e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
Size

4.1MB
MD5

19e39e02d05aaf110ea196df080d0013
SHA1

01e1c9f44b55182b066c009197131cb379c03300
SHA256

e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c
SHA512

eaa966b4108f06014deca5f7e67ddc233fa0a900b229992ebdc359f1c6dbf38a84ba146b62a530068ae27b1a885149a4b21eeaf95ce0cb7d7b8361fe9efc9128
SSDEEP

49152:Z7uTEk9yZGTrRJlfOI3vO1hVWV8O2f5wK4mjPuXVQb9ZQjFur5+YJsFQqSqACStU:0lONWWO2f9uiJ3/aHC31

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4560	Logo1_.exe
3336	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
4404	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\View3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sl-SI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
File created	C:\Windows\Logo1_.exe	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609189797860758"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4876	chrome.exe
4876	chrome.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
216	chrome.exe
216	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
3204	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 3768	4552	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	84
PID 4552 wrote to memory of 3768	4552	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	84
PID 4552 wrote to memory of 3768	4552	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	84
PID 4552 wrote to memory of 4560	4552	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	85
PID 4552 wrote to memory of 4560	4552	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	85
PID 4552 wrote to memory of 4560	4552	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	85
PID 4560 wrote to memory of 4516	4560	Logo1_.exe	86
PID 4560 wrote to memory of 4516	4560	Logo1_.exe	86
PID 4560 wrote to memory of 4516	4560	Logo1_.exe	86
PID 4516 wrote to memory of 2448	4516	net.exe	89
PID 4516 wrote to memory of 2448	4516	net.exe	89
PID 4516 wrote to memory of 2448	4516	net.exe	89
PID 3768 wrote to memory of 3336	3768	cmd.exe	90
PID 3768 wrote to memory of 3336	3768	cmd.exe	90
PID 3336 wrote to memory of 4404	3336	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	91
PID 3336 wrote to memory of 4404	3336	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	91
PID 3336 wrote to memory of 4876	3336	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	92
PID 3336 wrote to memory of 4876	3336	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	92
PID 4876 wrote to memory of 2868	4876	chrome.exe	93
PID 4876 wrote to memory of 2868	4876	chrome.exe	93
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 3948	4876	chrome.exe	94
PID 4876 wrote to memory of 1468	4876	chrome.exe	95
PID 4876 wrote to memory of 1468	4876	chrome.exe	95
PID 4876 wrote to memory of 1680	4876	chrome.exe	96
PID 4876 wrote to memory of 1680	4876	chrome.exe	96
PID 4876 wrote to memory of 1680	4876	chrome.exe	96
PID 4876 wrote to memory of 1680	4876	chrome.exe	96
PID 4876 wrote to memory of 1680	4876	chrome.exe	96
PID 4876 wrote to memory of 1680	4876	chrome.exe	96
PID 4876 wrote to memory of 1680	4876	chrome.exe	96
PID 4876 wrote to memory of 1680	4876	chrome.exe	96
PID 4876 wrote to memory of 1680	4876	chrome.exe	96
PID 4876 wrote to memory of 1680	4876	chrome.exe	96
PID 4876 wrote to memory of 1680	4876	chrome.exe	96

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3364
- C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
  "C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4892.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
      "C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
        
        C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.60 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff7d4161698,0x7ff7d41616a4,0x7ff7d41616b0
        5⤵
        Executes dropped EXE
        
        PID:4404
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        5⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2928ab58,0x7ffa2928ab68,0x7ffa2928ab78
        6⤵
        
        PID:2868
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:2
        6⤵
        
        PID:3948
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:8
        6⤵
        
        PID:1468
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1932 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:8
        6⤵
        
        PID:1680
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:1
        6⤵
        
        PID:4064
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:1
        6⤵
        
        PID:944
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:1
        6⤵
        
        PID:2932
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:8
        6⤵
        
        PID:3596
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:8
        6⤵
        
        PID:2180
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:8
        6⤵
        
        PID:2264
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:8
        6⤵
        
        PID:4352
      - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        6⤵
        
        PID:2624
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6fcdaae48,0x7ff6fcdaae58,0x7ff6fcdaae68
        7⤵
        
        PID:2604
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        7⤵
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:3204
        
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6fcdaae48,0x7ff6fcdaae58,0x7ff6fcdaae68
        8⤵
        
        PID:3328
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:8
        6⤵
        
        PID:3032
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:8
        6⤵
        
        PID:2132
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:8
        6⤵
        
        PID:756
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4348 --field-trial-handle=2368,i,2828253152574491878,12653562180080781716,131072 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:216
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2448

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
a4be970114fde7b4347a171ef559737b

SHA1
9ff5a5c55eca69d00aa5cf88a86831f2954ee214

SHA256
54f93dd3fd4b973502236e7372591290aef4913ed31ab38fa17c4b0e52b86e21

SHA512
e4fb957ac171ac1bbca431fbfbb8c9142b5493e3b875db7f61182c91adce87d29b410c766d5043b8bee276f9024b7b14ee636106a037db8f35d545b20ec635ce

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
7799df73bee0a32c78a6dd40da4389ee

SHA1
2d2206ce4656fe7e3ed37b031a6562a59be076d7

SHA256
e5b43a479a57312e61b8deb1e33f6450bece980d8595f4fc99f1006629f7a453

SHA512
292207c4036fc50e68c1f5d1cf4c464da13112412537023648018bbbbab46b1cc49bc0865587c158ab4f21f9a93b6e9b1ba76dddc7f8d40129a0197560757625

