gh0strat | 832e06a61add7817a67de98b9a7bb8eb8dcb89d3ee557920a3dc96d63a3238d2

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChromeStdSetup.exe
Size

27.6MB
MD5

f5352630a4c4764d378d500680cd9f64
SHA1

ce80f5aa2c68cfcdd5be492b3d01f2ca31f1138f
SHA256

832e06a61add7817a67de98b9a7bb8eb8dcb89d3ee557920a3dc96d63a3238d2
SHA512

190c9fd632419600597abd2d29a02f73c976214e4fa4ffaf07f5ace920722adcaf9820f0b73d7c9bad0e0b99c612c2147de62d07036b2a375beffd7e89c211c3
SSDEEP

786432:Tbnq/vxsj6yVAqOu3T4katyXX21qyNPoBe/PFd:C/Js3VAqOuAajyeBs

Score

10^/10

gh0strat purplefox discovery evasion persistence privilege_escalation rat rootkit spyware stealer trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 5 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4388-13163-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit
behavioral2/memory/4388-13162-0x0000000000400000-0x0000000001FA2000-memory.dmp	purplefox_rootkit
behavioral2/memory/4388-14820-0x0000000000400000-0x0000000001FA2000-memory.dmp	purplefox_rootkit
behavioral2/memory/19932-26285-0x0000000000400000-0x0000000001FA2000-memory.dmp	purplefox_rootkit
behavioral2/memory/50540-39366-0x0000000000400000-0x0000000001FA2000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/memory/4388-13163-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat
behavioral2/memory/4388-13162-0x0000000000400000-0x0000000001FA2000-memory.dmp	family_gh0strat
behavioral2/memory/4388-14820-0x0000000000400000-0x0000000001FA2000-memory.dmp	family_gh0strat
behavioral2/memory/19932-26285-0x0000000000400000-0x0000000001FA2000-memory.dmp	family_gh0strat
behavioral2/memory/50540-39366-0x0000000000400000-0x0000000001FA2000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.100\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	ChromeStdSetup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 30 IoCs

pid	Process
4388	wtepktomp.exe
2068	ChromeSetup.exe
2356	updater.exe
4920	updater.exe
2972	updater.exe
4336	updater.exe
1704	updater.exe
2088	updater.exe
19932	Jkcdt.exe
50324	129.0.6668.100_chrome_installer.exe
50396	setup.exe
50424	setup.exe
50540	Jkcdt.exe
7248	setup.exe
7224	setup.exe
8220	chrome.exe
8176	chrome.exe
8284	chrome.exe
8304	chrome.exe
8412	chrome.exe
8516	chrome.exe
8528	chrome.exe
8608	elevation_service.exe
8892	chrome.exe
9080	chrome.exe
9316	chrome.exe
9324	chrome.exe
9556	chrome.exe
21716	updater.exe
21732	updater.exe

Loads dropped DLL 29 IoCs

pid	Process
8220	chrome.exe
8176	chrome.exe
8220	chrome.exe
8284	chrome.exe
8304	chrome.exe
8284	chrome.exe
8304	chrome.exe
8284	chrome.exe
8284	chrome.exe
8284	chrome.exe
8284	chrome.exe
8284	chrome.exe
8284	chrome.exe
8412	chrome.exe
8412	chrome.exe
8528	chrome.exe
8528	chrome.exe
8892	chrome.exe
8516	chrome.exe
8892	chrome.exe
8516	chrome.exe
9080	chrome.exe
9080	chrome.exe
9316	chrome.exe
9324	chrome.exe
9316	chrome.exe
9324	chrome.exe
9556	chrome.exe
9556	chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Jkcdt.exe
File opened (read-only)	\??\U:	Jkcdt.exe
File opened (read-only)	\??\W:	Jkcdt.exe
File opened (read-only)	\??\G:	Jkcdt.exe
File opened (read-only)	\??\I:	Jkcdt.exe
File opened (read-only)	\??\N:	Jkcdt.exe
File opened (read-only)	\??\Q:	Jkcdt.exe
File opened (read-only)	\??\V:	Jkcdt.exe
File opened (read-only)	\??\Y:	Jkcdt.exe
File opened (read-only)	\??\B:	Jkcdt.exe
File opened (read-only)	\??\H:	Jkcdt.exe
File opened (read-only)	\??\J:	Jkcdt.exe
File opened (read-only)	\??\T:	Jkcdt.exe
File opened (read-only)	\??\K:	Jkcdt.exe
File opened (read-only)	\??\M:	Jkcdt.exe
File opened (read-only)	\??\O:	Jkcdt.exe
File opened (read-only)	\??\S:	Jkcdt.exe
File opened (read-only)	\??\X:	Jkcdt.exe
File opened (read-only)	\??\Z:	Jkcdt.exe
File opened (read-only)	\??\E:	Jkcdt.exe
File opened (read-only)	\??\L:	Jkcdt.exe
File opened (read-only)	\??\R:	Jkcdt.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jkcdt.exe	wtepktomp.exe
File opened for modification	C:\Windows\SysWOW64\Jkcdt.exe	wtepktomp.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 30 IoCs

