8274f641196b8fbee842b526a5d38b0f42eed5ce3b3081f49c56da827dd73175

Analysis

max time kernel
88s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

95KB
MD5

2c5949bf0cd96709dcd7a697343ae789
SHA1

0be47b60083a92dbeaa93bc5a9c3b7f4dfa5e6f9
SHA256

8274f641196b8fbee842b526a5d38b0f42eed5ce3b3081f49c56da827dd73175
SHA512

8e8ee83e6688cb0ba9aa3ca7eb5807d0d78ed218efc946b909a6db0913962547b08ce8aa47d483b1622df4a32aa15474625150cc6af871a866baedd6012fc783
SSDEEP

768:K7LeNXwlhgDZKUHZanCE8qlmeXBKh0p29SgRtrb:K7LE705KhG29jtrb

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2956	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	Server.exe

Executes dropped EXE 1 IoCs

pid	Process
3708	Trojan.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8515eb34d8f9de5af815466e9715b3e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8515eb34d8f9de5af815466e9715b3e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Trojan.exe\" .."	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587986807897429"	chrome.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
608	chrome.exe
608	chrome.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe
3708	Trojan.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	Trojan.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe
Token: SeShutdownPrivilege	608	chrome.exe
Token: SeCreatePagefilePrivilege	608	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe
608	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 3708	4228	Server.exe	86
PID 4228 wrote to memory of 3708	4228	Server.exe	86
PID 4228 wrote to memory of 3708	4228	Server.exe	86
PID 3708 wrote to memory of 2956	3708	Trojan.exe	87
PID 3708 wrote to memory of 2956	3708	Trojan.exe	87
PID 3708 wrote to memory of 2956	3708	Trojan.exe	87
PID 608 wrote to memory of 3472	608	chrome.exe	101
PID 608 wrote to memory of 3472	608	chrome.exe	101
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4340	608	chrome.exe	102
PID 608 wrote to memory of 4552	608	chrome.exe	103
PID 608 wrote to memory of 4552	608	chrome.exe	103
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104
PID 608 wrote to memory of 1812	608	chrome.exe	104

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Users\Admin\AppData\Roaming\Trojan.exe
  "C:\Users\Admin\AppData\Roaming\Trojan.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Trojan.exe" "Trojan.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffccebacc40,0x7ffccebacc4c,0x7ffccebacc58
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,3584110083995502613,7371101868430818177,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2204,i,3584110083995502613,7371101868430818177,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,3584110083995502613,7371101868430818177,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2316 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,3584110083995502613,7371101868430818177,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,3584110083995502613,7371101868430818177,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4636,i,3584110083995502613,7371101868430818177,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4500,i,3584110083995502613,7371101868430818177,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4504 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5104,i,3584110083995502613,7371101868430818177,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4612,i,3584110083995502613,7371101868430818177,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5056,i,3584110083995502613,7371101868430818177,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5300,i,3584110083995502613,7371101868430818177,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5196,i,3584110083995502613,7371101868430818177,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:2160

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c07a734c97e3c09261633335e904aa16

SHA1
d24f48003654608d75412de8b9a000fe3adee9ee

SHA256
95b330a59c9d905b553a0c8b85705c1dc3ab1bca3b7daf1d03694159bbec195b

SHA512
a3dfb2e2270c41d58ffe91777ef548914e922f3ce88f4a9d7dc60c027e25c350edd2b6c3927c465c2e99be5268cfb86bfbb26ea827a686ce4909ccf247bead51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0cc31354b546da8f7f2005a37cb7a4c7

SHA1
2d6e59445d6c8f2fcece698870ad6a16cb3d9f8c

SHA256
82e89623654c4630a15dfcaca26ed1a2326ac92c50789b93d96a4606434760e9

SHA512
fada32d709b46c33eaab16bc279fd0d27558d892179018cade2f8bf83242ca7b613a85eedab5a0cb19cc18ac6835325b1cb5cb21f5003fda9c0c89a4e26b0898

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
01b9e8261fb3b67e25103c02cf3a1c20

SHA1
eaa5aadecaa3808d41765b507c94e569423f6fa2

SHA256
09a21343ea1fbb979dc8270f7c228f12f1adaa4c6563695f93abe2ce69bd6999

SHA512
d2485b5cf48d7068e5aacbe5b117d2211b93088be3b5abd3cb8d6b0cbb5557c09074b6d0ebe818ee83933f1a754f2e619b6ea37ce196cb82b1ec78f5ead4251a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
83afd06bef7fc04a2ddaffcda1a806f3

SHA1
2122e0aab4c09e8161a7dc5caa431cace828ba58

SHA256
d10404f26e17b56e8d06aea518dea36ba29803457f5ecdf76d0e8ee4e08eccf4

SHA512
519fb3fee89a3d7bb8df10af8e96ab0139b17798f7f5a6dfcf9fbcf787fc85c6fc75ee96114697123612555f79d6e43b0edbf845c1bd1f4f1ea3d825b4e8945d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
05603de11d314e0cf532572428d8d7f7

SHA1
e95430b0a81986d13679ec6e052801801ede7f63

SHA256
739d54fac534e2f2e1e4ce666beb7c1cb1f8efc848ad6db67cc0091e9b544690

SHA512
03f8a5766d01b7a748d784f0d0a21cf2b7ee257d20ba1be41fb9676d91641cfc7c4b3c52a6f171dd12a64c5998575d81d9bca18d81a42d34306957df56213801

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
4c30e2a97206693ff7c90e85c8712f12

SHA1
788445ad36eb721623564a9c3d4264f33095ba18

SHA256
e2ba73f9b60bb019966fc0b4873fc35cc128be8f13197df8ffe11eb443b61bed

SHA512
478dcc1c5b5d2dc769001eafde0355f1508779c2a285bc0cc2d33b4aa2d8fc9447c048cbdc45314f38fbc0e69b6579c0e04a486319fe1765e4be981779daf2e8

Download Submit
C:\Users\Admin\AppData\Roaming\Trojan.exe

Filesize
95KB

MD5
2c5949bf0cd96709dcd7a697343ae789

SHA1
0be47b60083a92dbeaa93bc5a9c3b7f4dfa5e6f9

SHA256
8274f641196b8fbee842b526a5d38b0f42eed5ce3b3081f49c56da827dd73175

SHA512
8e8ee83e6688cb0ba9aa3ca7eb5807d0d78ed218efc946b909a6db0913962547b08ce8aa47d483b1622df4a32aa15474625150cc6af871a866baedd6012fc783

Download Submit
memory/3708-15-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/3708-14-0x0000000001690000-0x00000000016A0000-memory.dmp

Filesize
64KB

Download
memory/3708-12-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/4228-0-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/4228-13-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/4228-1-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/4228-2-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download