome.exe	98
PID 4536 wrote to memory of 2144	4536	chrome.exe	98
PID 4536 wrote to memory of 2144	4536	chrome.exe	98
PID 4536 wrote to memory of 2144	4536	chrome.exe	98
PID 4536 wrote to memory of 2144	4536	chrome.exe	98
PID 4536 wrote to memory of 2144	4536	chrome.exe	98
PID 4536 wrote to memory of 2144	4536	chrome.exe	98

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3340
- C:\Users\Admin\AppData\Local\Temp\3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe
  "C:\Users\Admin\AppData\Local\Temp\3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2A2D.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe
      "C:\Users\Admin\AppData\Local\Temp\3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Users\Admin\AppData\Local\Temp\3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe
        
        C:\Users\Admin\AppData\Local\Temp\3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.81 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff7f02446c8,0x7ff7f02446d8,0x7ff7f02446e8
        5⤵
        Executes dropped EXE
        
        PID:1912
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        5⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4536
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3e61ab58,0x7ffe3e61ab68,0x7ffe3e61ab78
        6⤵
        
        PID:4496
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1984,i,843854146579966239,2662984692411221876,131072 /prefetch:2
        6⤵
        
        PID:3272
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1984,i,843854146579966239,2662984692411221876,131072 /prefetch:8
        6⤵
        
        PID:4900
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1984,i,843854146579966239,2662984692411221876,131072 /prefetch:8
        6⤵
        
        PID:2144
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1984,i,843854146579966239,2662984692411221876,131072 /prefetch:1
        6⤵
        
        PID:844
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1984,i,843854146579966239,2662984692411221876,131072 /prefetch:1
        6⤵
        
        PID:3908
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4268 --field-trial-handle=1984,i,843854146579966239,2662984692411221876,131072 /prefetch:1
        6⤵
        
        PID:208
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1984,i,843854146579966239,2662984692411221876,131072 /prefetch:8
        6⤵
        
        PID:4336
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1984,i,843854146579966239,2662984692411221876,131072 /prefetch:8
        6⤵
        
        PID:5024
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 --field-trial-handle=1984,i,843854146579966239,2662984692411221876,131072 /prefetch:8
        6⤵
        
        PID:712
      - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        6⤵
        
        PID:4540
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7a718ae48,0x7ff7a718ae58,0x7ff7a718ae68
        7⤵
        
        PID:4888
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        7⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:1276
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7a718ae48,0x7ff7a718ae58,0x7ff7a718ae68
        8⤵
        
        PID:1516
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1984,i,843854146579966239,2662984692411221876,131072 /prefetch:8
        6⤵
        
        PID:3204
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1984,i,843854146579966239,2662984692411221876,131072 /prefetch:8
        6⤵
        
        PID:3076
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1060 --field-trial-handle=1984,i,843854146579966239,2662984692411221876,131072 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3784
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:5032

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
6857cf81210ed5170930e5bda86d6bd8

SHA1
ede7b5e8d0f1efdb00c6b92b236c17691711ee00

SHA256
b37d268c2acb836286ec3f52b67679701a4900d807dbac3fe9981f89a8d6e7c3

SHA512
2f15d5a55dece454405db3403d305b5b8f91e6465afb9852a1ff6709ab3009c4b8ded694973643e6bb126a9018d0dd8a65ba7cc1ab0fbd05650637c0cd992b3b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
8d59d582fbbb186f068c2bbfab86bd18

SHA1
7c9851aafb449128fe95bbd8d22c2cb36a9d7ca3

SHA256
7b9a392a5997a7c3539c6663c51f132c678ade99ef36318255babd2ceec896ca

SHA512
bd505d2443e1f262584101c844399c2e0b6d6bead4ee5634be8f73d137bc16bd7c29a4053450be5d180b9172895fdd2439048d5142c1fa5c684f5e086b40b092

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240418000631.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a251e7d8920ad0ae50087d3903f218d1

SHA1
89a40725b1fec22d61561b2286720638ac0f6625

SHA256
6045f9f01ec3f769a595569f236cec5f057170f13aa5c7f8f01df1cd687725d5

SHA512
0b3c16211e1da01608cab5853c907f5c061d22aad2f83aa990fd5e27b08cca8147c0b0f02af9c91e10b7dd8f9d658360a0d73900b0c101fd2a6758386007bc7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
17225ffca0ad90511533a5db1373d6c6

SHA1
9a89efee21305f00dba0379d96b601f84486e5eb

SHA256
dbb743308c4e58f23bdcffde8aa83ebf3fcd2659b4b12e2f8765269d65c12224

SHA512
4269d73413ef08cbb6766a6e3bb8a901cb191f3cb8746cac012a15915144717faac728faa18d525cf3ac986e241b7424282357cb19352617df7baf8bfabdce6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7c3bbe72106309d90a1f9a15f062070a

SHA1
9679f93507cda6c2e2e1cc0a2298005d003e2066

SHA256
35c35d7058ceb7658a96e1808eac661780f542d431a063f4d3c2a8e0d5d9b89a

SHA512
2abbc176a16b4b85df5b336ba9469a7a6016c9f4077df0d5673148fe4ee15a71004153d3c58e2fe09bc2e68502a48f11b7b6657213d46bd4960fd1919d76e88f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fd96ac1d9ac9d129b177231fdf800d20