pid	Process
4388	wtepktomp.exe
4388	wtepktomp.exe
4388	wtepktomp.exe
19932	Jkcdt.exe
4388	wtepktomp.exe
19932	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\kn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\mr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\nl.pak	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\te.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\ur.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\resources.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\optimization_guide_internal.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\ja.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\lv.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\pl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Application\129.0.6668.100\Installer\setup.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\chrome.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\351dbe85-f0b6-4fec-942e-1fe7c4205bd1.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\ca.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\de.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\WidevineCdm\LICENSE	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\eventlog_provider.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\chrome_100_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\en-US.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\ru.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\libEGL.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\2a6a4ffd-6249-4dfb-bb47-cea8a72f6627.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\uk.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File created	C:\Program Files\Google\Chrome\Application\129.0.6668.100\Installer\chrmstp.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\chrome_pwa_launcher.exe	setup.exe
File created	C:\Program Files (x86)\Google2068_395311118\UPDATER.PACKED.7Z	ChromeSetup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\bg.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\chrome_elf.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\vi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\chrome.dll	setup.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\manifest.fingerprint	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\fr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\PrivacySandboxAttestationsPreloaded\manifest.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File created	C:\Program Files (x86)\Google2068_1728839781\bin\updater.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe	updater.exe
File created	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\th.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\vk_swiftshader_icd.json	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\2aadcd17-11f0-4a4b-94fa-575f8e283c2f.tmp	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\CR_15A47.tmp\SETUP.EX_	129.0.6668.100_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\default_apps\external_extensions.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\af.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\zh-TW.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\ar.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\fi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\fil.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source50396_767354343\Chrome-bin\129.0.6668.100\Locales\ro.pak	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeStdSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtepktomp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkcdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkcdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
50528	cmd.exe
7540	PING.EXE
50324	129.0.6668.100_chrome_installer.exe
50396	setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jkcdt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Jkcdt.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Jkcdt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Jkcdt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Jkcdt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Jkcdt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Jkcdt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133730454088078693"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\TypeLib\ = "{1588C1A8-27D9-563E-9641-8D20767FB258}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0125FBD6-CB11-5A7E-828A-0845F90C7D4E}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ = "IUpdaterAppStateSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0\ = "GoogleUpdater TypeLib for IUpdaterSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\ = "GoogleUpdater TypeLib for IUpdaterObserverSystem"	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{DC738913-8AA7-5CF3-912D-45FB81D79BCB}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\ = "{6430040A-5EBD-4E63-A56F-C71D5990F827}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}\AppID = "{708860E0-F641-4611-8895-7D867DD3675B}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F966A529-43C6-4710-8FF4-0B456324C8F4}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ = "IAppVersionWeb"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\TypeLib\ = "{699F07AD-304C-5F71-A2DA-ABD765965B54}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ = "IAppCommandWeb"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\ = "IPolicyStatus2System"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ = "IProcessLauncher2"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\4"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib\ = "{D106AB5F-A70E-400E-A21B-96208C1D8DBB}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib\ = "{F63F6F8B-ACD5-413C-A44B-0409136D26CB}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\ = "GoogleUpdater TypeLib for IAppWebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ServerExecutable = "C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.100\\notification_helper.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\TypeLib\ = "{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win32	updater.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
7540	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	updater.exe
2356	updater.exe
2356	updater.exe
2356	updater.exe
2356	updater.exe
2356	updater.exe
2972	updater.exe
2972	updater.exe
2972	updater.exe
2972	updater.exe
2972	updater.exe
2972	updater.exe
1704	updater.exe
1704	updater.exe
1704	updater.exe
1704	updater.exe
1704	updater.exe
1704	updater.exe
1704	updater.exe
1704	updater.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe
50540	Jkcdt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2068	ChromeSetup.exe
Token: SeIncBasePriorityPrivilege	2068	ChromeSetup.exe
Token: 33	50324	129.0.6668.100_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	50324	129.0.6668.100_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	4388	wtepktomp.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: SeShutdownPrivilege	8220	chrome.exe
Token: SeCreatePagefilePrivilege	8220	chrome.exe
Token: 33	50540	Jkcdt.exe
Token: SeIncBasePriorityPrivilege	50540	Jkcdt.exe
Token: SeShutdownPrivilege	8220	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe
8220	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 4388	2016	ChromeStdSetup.exe	86
PID 2016 wrote to memory of 4388	2016	ChromeStdSetup.exe	86
PID 2016 wrote to memory of 4388	2016	ChromeStdSetup.exe	86
PID 2016 wrote to memory of 2068	2016	ChromeStdSetup.exe	88
PID 2016 wrote to memory of 2068	2016	ChromeStdSetup.exe	88
PID 2016 wrote to memory of 2068	2016	ChromeStdSetup.exe	88
PID 2068 wrote to memory of 2356	2068	ChromeSetup.exe	89
PID 2068 wrote to memory of 2356	2068	ChromeSetup.exe	89
PID 2068 wrote to memory of 2356	2068	ChromeSetup.exe	89
PID 2356 wrote to memory of 4920	2356	updater.exe	90
PID 2356 wrote to memory of 4920	2356	updater.exe	90
PID 2356 wrote to memory of 4920	2356	updater.exe	90
PID 2972 wrote to memory of 4336	2972	updater.exe	92
PID 2972 wrote to memory of 4336	2972	updater.exe	92
PID 2972 wrote to memory of 4336	2972	updater.exe	92
PID 1704 wrote to memory of 2088	1704	updater.exe	94
PID 1704 wrote to memory of 2088	1704	updater.exe	94
PID 1704 wrote to memory of 2088	1704	updater.exe	94
PID 1704 wrote to memory of 50324	1704	updater.exe	98
PID 1704 wrote to memory of 50324	1704	updater.exe	98
PID 50324 wrote to memory of 50396	50324	129.0.6668.100_chrome_installer.exe	99
PID 50324 wrote to memory of 50396	50324	129.0.6668.100_chrome_installer.exe	99
PID 50396 wrote to memory of 50424	50396	setup.exe	100
PID 50396 wrote to memory of 50424	50396	setup.exe	100
PID 4388 wrote to memory of 50528	4388	wtepktomp.exe	101
PID 4388 wrote to memory of 50528	4388	wtepktomp.exe	101
PID 4388 wrote to memory of 50528	4388	wtepktomp.exe	101
PID 19932 wrote to memory of 50540	19932	Jkcdt.exe	102
PID 19932 wrote to memory of 50540	19932	Jkcdt.exe	102
PID 19932 wrote to memory of 50540	19932	Jkcdt.exe	102
PID 50528 wrote to memory of 7540	50528	cmd.exe	104
PID 50528 wrote to memory of 7540	50528	cmd.exe	104
PID 50528 wrote to memory of 7540	50528	cmd.exe	104
PID 50396 wrote to memory of 7248	50396	setup.exe	105
PID 50396 wrote to memory of 7248	50396	setup.exe	105
PID 7248 wrote to memory of 7224	7248	setup.exe	106
PID 7248 wrote to memory of 7224	7248	setup.exe	106
PID 2356 wrote to memory of 8220	2356	updater.exe	108
PID 2356 wrote to memory of 8220	2356	updater.exe	108
PID 8220 wrote to memory of 8176	8220	chrome.exe	109
PID 8220 wrote to memory of 8176	8220	chrome.exe	109
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110
PID 8220 wrote to memory of 8284	8220	chrome.exe	110

