1b56ce8edfa807f2236af352c7896075d52a7f5a37a4ae60ac3afb9d257c5a65

Analysis

max time kernel
374s
max time network
377s
platform
windows10-1703_x64
resource
win10-20220812-es
resource tags

arch:x64arch:x86image:win10-20220812-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
06-02-2023 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

registro-en-ddiseño-grafico-gratuito.html
Size

92KB
MD5

3f740decdd242dbee07bbd8c7a87cb47
SHA1

dfea03b55a48a08a70ee544ffa985abd5dc27e13
SHA256

1b56ce8edfa807f2236af352c7896075d52a7f5a37a4ae60ac3afb9d257c5a65
SHA512

0c8a6fa3bf8adb370a1e13a7fb5e822e1e92df79e9320f7ec746428801b10524b91947f276be4510629b11566586a4274222240cec76eb6442429947d5638b22
SSDEEP

1536:JFirEQR3tk2fZOwNbWanjhxSIQTzyME/H:MbcanjhxSILME/H

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\109.0.5414.120\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GoogleUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0"	GoogleUpdate.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 52 IoCs

Processes:

ChromeSetup.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exe109.0.5414.120_chrome_installer.exesetup.exesetup.exeChromeRecovery.exesetup.exesetup.exeGoogleCrashHandler.exeGoogleCrashHandler64.exeGoogleUpdate.exeGoogleUpdateOnDemand.exeGoogleUpdate.exeGoogleUpdate.exesetup.exesetup.exesetup.exesetup.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
1104	ChromeSetup.exe
2488	GoogleUpdate.exe
2240	GoogleUpdate.exe
992	GoogleUpdate.exe
2324	GoogleUpdateComRegisterShell64.exe
4652	GoogleUpdateComRegisterShell64.exe
1580	GoogleUpdateComRegisterShell64.exe
1900	GoogleUpdate.exe
4756	GoogleUpdate.exe
924	GoogleUpdate.exe
3668	109.0.5414.120_chrome_installer.exe
4720	setup.exe
4372	setup.exe
4872	ChromeRecovery.exe
2344	setup.exe
4484	setup.exe
1844	GoogleCrashHandler.exe
5004	GoogleCrashHandler64.exe
2224	GoogleUpdate.exe
3744	GoogleUpdateOnDemand.exe
3328	GoogleUpdate.exe
4524	GoogleUpdate.exe
392	setup.exe
5108	setup.exe
3360	setup.exe
844	setup.exe
4268	chrome.exe
3264	chrome.exe
2424	chrome.exe
5112	chrome.exe
3432	chrome.exe
4416	chrome.exe
4800	chrome.exe
4460	elevation_service.exe
212	chrome.exe
1320	chrome.exe
2872	chrome.exe
1208	chrome.exe
3476	chrome.exe
924	chrome.exe
368	chrome.exe
3144	chrome.exe
5108	chrome.exe
1016	chrome.exe
2396	chrome.exe
4936	chrome.exe
4852	chrome.exe
2828	chrome.exe
4824	chrome.exe
3308	chrome.exe
5116	chrome.exe
4364	chrome.exe

Loads dropped DLL 64 IoCs

Processes:

GoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exechrome.exeGoogleUpdate.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
2488	GoogleUpdate.exe
2240	GoogleUpdate.exe
992	GoogleUpdate.exe
2324	GoogleUpdateComRegisterShell64.exe
992	GoogleUpdate.exe
4652	GoogleUpdateComRegisterShell64.exe
992	GoogleUpdate.exe
1580	GoogleUpdateComRegisterShell64.exe
992	GoogleUpdate.exe
1900	GoogleUpdate.exe
4756	GoogleUpdate.exe
924	GoogleUpdate.exe
924	GoogleUpdate.exe
4756	GoogleUpdate.exe
2224	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
4528	chrome.exe
4524	GoogleUpdate.exe
4524	GoogleUpdate.exe
4268	chrome.exe
3264	chrome.exe
4268	chrome.exe
2424	chrome.exe
5112	chrome.exe
5112	chrome.exe
3432	chrome.exe
3432	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
4416	chrome.exe
4800	chrome.exe
4416	chrome.exe
4800	chrome.exe
212	chrome.exe
212	chrome.exe
2872	chrome.exe
1208	chrome.exe
2872	chrome.exe
1208	chrome.exe
1320	chrome.exe
1320	chrome.exe
4268	chrome.exe
3476	chrome.exe
3476	chrome.exe
924	chrome.exe
924	chrome.exe
368	chrome.exe
368	chrome.exe
3144	chrome.exe
3144	chrome.exe
5108	chrome.exe
5108	chrome.exe
1016	chrome.exe
1016	chrome.exe
2396	chrome.exe
2396	chrome.exe
4936	chrome.exe
4936	chrome.exe
4852	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 37 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

GoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exesetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ServerExecutable = "C:\\Program Files\\Google\\Chrome\\Application\\109.0.5414.120\\notification_helper.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\INPROCSERVER32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\109.0.5414.120\\notification_helper.exe\""	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\INPROCSERVER32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

setup.exe109.0.5414.120_chrome_installer.exeChromeSetup.exeGoogleUpdate.exeelevation_service.exechrome.exeGoogleUpdate.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\nacl_irt_x86_64.nexe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\CR_83ECC.tmp\setup.exe	109.0.5414.120_chrome_installer.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_et.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_fr.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_hu.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_hr.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_no.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\th.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\vi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3344_900859165\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\ChromiumTemp4268_1122787950\model-info.pb	chrome.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\GoogleUpdateSetup.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_ca.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\109.0.5414.119.manifest	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\resources.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\109.0.5414.120.manifest	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\nl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\ru.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Application\109.0.5414.120\Installer\chrmstp.exe	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\GoogleUpdateCore.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_ja.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_te.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\109.0.5414.120\109.0.5414.120_chrome_installer.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_sw.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_hu.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_it.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_ur.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\sr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\VisualElements\LogoBeta.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\ca.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_cs.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_ru.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_zh-CN.dll	ChromeSetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\af.pak	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_it.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_pt-BR.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\psuser.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\chrome_wer.dll	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_ta.dll	ChromeSetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\icudtl.dat	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\en-GB.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3344_900859165\manifest.json	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\GoogleUpdateBroker.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_ml.dll	ChromeSetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\da.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\es.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\kn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\optimization_guide_internal.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\ml.pak	setup.exe
File created	C:\Program Files\ChromiumTemp4268_1122787950\model.tflite	chrome.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\psmachine_64.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_lv.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_pl.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\CR_83ECC.tmp\setup.exe	109.0.5414.120_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\hr.pak	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_de.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_sw.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source4720_1361891914\Chrome-bin\109.0.5414.120\Locales\el.pak	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\goopdateres_ko.dll	ChromeSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

GoogleUpdate.exeGoogleUpdate.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133201975867467037"	chrome.exe

Modifies registry class 64 IoCs

Processes:

GoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exesetup.exeGoogleUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3900DE1E-5C69-4B8E-B45C-EAC7B693074F}\InprocHandler32\ThreadingModel = "Both"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ = "IPackage"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods\ = "41"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods\ = "4"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID\ = "GoogleUpdate.CoreMachineClass"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\ChromeHTML	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\ = "Google Update Legacy On Demand"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\GoogleUpdateOnDemand.exe\""	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods\ = "4"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ = "IGoogleUpdate3"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoreClass.1\CLSID\ = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods\ = "17"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback\ = "Google Update Legacy On Demand"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusSvc.1.0\ = "Google Update Policy Status Class"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromeHTML\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\ChromeHTML	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods\ = "4"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3900DE1E-5C69-4B8E-B45C-EAC7B693074F}\InprocHandler32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation\Enabled = "1"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\PROGID	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GoogleUpdate.exe	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\VersionIndependentProgID\ = "GoogleUpdate.PolicyStatusMachine"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync.1.0\CLSID\ = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods\ = "24"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}\Elevation	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID\ = "GoogleUpdate.CoCreateAsync.1.0"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ = "IGoogleUpdate"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\CurVer\ = "GoogleUpdate.Update3WebMachine.1.0"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LOCALSERVER32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID\ = "GoogleUpdate.Update3WebSvc"	GoogleUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeGoogleUpdate.exechrome.exechrome.exechrome.exeGoogleUpdate.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
2100	chrome.exe
2100	chrome.exe
4676	chrome.exe
4676	chrome.exe
4896	chrome.exe
4896	chrome.exe
4996	chrome.exe
4996	chrome.exe
4412	chrome.exe
4412	chrome.exe
4376	chrome.exe
4376	chrome.exe
3140	chrome.exe
3140	chrome.exe
4524	chrome.exe
4524	chrome.exe
1732	chrome.exe
1732	chrome.exe
3940	chrome.exe
3940	chrome.exe
4424	chrome.exe
4424	chrome.exe
4528	chrome.exe
4528	chrome.exe
4732	chrome.exe
4732	chrome.exe
5004	chrome.exe
5004	chrome.exe
4144	chrome.exe
4144	chrome.exe
2488	GoogleUpdate.exe
2488	GoogleUpdate.exe
2488	GoogleUpdate.exe
2488	GoogleUpdate.exe
2488	GoogleUpdate.exe
2488	GoogleUpdate.exe
596	chrome.exe
596	chrome.exe
1856	chrome.exe
1856	chrome.exe
356	chrome.exe
356	chrome.exe
2224	GoogleUpdate.exe
2224	GoogleUpdate.exe
2488	GoogleUpdate.exe
2488	GoogleUpdate.exe
2488	GoogleUpdate.exe
2488	GoogleUpdate.exe
5112	chrome.exe
5112	chrome.exe
4268	chrome.exe
4268	chrome.exe
3476	chrome.exe
3476	chrome.exe
924	chrome.exe
924	chrome.exe
5108	chrome.exe
5108	chrome.exe
2396	chrome.exe
2396	chrome.exe
4852	chrome.exe
4852	chrome.exe
4824	chrome.exe
4824	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