SHA1
32164d4f573e6d5a15a8ec01acb7ec43933a049e

SHA256
a764b6025349de84099d7527cb66759756cfc322be055e95badbdd0ccec9726e

SHA512
939699d5ede9e890beb161658e274c4662fc99543733a152ccd1e424708ccf9a2e6fe5dac1156364f8802c7b260bdd4339a1d536002b033b511ed06f3b75cc8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5753fc.TMP

Filesize
2KB

MD5
c541d6caf1eba2f47a57217be76c5517

SHA1
6fbea28eb3c243a578e6d904eddf794b51c5869b

SHA256
1e5a9517f8e3940d71f3321f9075ca8bca5bb1e82eed3bf223d0bf265b960b6e

SHA512
bc9e7551a58873b1df732905c27e112c830a71bb725170c4e45e3c21a2f71822cc3ce48f9041fbc21d2fdbea8f5c8537e5d027fcffc6d2c67dfae7449e25e739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
45192e3ea06f032d6ddb01cbe4f1e2a9

SHA1
267178045910a97cddb4eb30b572924f1647483a

SHA256
7b457056c30903281a0c604ba8438ff8fe0cc8679416ca44230ef74821bdf4ea

SHA512
e62b8d977e55da223a17b1ec6926b8964b7a3e8a583325d87f0916c7d629df83c2062b1a36464b4382888ea381ebe19371e883683987aa154b04a2b48d185a01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
101a404ffc3ca36a23732631e024b234

SHA1
b6b05d26ee05660dd27f43f6cc5a6492b13b683f

SHA256
9fa9df1c4f9e664573c5f603a9cf481c8cbd59faf6e43233a8845b2db0ae43b4

SHA512
b7c6c274a13ba175805e3cca642f6d709e3157317f6d41aa2f148508d1f3d830d6f38a8d7925d9e5a9d9e496ee8b7a9a7bea00c29af722bc5493307767b11e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2A2D.bat

Filesize
722B

MD5
98498feb6a84a484b9ca4c9d0524bc5f

SHA1
87d7bc7f539f1b92f4347462d0e1224563541970

SHA256
9603745668facdb60f143ccb20d08c09aa80fb1f3e50088f80d28bf11be29bdc

SHA512
7c4a7cfa3df9d57dcc26141c9b60945a48643d17ceff6858d3df8e0c04d7f745f1c04e572a39f6e67b4e577f7095c4c47fac4fcc4b1618b1be9ae54f48d3dfc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3404b07a501ed92b0c3f0c9bcff52207b88665729e2623be73b62c08d9eefa27.exe.exe

Filesize
4.3MB

MD5
01b5f624498a90c3f5ab35c6172b3946

SHA1
8503d15e7a62a080ce18785bd7b78dc7d0af1e4a

SHA256
620879c1168a6760677990ef6536b6aea15ebeb0f370522c81c5117b311c798b

SHA512
a384ddece111df65a104d0969d46287de3b677f34aaf5adffb336373ba1d462d0516de0c83d6c86162d861e1f8a53d4c5af0761aaa82aa2bd54ec02d3f043764

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
0b8ee469d986ebf82cb70cec0f51c937

SHA1
f3beaddf9fb7f5ef7064400afbfd6d759e81e482

SHA256
c9320b5d3febbd02b006bab4ca4b64b8a1d0954bdc59edee2e3f42b02ee94bda

SHA512
10f473f147aff8d808fcd452f480f33ad5685f3ffdc17363a3965696a4b9dc46f92ea0a2be49230eb1b52c07cf49932899af4ed23cfd83d2e976f00f708c0f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
acd1ba1a0917f6606d075fe297729a01

SHA1
cbd44ec14613cbc86121ea16f78f9dc04d42b8f5

SHA256
44e6f830f84f8ff2d472dbdb394e6310499c14f47070cc609c352fb878337b04

SHA512
1de4c2423f11e94252717e02cef1cb60039829d20a9200999e8744cbc6c1665b0640e658e58b9c352d7759b7938b318df94bd3e513ae89d5c36bdbeadf122f15

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
8798ef6c65ae81379131a4b496ca5f7e

SHA1
872c6836ef2bc03c931cd6eb09d88253b7595f66

SHA256
3bb3b43db951b65389a3026ee287f6b5eab1fade33c6035b83d9e8be80a92dac

SHA512
7f11f550a995d623555f3b75a506137f44b340caceff986b57e306f10587a1361d80532ee673695e84085685cebb7ed2fe05598f03b1c970e40d053dd53e0521

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
522df09671ae433429bbcaf7252be0b6

SHA1
61ca04f9f4e85e8568ad48873b678d1e513cf1e6

SHA256
280a84c5c19d1271eeed9e7b9b3673a1981aaa57f14c4fd4b13ba86d8673869d

SHA512
f62deed71d60fc03149e67987af7a52bf70ede79171316883d37f3f01ea2b6c4973a677798812609030400f9d4acc0e3f3a52284e3ccfe5212e90cc019107319

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\_desktop.ini

Filesize
9B

MD5
72b7e38c6ba037d117f32b55c07b1a9c

SHA1
35e2435e512e17ca2be885e17d75913f06b90361

SHA256
e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

SHA512
2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

Download Submit
memory/4452-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-1351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-4916-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-5360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download