C:\Users\Admin\AppData\Local\Temp\ChromeStdSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeStdSetup.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\wtepktomp.exe
  "C:\Users\Admin\AppData\Local\Temp\wtepktomp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\WTEPKT~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:50528
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:7540
- C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Program Files (x86)\Google2068_1728839781\bin\updater.exe
    "C:\Program Files (x86)\Google2068_1728839781\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={68A8F50C-03FE-5756-A1D3-410E39B8C8FD}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Program Files (x86)\Google2068_1728839781\bin\updater.exe
      "C:\Program Files (x86)\Google2068_1728839781\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x294,0x2a4,0xb7a6cc,0xb7a6d8,0xb7a6e4
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4920
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:8220
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.100 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe55dc7bf8,0x7ffe55dc7c04,0x7ffe55dc7c10
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8176
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1988,i,13620748464488082762,14075436385978607822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1980 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8284
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2144,i,13620748464488082762,14075436385978607822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8304
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2404,i,13620748464488082762,14075436385978607822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2380 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8412
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3032,i,13620748464488082762,14075436385978607822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3080 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8516
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3040,i,13620748464488082762,14075436385978607822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3352 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8528
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,13620748464488082762,14075436385978607822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8892
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4804,i,13620748464488082762,14075436385978607822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9080
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5028,i,13620748464488082762,14075436385978607822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9316
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5024,i,13620748464488082762,14075436385978607822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9324
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5164,i,13620748464488082762,14075436385978607822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5388 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9556