pid	process
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exefirefox.exeGoogleUpdate.exe109.0.5414.120_chrome_installer.exeGoogleCrashHandler64.exeGoogleCrashHandler.exeGoogleUpdate.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	916	firefox.exe
Token: SeDebugPrivilege	916	firefox.exe
Token: SeDebugPrivilege	3264	firefox.exe
Token: SeDebugPrivilege	3264	firefox.exe
Token: SeDebugPrivilege	2488	GoogleUpdate.exe
Token: SeDebugPrivilege	2488	GoogleUpdate.exe
Token: SeDebugPrivilege	2488	GoogleUpdate.exe
Token: 33	3668	109.0.5414.120_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	3668	109.0.5414.120_chrome_installer.exe
Token: 33	5004	GoogleCrashHandler64.exe
Token: SeIncBasePriorityPrivilege	5004	GoogleCrashHandler64.exe
Token: 33	1844	GoogleCrashHandler.exe
Token: SeIncBasePriorityPrivilege	1844	GoogleCrashHandler.exe
Token: SeDebugPrivilege	2224	GoogleUpdate.exe
Token: SeDebugPrivilege	2488	GoogleUpdate.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exefirefox.exefirefox.exechrome.exe

pid	process
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exefirefox.exefirefox.exechrome.exe

pid	process
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
3264	firefox.exe
3264	firefox.exe
3264	firefox.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

firefox.exefirefox.exe

pid	process
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
916	firefox.exe
3264	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4676 wrote to memory of 4680	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 4680	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2164	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2100	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 2100	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe
PID 4676 wrote to memory of 3308	4676	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Users\Admin\AppData\Local\Temp\registro-en-ddiseño-grafico-gratuito.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa4c474f50,0x7ffa4c474f60,0x7ffa4c474f70
2⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1740 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1492 /prefetch:2
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8
2⤵
PID:3308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2600 /prefetch:1
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4136 /prefetch:8
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
2⤵
PID:3552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4996 /prefetch:8
2⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2624 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
2⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
2⤵
PID:2716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:3700

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff70255a890,0x7ff70255a8a0,0x7ff70255a8b0
3⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,15638063800192962515,18379320510099653401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x240,0x244,0x248,0x218,0x24c,0x7ff70255a890,0x7ff70255a8a0,0x7ff70255a8b0
3⤵
PID:812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:844

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.0.224134311\1612218743" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1524 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 916 "\\.\pipe\gecko-crash-server-pipe.916" 1624 gpu
3⤵
PID:3328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.3.211026532\163300340" -childID 1 -isForBrowser -prefsHandle 2148 -prefMapHandle 2168 -prefsLen 156 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 916 "\\.\pipe\gecko-crash-server-pipe.916" 2252 tab
3⤵
PID:2264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.13.601671366\977513829" -childID 2 -isForBrowser -prefsHandle 3392 -prefMapHandle 3388 -prefsLen 6938 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 916 "\\.\pipe\gecko-crash-server-pipe.916" 3188 tab
3⤵
PID:3832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="916.20.1710215626\1361329520" -childID 3 -isForBrowser -prefsHandle 4356 -prefMapHandle 4352 -prefsLen 8020 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 916 "\\.\pipe\gecko-crash-server-pipe.916" 2136 tab
3⤵
PID:2792

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:4524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3264.0.145381710\604840557" -parentBuildID 20200403170909 -prefsHandle 1432 -prefMapHandle 1404 -prefsLen 1 -prefMapSize 214136 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3264 "\\.\pipe\gecko-crash-server-pipe.3264" 1508 gpu
5⤵
PID:4608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3264.6.1773341176\303838994" -childID 1 -isForBrowser -prefsHandle 2424 -prefMapHandle 2156 -prefsLen 3184 -prefMapSize 214136 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3264 "\\.\pipe\gecko-crash-server-pipe.3264" 2556 tab
5⤵
PID:2992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3264.13.226027304\1086461150" -childID 2 -isForBrowser -prefsHandle 2084 -prefMapHandle 2516 -prefsLen 3451 -prefMapSize 214136 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3264 "\\.\pipe\gecko-crash-server-pipe.3264" 1676 tab
5⤵
PID:4992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3264.20.2143244975\2023792608" -childID 3 -isForBrowser -prefsHandle 4276 -prefMapHandle 4208 -prefsLen 12504 -prefMapSize 214136 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3264 "\\.\pipe\gecko-crash-server-pipe.3264" 4260 tab
5⤵
PID:2424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffa4c474f50,0x7ffa4c474f60,0x7ffa4c474f70
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
2⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1692 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:1
2⤵
PID:3684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
2⤵
PID:3096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4352 /prefetch:8
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4468 /prefetch:8
2⤵
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
2⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
2⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
2⤵
PID:660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
2⤵
PID:744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,6714229004719918542,966053713322036491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa4c474f50,0x7ffa4c474f60,0x7ffa4c474f70
3⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1496 /prefetch:2
3⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=network --mojo-platform-channel-handle=1904 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
3⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2564 /prefetch:1
3⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
3⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2380 /prefetch:1
3⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4120 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=4396 /prefetch:8
3⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
3⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
3⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5460 /prefetch:8
3⤵
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5432 /prefetch:8
3⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
3⤵
PID:3660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4796 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5784 /prefetch:8
3⤵
PID:236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4124 /prefetch:8
3⤵
PID:2224