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\421b2034-0f4f-48e3-988c-d381faa3bfc5.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
53ee62011469b286a2a1b5658c86b9bf

SHA1
9bdac0b23b0a965947c780c6a6b48fc7122f9ade

SHA256
7125735e4e8595f1c17ff3235bc65dacabc2ec874b29ac7ba8eddd80ad10b3c0

SHA512
c9c24e578da0a38048e71548fac66465bcb624e971f745bba559e8c49fd621752e718d4c983a90a97277407bb23348ca109436e1eeebef030c3b599c712ff236

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
970f3af4477c767ac5d0920f5f33bd5b

SHA1
50fc4104dce02329a5a84af5beac2cd752cbf269

SHA256
8be96abfac41bd24bcbddfc56b3f91f1367a3cb70cd4cc9ff7b10f58c5fc6565

SHA512
47938ce13d3decd3731441233932a3632fdd542f9d3963557dbe8ffad9fa8a2ac50a6d77b826916a5931eb483c709460fc150c592c6dd99b41d92e280e7a5a10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
335654f34fac7365086e75c0e21fc60c

SHA1
3addb728e0c5390a5846e5bfed80548d4d70f527

SHA256
f715841a226634185df6f4f4114c03b4a82c7acbf0304672eeee273dba1b1640

SHA512
18a79b90b31553f71b2a53bc6a8ed9b4b57a82330806b98dca25610f3d2f3ba394394edfe3f98309268d521ec99f2548118095e45712c2f739224b8435ecbe08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cb487775040f76a31393ebfcc358b50f

SHA1
84fdae0c3f49e2ca6077ed1d76efd2a9f96485d8

SHA256
4c51466851a97e3902df0e4ffaa269d8ab5ca7770b7838efdb1edd98bc83da79

SHA512
0f2c637bb6c6415c5b7121b6d3360f0db414a5fda442f91dabacddc3752518ab75f6ceea0598bbb442b4670d2a16c1e2ed16a462157f17d46b1fde32239397fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57730d.TMP

Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
592ea95c6ecb4471c99207f0e617cd53

SHA1
ec926fa60affb0b666f8782d63ea4e2e8abfd1bb

SHA256
079eb45f8dc2307f89661979612a680750b488447fadad7fd8eb29a558b248d3

SHA512
df53954aa684400c8a5b7e56b81eb65efc0740ee1fc2ab9f08d116a5f2c09e56fbfb3aeab3f0de9fd3e30ca9e81b7c6c6054ff604ad1b7420124236dcd9aeed4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
53fbb31f8781657e0da2391d9473b7e3

SHA1
87be006dbe7e341f0d92dec26316566b23b95ae5

SHA256
b7d585abd3de42c14b03679b13a8d4a523fb3e87bca87f568209a5247716fb9b

SHA512
e2ab2c363878fa26fdd81b07afb1f03f4060024da86918fa80d91843067018ec776cbff4a61f5c5242297407e3c2b77d83c7b2ace4444859948c0e8f92194322

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4892.bat

Filesize
722B

MD5
5108b9a1b56c1f7523fbc91f6d901279

SHA1
0134a86945de6fb488808081e47f8f84523443d9

SHA256
dd98c0dd44d76d366a4b13605ade411c795f6f6529edf116fb6a577c41edd8df

SHA512
5ef8acded807885b0af5a30e47bc59a49502197e9e6f1f46a27dd1962a5e1211a99585ae90f03b8cbace8468bf7d9d6035cd076e53396cc68c1803d9840aed95

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
667c3a8ff30e7fe3b922810805409071

SHA1
299f1dfbe5330ae71e91ddaf604f946714cb3f97

SHA256
7a7e622200060f52d5dffabea97c3e5758ca77b69c5637ea83c4fcfe07d67a11

SHA512
7c0055cbab2901db8f079ce01b97d59dad0fc81160b710ffb27ad1f3e76f96c1e5b28c4211b957de01b49c2c64128398134f3a5c80f42682daa5e3aa5f515b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
f23f1bd97e7fb38aae65cb42efd6006e

SHA1
bc33aa2acc3ce2f60869c169b4486064634b7839

SHA256
efc004c449ea29c323182499cc0acb11f1fa74fb7609acb9e83eff058a59a700

SHA512
c77d608305658cdc4dbff196ac120971daab7a2a2ac0b3a46d5e00cce98ea5c051d7c860be02e7d55baa857c0154feaa22c640ae2a2bd7e8b2da037c924ae9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe.exe

Filesize
4.0MB

MD5
781a600a895e771ada56cf0afefd9050

SHA1
6bd0605333fe5cbb59441ef2d3f8bbebf453eba4

SHA256
627ceedadc031997a5a04d7186782415bb5e5c0c44c9ffb64e65bade7c008fd1

SHA512
15978229235d920fe511bfe859609b1ec6dcd38199dfba33393d00be7274f822a3002fb6ef53c5df5be0d9ec869e2b359ac3b829a1ba61a7bc1b358b5a65770d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
86f9430d4925c4f45151eea124081d83

SHA1
52df34b47184ed2700bbd92b68874c73592b6d1d

SHA256
41b9e2bf3ce43d681d6dde91ffff8a23adcc4da2076516de2bf2631708b74350

SHA512
910bce524874bbe43de4e9309b1e7aa6a547a6592e3cdcff1f992c156142dc4bf493d23218f635bb6f6366bc1616d96d6ca885d651c0b4be87ab845901f4e3e8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\_desktop.ini

Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/4552-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-1365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-4930-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-5374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download