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x111a6cc,0x111a6d8,0x111a6e4
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4336

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x111a6cc,0x111a6d8,0x111a6e4
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\129.0.6668.100_chrome_installer.exe
  "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\129.0.6668.100_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\2aadcd17-11f0-4a4b-94fa-575f8e283c2f.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:50324
- - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\CR_15A47.tmp\setup.exe
    "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\CR_15A47.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\CR_15A47.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\2aadcd17-11f0-4a4b-94fa-575f8e283c2f.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:50396
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\CR_15A47.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\CR_15A47.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.100 --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x7ff7858fc628,0x7ff7858fc634,0x7ff7858fc640
      4⤵
      Executes dropped EXE
      PID:50424
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\CR_15A47.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\CR_15A47.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:7248
    - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\CR_15A47.tmp\setup.exe
        
        "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\CR_15A47.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.100 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7858fc628,0x7ff7858fc634,0x7ff7858fc640
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:7224

C:\Windows\SysWOW64\Jkcdt.exe
C:\Windows\SysWOW64\Jkcdt.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:19932
- C:\Windows\SysWOW64\Jkcdt.exe
  C:\Windows\SysWOW64\Jkcdt.exe -acsi
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:50540

C:\Program Files\Google\Chrome\Application\129.0.6668.100\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\129.0.6668.100\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:8608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:9756

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:21716
- C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x111a6cc,0x111a6d8,0x111a6e4
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:21732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google2068_1728839781\bin\updater.exe

Filesize
4.7MB

MD5
c583e91ddee7c0e8ac2a3d3aacad2f4c

SHA1
3d824f6aa75611478e56f4f56d0a6f6db8cb1c9b

SHA256
7f67129760223e5ddf31219f0b2e247555fbac85f4b6f933212ac091a21debf9

SHA512
0edbc9a7e3b6bf77d9a94242ee88b32af1b1f03c248290e750f355e921f49d62af13acfeed118ec624fb3e2c6131226ac17bb3d206316b056c1f7cf55642e069

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat

Filesize
40B

MD5
fc5df4dfca604a9097a7e554aacc3517

SHA1
455270b04285f2196eccb56235b54d6fa6432617

SHA256
05af3c9175267493f6791119020ff9004866f997aa02a1c050ca3bad1e3d5054

SHA512
44df47111faa51fcaf42897492b48c767c751bad9e5d193005f40dd0e1bbdc0f279288a17531300063a065872cf611a65098a754101fdb813564b816b34f6e21