C:\Users\Admin\Downloads\ChromeSetup.exe
"C:\Users\Admin\Downloads\ChromeSetup.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1104

C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Temp\GUM63CC.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={141D35F9-AEA2-377E-70C9-57179316BDD8}&lang=es&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHWL&installdataindex=empty"
4⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2240

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:992

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2324

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4652

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1580

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xNTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODY1NjdGQkUtOTkyOS00RjU5LUIzOTctRjQ5NzkzMEQzRkFEfSIgdXNlcmlkPSJ7RUE5NDY2MTgtMDAwMS00QzIzLTk3OUMtRkQyODgzNkVBRjlFfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezhFRUZERDBELTIyQUMtNDZGMC1CQkYyLUZDNERFRDVEQkExRH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjcxIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjE1MiIgbGFuZz0iZXMiIGJyYW5kPSJDSFdMIiBjbGllbnQ9IiIgaWlkPSJ7MTQxRDM1RjktQUVBMi0zNzdFLTcwQzktNTcxNzkzMTZCREQ4fSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIzNDc5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={141D35F9-AEA2-377E-70C9-57179316BDD8}&lang=es&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHWL&installdataindex=empty" /installsource taggedmi /sessionid "{86567FBE-9929-4F59-B397-F497930D3FAD}"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2400 /prefetch:8
3⤵
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2188 /prefetch:8
3⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4476 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,1712956971282654899,3318136681182537725,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2392 /prefetch:8
3⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffa4c474f50,0x7ffa4c474f60,0x7ffa4c474f70
2⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,433744442348491378,984350485768827936,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,433744442348491378,984350485768827936,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1708 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3140

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:924

C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\109.0.5414.120_chrome_installer.exe
"C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\109.0.5414.120_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\guiD284.tmp"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\CR_83ECC.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\CR_83ECC.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\CR_83ECC.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\guiD284.tmp"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:4720

C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\CR_83ECC.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\CR_83ECC.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff7cbe51148,0x7ff7cbe51158,0x7ff7cbe51168
4⤵
- Executes dropped EXE
PID:4372

C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\CR_83ECC.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\CR_83ECC.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
4⤵
- Executes dropped EXE
PID:2344

C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\CR_83ECC.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{23F86CE1-FE53-4C43-8705-AF8C1C8B38B7}\CR_83ECC.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff7cbe51148,0x7ff7cbe51158,0x7ff7cbe51168
5⤵
- Executes dropped EXE
PID:4484

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xNTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODY1NjdGQkUtOTkyOS00RjU5LUIzOTctRjQ5NzkzMEQzRkFEfSIgdXNlcmlkPSJ7RUE5NDY2MTgtMDAwMS00QzIzLTk3OUMtRkQyODgzNkVBRjlFfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0FENzVGRDc1LTU2QTQtNDhEOC1CNjVELUQ5MTJGNDNGNzAxRX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTA5LjAuNTQxNC4xMjAiIGFwPSJ4NjQtc3RhYmxlLXN0YXRzZGVmXzEiIGxhbmc9ImVzIiBicmFuZD0iQ0hXTCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjE3OCIgaWlkPSJ7MTQxRDM1RjktQUVBMi0zNzdFLTcwQzktNTcxNzkzMTZCREQ4fSIgY29ob3J0PSIxOmd1L2kxOToiIGNvaG9ydG5hbWU9IlN0YWJsZSBJbnN0YWxscyAmYW1wOyBWZXJzaW9uIFBpbnMiPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vZWRnZWRsLm1lLmd2dDEuY29tL2VkZ2VkbC9yZWxlYXNlMi9jaHJvbWUvY3phbzJocnZwazV3Z3Fya3o0a2tzNXI3MzRfMTA5LjAuNTQxNC4xMjAvMTA5LjAuNTQxNC4xMjBfY2hyb21lX2luc3RhbGxlci5leGUiIGRvd25sb2FkZWQ9IjkzMTIyNjAwIiB0b3RhbD0iOTMxMjI2MDAiIGRvd25sb2FkX3RpbWVfbXM9IjY5MjYiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjYwOSIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijc5NyIgZG93bmxvYWRfdGltZV9tcz0iODI4NiIgZG93bmxvYWRlZD0iOTMxMjI2MDAiIHRvdGFsPSI5MzEyMjYwMCIgaW5zdGFsbF90aW1lX21zPSIxMTkxNCIvPjwvYXBwPjwvcmVxdWVzdD4
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:3344

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3344_900859165\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3344_900859165\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={d802ced6-bf11-43a5-b530-5f8d34b3edd4} --system
2⤵
- Executes dropped EXE
PID:4872