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
354B

MD5
227350f44c11f7dc5e4229d041dfa72f

SHA1
66f6d2bfd37e6b9df9ead8c40500db5fbd4ea9ba

SHA256
e82892f132a5432c6e8c02d6f36faea67b272497cbc82c5f0cfabde79372ac7e

SHA512
6231d93293181be9e398a2e811a0e5a0b141fd8a02523656b6c6e6740e6aab37d53139c1cd3c30b9cc0b1dac187d594189ae0131e5f44b2739de74c5c1fa146d

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
522B

MD5
8c850b5268765d44f681d6a6de950a93

SHA1
385808705353b80cc74401a97f38b4e29a17dc08

SHA256
e231a3ec9f60a13375fa1aa8d3d8d30e21a00526cb0c3d8060b7b2d34af741b5

SHA512
e0167cf371ea3bc92887e62968f107bb726ab2526ac31d217121b5df1cf7b356cfff828d947e04fd7e5c9dda8e97af18d913bc05e2727c5526b8ff40b2d82823

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
622B

MD5
819f941d68898270132eeb5f7916cb60

SHA1
84736b45d54a093ab534d816056231fec6ee4cd8

SHA256
87612880090279a04c26efef8fe26e03ca34b070e80938933a76772811f23001

SHA512
65fe676fbe605e76d1dd29bc2d65360a3e5360f0f41669c382e84c2d5a8feb9c64311fa190f111521e19ee405cc515221c86cfe8773f381bffbd0bad1855d810

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
622B

MD5
a8da43d92b33bef4f769473c10f51d37

SHA1
0bed3cf28ccaf92cedfae6fc7726d6f93bd874ff

SHA256
38e3adfcc18e2e91bd9c78c5cdbc08cc76e2a521ae55659ea9886ffe15b2e888

SHA512
9dbfb3e671f6dde17aded7838fd5532e2be1f1c39e415f479688f816d54fa23678fc701dc6ef6734e56905bd5823648840f3ced90d30b28d5d772584c5dba324

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
49B

MD5
c88c3ad52765a523b2b598bf2c5a9216

SHA1
4ebada495c7ec0e2ae7d92aa2be7c049d2b0e512

SHA256
e450a8d057f11bb4cd98343448b3fd8a70b0f22bd7eb6b84b6fb03731b36fc32

SHA512
a21348e047b3e84ce8a14a6298f518d1c4f512a7155360e1d85121d77ab9b4d51d09dbe67e6aad5a19b758f69b1a177a54c2e848de23d6cb66f6c7ff9b2c40b5

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
6KB

MD5
ba743cf594a05a3d6489f4aa5a51147b

SHA1
8eab3eba350305463ecf52bb1f1e3a5fff05252a

SHA256
b69a93adc3fea42f6d1040aa538b5b59711c8d666b3ed7fa1dca3edbba3a873f

SHA512
184be04e6bbb2e01b805a4d3d819e60ffd4ce6f0065ff5e33c228a1a73795d2b406cf3fa435fbe4c31b8ffdcb5bfe00836f2cafabb06bb84564ede757b111766

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
2KB

MD5
85ba6134601545d335ef1f84e81f7878

SHA1
cf61ad337fb48715fdc4d2ca86c8c75e3c88c9df

SHA256
4047ba21f6b287a2ad140f2520f7e8e6cd0d7375fc92f5911412b888c2a2f812

SHA512
abb71ce6b9254aeb0c1b6641ddf047fb4e1b640021b87287da6a1f3b1950c96b9d85e275ec2d288c0d321d77a34bd4dd5989dc435aaa52fb94e0460d3abba84d

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
16KB

MD5
de6e9a490355a94083be5415e802645e

SHA1
f794fb4cc4e0758141b8b160f5c97238ae71cec0

SHA256
011268b6fc9a786b499095848eb5b2d69753e1a097b491e724f4a3635b408ffc

SHA512
dddf1a6d86e10a13c924e1a046f068e3dec25bdd08ca4541ff3f1900e10c9ce04b043f7d9b8c6446416cd903dc5735c33e8a0189b234041f7659ddc239f5e138

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
12KB

MD5
6ded65989491ad3d4e726deb791520bc

SHA1
7aa62d8bde761727d8e73338a0918290428705b2

SHA256
e835864085b4f7f0be915c8722bc0d31150d263955dc6d78a15fd9b8a9404c48

SHA512
4cffb8001bbb387a4767f57200c7b8734c5843b061cdf45cf932fea5dfd6c17b01e230db3a2b407f3093d87ab37eb091eddac3129040dba5d69153ab52d06b17

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
2KB

MD5
94d495fdf4987bfe74b32ee9058170ef

SHA1
efecf8477f305973d0caf99f68e730af6e804852

SHA256
b8f27df8fd32f9396027e36ead293f82ec9b7c6e02556d331ac70d00b6b4e47d

SHA512
eccc7832c639af303b9792d1c85ce4a637475d007f8f988bf64464dd3436089504c4997cc3fa2e772db12daffe47c1ee699613c1cc6e28e8728737edf5a843e1

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\2aadcd17-11f0-4a4b-94fa-575f8e283c2f.tmp

Filesize
684KB

MD5
7d3dcde9dad9e4952a916b799273aee7

SHA1
f5bc726de9f736cf9767cca55626330e0e1abbae

SHA256
3fa22d4ce7124a70ca6dc6b600cbb3fcfabca85d3fa400551aef82906667c6bd

SHA512
2f4db5801365d2bee7db9723be7a454913c20cfa16f1e0a483ae4ce7cf0d4fa20356d8d12ed1920f4e953e3bfdba3d129247b7cdb135e52295ee08810a4c0e72

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1704_277936547\CR_15A47.tmp\setup.exe

Filesize
5.8MB

MD5
15b00bd654daccbe3f3bd0002349bebb

SHA1
897a4dc5e74966b38bce545c1a359e977a28cf04

SHA256
bf686aaa1a42895665c3c74df87bb836ae8688515066de5f403afe297e91c000

SHA512
7fb0c2b7ca9e59ef2b8a39a45ea6e4d46e521f32a191ffefe3a42eedef2e1343b2d2ec348a5cf5570bbd482c4d31cfe6f41511dc8c5169c85a76d0ebb76563ac

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
443abc095112c2595ba5b700f3855314

SHA1
170fc62f786300c4872a5aa4edb59ed7c9cf8e9c

SHA256
5047f6beb4793c819dbfdd947d9efea87a9a9a6194d7478e06c09f575c3c29e3

SHA512
824b022ae43e22976f6ad30dfbaaae8b30194373fbd1822b42c13851b936596fc214750a9bdc2bc8c1832816b7a74cf2c87bc74c2b5b3ea09e2717e8f905d78a

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.100\chrome_elf.dll

Filesize
1.2MB

MD5
cb0f6c9847b4fa5e92ab8cb77ad85aef

SHA1
088e893c50da8cc87369fea973799f3a0be553b6

SHA256
371ab400416e88184dc87f2fc3665d730938332e1c41f591d97b19aac661fd99

SHA512
2b1d743ce565e26db8226ac8891e2ca3bfe6d3283d4b7ada2fe54c1915710fbe226cef39a11dc3bfe3418c049e0ebfdea621b5ea249a717b71408c67ced5c704

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.100\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.100\dxcompiler.dll

Filesize
24.6MB

MD5
8af40ed8038255da6402f7b218dfe7a3

SHA1
d4465c4eeda4f310134169bd2c48c6ddba35c8d9

SHA256
4b884ac5e164eb583615c3d96be5cdf2d802446e9ddde9a83e5e1051c923d9ac

SHA512
95cdc36f61b943fe23acc4820d1bfd5b10090a1f976f9c1b8a6fa1880392d4ba6da776d7daa981c5134adca982ebf85b52f285076906329af427d36930494d5f