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateOnDemand.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateOnDemand.exe" -Embedding
1⤵
- Executes dropped EXE
PID:3744

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ondemand
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3328

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4524

C:\Program Files\Google\Chrome\Application\109.0.5414.120\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\109.0.5414.120\Installer\setup.exe" --rename-chrome-exe --system-level --verbose-logging --channel=stable
2⤵
- Executes dropped EXE
PID:392

C:\Program Files\Google\Chrome\Application\109.0.5414.120\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\109.0.5414.120\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7ebd91148,0x7ff7ebd91158,0x7ff7ebd91168
3⤵
- Executes dropped EXE
PID:5108

C:\Program Files\Google\Chrome\Application\109.0.5414.120\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\109.0.5414.120\Installer\setup.exe" --channel=stable --delete-old-versions --system-level --verbose-logging
3⤵
- Executes dropped EXE
PID:3360

C:\Program Files\Google\Chrome\Application\109.0.5414.120\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\109.0.5414.120\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7ebd91148,0x7ff7ebd91158,0x7ff7ebd91168
4⤵
- Executes dropped EXE
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa38ff6b58,0x7ffa38ff6b68,0x7ffa38ff6b78
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=2036 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=4512 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=4760 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=5160 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5588 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=5632 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5588 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=5624 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=3012 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=3032 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5576 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:3308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=5596 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=5676 --field-trial-handle=1880,i,4072180250340356497,3250219191722598727,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:4364

C:\Program Files\Google\Chrome\Application\109.0.5414.120\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\109.0.5414.120\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies
Filesize
20KB

MD5
ca64aec56f6077c78b3fadd80310d41f

SHA1
4bf02f59cac6fbfad030def4159af83926a06317

SHA256
ff1cbcebf83465baf1dab7cd0e5d5f0fd0a85672233b5b9ab8d279d74d53e174

SHA512
94a3b7c8f9df262213d17b18c78f05b3e3f76e27e88bb7175b51a79b18c78ef9fd97adb8ffbd09a2a17f429c452450e1d9825cc784892b97fd2a3d61ab831a8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
116KB

MD5
acff595a714835757a7a5303c5dac3f7

SHA1
a41972f40787c3dbbfe5ac12b3f956e430644293

SHA256
40ed9baa1d71f8f08a9c7a7025833c432a96ef56dc52ec974dede995cc1491c5

SHA512
806773b1a05a6d4a4bd7d48d7f7a330baf1dc5601615c04273478f0fce346794b1e52c310b27d06f7e8228f725c747ba307f16c15c9b1751bebe2a48e1ba7e01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
110KB

MD5
963d75dd5991abea3d21adf41ed9f7c1

SHA1
136114e5047ab9c2a6a8d50622430a4c45beae40

SHA256
f57fe552d84e01120a6eddba8b617a95a0a2e82c74d91134780f7e7ae979a822

SHA512
7aa010ae5cb4b96933ccc9faf6801bfd936570d38fc2aa25ab5339ee122b8a4d6b190a8905658ef019d4d0bb1fdefd14bc6940d515fc793099def6d2c250fcee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\cache2\doomed\7109
Filesize
118KB

MD5
cb9afd25a8027373052466490b6ccbe4

SHA1
e0cac1a5a8f18d64e6d3b0f3385c51550de3f1d7

SHA256
6b879b3f32951c69be1bdd694f1b010e9a7bd0a8a7052a2c1127a8ae585c7a1b

SHA512
e5a8ab99e66f6fa122c201136537700f317a4fc0ef289a3b59dc53d5e6b182eb812df98bc5ff1ef45ae5644465573ede502f2caaefe09201f0f2f0cc5d3e88c9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\cache2\doomed\8343
Filesize
38KB

MD5
cf782b1c6628b4161368ac97332b543b

SHA1
085a30c8a30285346705451fdd51b2aaf6b121a5

SHA256
a762fa24558444c1d06699e15ab515f028f61d0f2d0cc0660119750eaeac4661

SHA512
bc9686b947459a481a35bc3221b57566dba430f9ec256ff0a5af5dd1af8aec4ebcfdf0801c1ff3460257c7bffa0bb2f22c0c2aedb2915456fda1afdea91e86a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\cache2\entries\017CBD36649F7732E50703710225BCEBA101C942
Filesize
9KB

MD5
7634750ec38610a94abbc050af3f9530

SHA1
fb6ffdea90cac2b4ca8c425b9c3c6d0004f49608

SHA256
940ef1e8eeac869f87141cbce285df6c63eed98d91fa510e078aafc72a73d256

SHA512
96e8f7851d3028142c020aba28b9cba762ca80e1fe48beb5759c2b83e31fc307385ee3140cb059b2d1904f422151b7950bf5a9cb8a43db099c6240a0f93c8613

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\cache2\entries\05E356F3B72718856C389BCE9FFE203B71F932FE
Filesize
8KB

MD5
c179c0d92e7cc6a7b44ee4c62ebbdde3

SHA1
f70f3ce84f82c340fdf6f085a9b064ea5e178239

SHA256
30e8f6483ebbb17ecab3f1ab10bdc329839859b5353b073cc4a324d061a6526a

SHA512
bbdb028b1a2f90679375b526186a9ee6f5a34ce08bbaea55ec9b1c4eb0d845119ac40620379145beee6bb52172ccc1ef7ccfc7c290b9f7c546eb0354f1ce95ba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\cache2\entries\0BFD61E47E28F1F913179D1A579EA5241CA8F3A6
Filesize
22KB

MD5
82026d78987d7b07356519ec2beb49a8

SHA1
83bdce580214476a5af3cbafe84b5f61426014c5

SHA256
7ca7224d1a40526ed0bf2080921e7b42afdbd62525c8085f2b2aa10a8fc6e693

SHA512
29fbe90c64725ac3dbc33ad5861fd26d6b303893b8a78a7ee863b117a08083bca8c81e84ed72e1568c0d6c0bd1463cbd485864aab36e039af64c69d1831759a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\SiteSecurityServiceState.txt
Filesize
725B

MD5
2c4b612b7d5463670c4c6c87c15e3a0b

SHA1
946f270eb8eaf0ccd56add6ad915c11ed989b6c8

SHA256
78b21590ffa6c5c2f4263729972f5b885d6a7159f6175563625c3cf01b9a7405

SHA512
23635004a6d1cf7d9a551722d3b42628d4a51d90655e5c3177e23616cb78ff1f8d91823a5ab112b367792ffa8d018d127e071821a71f5ce4c1c777f0dfba6596

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\addonStartup.json.lz4
Filesize
1KB

MD5
bc4bd0071af0574fe57b6756f0b26071

SHA1
dfc6af6b87b58391f67679a24c28495503f9e75d

SHA256
2f0cb964330decccb1375985d126d6cd2fec171e344cdd6e21026fa9459d8ad3

SHA512
9cd3f9140a3beca18114253556281c48e0a2401d8e7bb01b518a0615caf6a1f4a8cece627c00caaf9cb3f7cf3a57a224ec5233682b5b3f8e933619b85488551d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\cert9.db
Filesize
224KB

MD5
54d40b8084386f8ed191ad14940cd503

SHA1
8fc4501534f37fefb7215958c3d4f7aa358bc559

SHA256
b8612e718f6a67152d5621f39657defc6fb8c5c8545bf5fd427ff68bfd8b8b28

SHA512
61f77a3f44397cd3d0e5200d78f94a5dd57c0cf8e955e242eee04da0d1f04658605ff87836f72623bb11fceed216ccd82b853760738660533c3b3e031bda5b37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\cookies.sqlite
Filesize
512KB

MD5
c1e23b61b4b86f4a298c202f9cf1942b

SHA1
f53ca1ba4cb5a06c2e2bd739a26f172971283adb

SHA256
7e09ba8a2a8ac5c1d1412d645bec03a684c2b83a310e4544d3681ca141fa118d

SHA512
118f84b3cd733c28bc9a4cb5514c9ad4ce082c7e28c2ef67a3245faab70a48199c1afcf790d5399d78bc199c42179148c330faa83e34918691c16410caf15350

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\datareporting\archived\2023-02\1675723770515.4c8e2622-e4ea-4991-8e0a-5d59769de892.main.jsonlz4
Filesize
13KB

MD5
33febfa95ce980ed59559f928b188780

SHA1
542ba2b5fbc3327e1d25cf3ebf576fca4eb76b88

SHA256
a2c01bf78a75e51529307519766102f6499e6f48935acb946a9884bc1bacb188

SHA512
818d849cc21b33746ac01f7cbb3351136ab59f2fac2b5706941b6480853180079dfcad91944b7d1f9825890cac8b5cfa46443d28ec48ca0e7b52427a9eb510e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\datareporting\session-state.json
Filesize
161B

MD5
47ecc782a94fb26c7ae81366568ddcc2

SHA1
9d07cac300edb5a22af4d8e7c1a07a478288f5ba

SHA256
ea67db68940e15d5cebc16c6fb753a7403c0336c6de12bf620feb469b626a572

SHA512
59721da467b03324de3becfa128af6ba52397efa5968f0e40ef835dc908ef494794f6d37bf818e4fe7318fd481844e2fc71fa1ab2c1bb3be05dd891369586750

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\favicons.sqlite
Filesize
5.0MB

MD5
7082c95342f5bc5858f1dda7e7c18858

SHA1
3148d7ad29813d4ee38cc92fe3a83c670aaf72b5

SHA256
b8a4300eebf9a610b1513462cdf59f916d8f0388aea3167829e71c365f1e57cc

SHA512
342c3b9c52aeb7e2809a21be5a1421af1fb838573a3a529218c6ca9d5fb16b216fcd42c1d11c0627f7280cb1f2606de39fbbc8913aaf4044d45849a3265fd6e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\permissions.sqlite
Filesize
96KB

MD5
e86de40b9f2469446927d1f3258f0b6f

SHA1
9b98b55f3000455b771a1b38954bade291cba2dc

SHA256
27038de08e30fd040c10f8affed477b86e95f246617157609a572a741e64c442

SHA512
cfc0bfa15b9a69578c70b46c4bbc02ef3f2b2a10762c98b08db367c37ce76fc975af88563e2754758d73e29fa5f2e437f36d71f6112b32896a353060600a3e9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\places.sqlite
Filesize
5.0MB

MD5
d341df8b34121a0d18f84c0d1625eae0

SHA1
909ea6c4fb10041089dbc0885826f16ce13976f6

SHA256
22bae18a02c5477e189263b65903670cb63cddaf50e2e23bcdaed9735296639b

SHA512
46fcdca56fdfe544a138dc44cac08119f06f0dacca1187532edcbe293d5399bcd7b6e5601dcb81d6f709845f5c4a362a43cde10c011e7116a6fcc052a9001c36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\prefs.js
Filesize
7KB

MD5
65a1dcd07ed8614bb4c2ed1f9ec86ec7

SHA1
761c39583d2a3afea79b6a881dafddc4599e5c77

SHA256
dd3c49c8de518a3b37abaaa195caa9ec0f1c363cd8803228a40bb323a928fad4

SHA512
0ea0c24ddd7e30f45bca21bbd599c9211c2f3a9a6931ccb54f223b79bb080e9bbf196278107e321d959098c84dadcb2156d4f5469e8ca00ef01bf8d1649e6a5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\protections.sqlite
Filesize
64KB

MD5
4dc8479224410a964fcc7226e43b2d24

SHA1
eb170e3a4aea4022de266e6eeb76ed72d3bcdd73

SHA256
5cc787bbb0151471c3c11f69478aa4e37af09dc30a136a618e97f8663611ef2b

SHA512
7d6859c6bd278cb57bf144515b99b349a6dfe39073fb2807bbd6897eed6df68424574cccabea3c0707b47d00a31c4c700e07dd7bb101ca7729ad3cfd2b08c069

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\search.json.mozlz4
Filesize
2KB

MD5
79e5d8d094a8dcd180c2ac27a760c273

SHA1
99d715c3672b871b6120e9d04910d123fb711c5c

SHA256
64046d1344ef3b04713cc03739959884409acfff7b14c201af20660be0ce5ee7

SHA512
bdfbb8b70bae8d95181aabe423ea1cb52c59223fd95f4f5bad11f76f8cf6c853d5e4c4de56d87e7f80e5c09c1941fdbda81a0f91c1a347a543e5babcba94f742

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\sessionCheckpoints.json
Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\sessionstore-backups\recovery.baklz4
Filesize
5KB

MD5
0bbb4b9f303de6ecea52f654f5a42eb5

SHA1
cc7dcc439d8dd52ea620009010bc2158d8fc1d86

SHA256
5d4edf025f4494eb480c77294696a2f029c7adf36ea5b96e0097d25ad857d41d

SHA512
28bd8cdc4f4d432c85f7e492ea032a049e61e1d4ac219b1c9d334835230bf1a96e5f26b513df35ed5026c12d489e5feee037c6586bb80b9ca71282f75c4bc99d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
b88764b7924cb38259690a427060a408

SHA1
9a8f5ff6d677ab3961e19e41b1c816e023bf615f

SHA256
0abfc7e36df74f0acb2877e61af77919a667c1d25cbe81ec5f9203092f058063

SHA512
a75a1e8b694a05dd06e1ed349d93ae719d92c698a08647022ec91f6b37b35cf50dbd3ddca7415a350639471cca0335aca409da63bd85a482c364b54e3e414d25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\sessionstore-backups\upgrade.jsonlz4-20200403170909
Filesize
809B

MD5
92c680a8719459fff1e03f2247b84d7d

SHA1
df961ac259351428b79d40904f31d0558d73aa42

SHA256
5685247f4ac8fe94b5e8787a39f856fe96b0873103867a851b13b72a81b16758

SHA512
3f772693bdb75ce6d5ec348aeebc069ab52fcfe7e364316f37c5c582a4a1ad268d56c41525cab1c3c88951720598aaf36114940d8be3ce25c2f20fedcca6df0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\sessionstore.jsonlz4
Filesize
5KB

MD5
699e6763eae51ab34ecf51fbf7467cb8

SHA1
f6b7ea95ee3822d198a66394c249a965e4fd3e01

SHA256
7c522e500706fb5e23c37ddf5877a5094491f826d3231a2c9cf5a6fb7c2eccdd

SHA512
c09b8664e13199db633209c0d0d8c3ba7f702b246a47ee9f227e9371afb9b7e7d081c4a40722c312e66295216331bf37e7d028dec2a6dcde0404483c0ff68952

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Filesize
72KB

MD5
921edec56a72203cecaa865be46f1059

SHA1
ed52b1bfcaf795739eeeecb94c6ae3c65e650c5e

SHA256
9d16fcb024b8851ce1f4e64e454e64f13c2295e27688c971b48166e2f9745cd2

SHA512
073946c07938f90a04bf2b3da37337910bb9c79ab5d2bb8737c1bf0381136ee2129e71b61fa1af630082ad645ce7abeb6a453882a52651eced56a2700264589c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
3.2MB

MD5
d93520dd35c37f444082147381582944

SHA1
d9a4541bcab1c18ae920919e6f828cd859c14b7e

SHA256
4a4b1e3a2901ccf6a768fecd15ff706513892b861af3db648b14eeb6679b74f6

SHA512
f24503d386610ddffca1d746e5c77dbf75b6f314320a9d5d120abc09273a8fbf2f08be1c65ad1c5cb27f89722baaa7639defd1cf17f0254b1e589578fe02da80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\webappsstore.sqlite
Filesize
96KB

MD5
9a3f8d676b5dcd6f38fff1a55b60e6d5

SHA1
46e7f48c6f936ba04105c4c5072cff99e9c82860

SHA256
408b8f70e4c62985a61be2245577e6bc40669619f1bc1a9447eeba19ce84b394

SHA512
e3b48de9983024d89e60815d436874fb3409869b22b2cf65d80434e79faf6f793a2a0ed52b646e0d9159f7a7417d399dc92419aaba7c47a8fbda6aab61d1a606

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2ckqv6m.default-release\xulstore.json
Filesize
141B

MD5
fcc0a4014782f3927e71baeddd2dfe68

SHA1
af19885e5f719a6485066c6317361c6858d70fe4

SHA256
a4e0791db84036961904babe1a29dcf3698bdcd8b92389dda01c699f2ee52ecd

SHA512
338fbd72c9c4e657feb9ae548601e1bd1da1c4e1ec9b7e475b34fec1feace6af6161404cc91a2babe8d6aa758a460975d859d92915d6297f48e866a5653acbc8

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
4b4a92e54654d42b044cb5023e6e5e43

SHA1
16b37e5d84ee326771820f3b0e01ed55dae49170

SHA256
f4a018551b9dc40a08067389c0a96927d240b53ba620af68590eb5d0791662a4

SHA512
2469a49ed31e0af47d020292517d0ba4107cf8dd55c2ba14838b5f994aade864cb3c54cc8e594b642518b9559307fcc8ccf5c9b9db5204d37c322315c0bdcabc

Download Submit
\??\pipe\crashpad_3700_MPXDGFVQLJEASPGM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_4676_IWDHUIXHHLPYWOAA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/392-1356-0x0000000000000000-mapping.dmp

Download
memory/812-130-0x0000000000000000-mapping.dmp

Download
memory/844-1366-0x0000000000000000-mapping.dmp

Download
memory/992-384-0x0000000000000000-mapping.dmp

Download
memory/1104-187-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-184-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-165-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-166-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-167-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-168-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-169-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-170-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-171-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-172-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-173-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-174-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-175-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-176-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-177-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-178-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-179-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-180-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-181-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-182-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-183-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-164-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-185-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-186-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-163-0x0000000000000000-mapping.dmp

Download
memory/1104-188-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-189-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-190-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-191-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-192-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-193-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-194-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-195-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1104-196-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-490-0x0000000000000000-mapping.dmp

Download
memory/1844-891-0x0000000000000000-mapping.dmp

Download
memory/1900-528-0x0000000000000000-mapping.dmp

Download
memory/2224-901-0x0000000000000000-mapping.dmp

Download
memory/2240-283-0x0000000000000000-mapping.dmp

Download
memory/2324-460-0x0000000000000000-mapping.dmp

Download
memory/2344-856-0x0000000000000000-mapping.dmp

Download
memory/2488-206-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-227-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-205-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-208-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-209-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-210-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-211-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-212-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-207-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-213-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-214-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-215-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-217-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-216-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-218-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-219-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-221-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-220-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-222-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-223-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-224-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-225-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-226-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-203-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-228-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-204-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-197-0x0000000000000000-mapping.dmp

Download
memory/2488-201-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-198-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-202-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-200-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/2488-199-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-1196-0x0000000000000000-mapping.dmp

Download
memory/3360-1362-0x0000000000000000-mapping.dmp

Download
memory/3668-845-0x0000000000000000-mapping.dmp

Download
memory/3700-120-0x0000000000000000-mapping.dmp

Download
memory/4372-851-0x0000000000000000-mapping.dmp

Download
memory/4460-127-0x0000000000000000-mapping.dmp

Download
memory/4484-863-0x0000000000000000-mapping.dmp

Download
memory/4488-123-0x0000000000000000-mapping.dmp

Download
memory/4652-475-0x0000000000000000-mapping.dmp

Download
memory/4720-848-0x0000000000000000-mapping.dmp

Download
memory/4756-555-0x0000000000000000-mapping.dmp

Download
memory/4872-857-0x0000000000000000-mapping.dmp

Download
memory/5004-893-0x0000000000000000-mapping.dmp

Download
memory/5108-1359-0x0000000000000000-mapping.dmp

Download