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.100\dxil.dll

Filesize
1.4MB

MD5
30da04b06e0abec33fecc55db1aa9b95

SHA1
de711585acfe49c510b500328803d3a411a4e515

SHA256
a5fe1d8d9caa2ff29daffd53f73a9a4e19c250351b2abe4fc7b57e60ce67ac68

SHA512
67790874377e308d1448d0e41df9dd353a5f63686df4eb9a8e70a4da449b0c63a5d3655ab38d24b145ad3c57971b1c6793ea6c5ac2257b6eb2e8964a44ab0f08

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.100\elevation_service.exe

Filesize
1.7MB

MD5
472b2328d62fec7e774166fd75c18ff6

SHA1
b8b9fd3ea8c634c39e64532be6a9fe668f705cc2

SHA256
56291421da56a296f3f0aef18ca0fb3c0925779eee7b4734a07a24e59348d9ce

SHA512
d2db62ac321186f69bcf8f57b963a2251593cb2118c28681e0081b178a654b97ad4ebfcffedaaa2d7adeb105d867899462856c953c2acf8bce1e48ee37386c30

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.100\libEGL.dll

Filesize
493KB

MD5
cead8b36d50fae64a2fc9d5b33021369

SHA1
839cc37ce5a2e2a96dea0f0d95a0baed40b55f14

SHA256
a33c9376c2ea5b7ce3efaf9d33e849c76a09cf90f3e054d78a7d946535d42578

SHA512
da873c4ee570cebc3343e1e3d283a4212a87dff69a2b00dd8737447c780acb7b13d70e7817c7503f43788eb7fde44fae5fd2b7ead5435be421dfd48fa6a05294

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.100\libGLESv2.dll

Filesize
7.9MB

MD5
7abdf3f3d392ef02de2cb7c5a3b16394

SHA1
fb8f0ee543d14aa57988d3afce749d06b09c97b3

SHA256
7263be93cf08fed039a3f92eeef8141f7fe453189aa114047d55a4291247f8a6

SHA512
7fd1855dfaa18feea547dd40c85390e0a675629d05c4c6e53fc16cba53467ad76646e6916c48736cab1c526650349160bbd5c699ab153d9b79c7aae2cbbfae71

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.100\vk_swiftshader.dll

Filesize
5.1MB

MD5
4067511b10f3a5d51da3cbe5b0a58660

SHA1
ec890ee4131c1548969ccc24a4e68eb94d9292be

SHA256
f13c03d0527e79d498060d29c1193b4cc9a86039c798bbec69236e1cdad4b304

SHA512
08060809446410702e89acf341273b5a207271247f38d6adcfb5bfddb43b984d6136cea59656c38ae1d42c442ab3d06c8884b8759d15b912678805ce947712d6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.6MB

MD5
47679449e8a738d8b1849668622e7c9e

SHA1
6cca4c66d8fb1fddded32761db2a63a8665d8d12

SHA256
2d2a32cbcced69610445d92965ca710ef2da89c3788ebb98ff8612ebffac917b

SHA512
2eabd0b2a34016334bd718b885f4f2a106be10380ba27a3c52c0e5b0a455a41583bdea7307c3209488b2662b30500245d47eb1a230199322c49901279ac58c6f

Download Submit
C:\Program Files\chrome_installer.log

Filesize
21KB

MD5
6653c9ea0741273d341fe54cf392cee2

SHA1
f01ee9349af9d584d6ee5460579c22cd68db18a6

SHA256
05dbfa9168d56ba492c4906ca34f58821161127e23a0df08e33055e0e40e8568

SHA512
15bef509c6fc13385d8df70115b25dc809f16728eafbaa077c512fe630830e737875ea12973d59ec4f0fe85183a822b450f57340be40f634e0445426b86a616f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

Filesize
2KB

MD5
dd1a3e757214d9962ff8659bb7e9289a

SHA1
109b78b82ffe762558dfa077df70082c984d9865

SHA256
17301f18e23e8f626a2d37a7bd62b97aecb16b2ac0cf5d35474a917623988553

SHA512
408a62faea84ce35815f893281e68cd81b2067bf9a9c8a89ea09a2e5f0d73ce56b04a37ddefad5d3d4a28b9c68650769ac7dd55f07f8338fbcbab45fbbbd9036

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f6c3e93eecaf26cc5761dafd30c07b41

SHA1
f567a9943e3173e85d2f5e7d65fe854ae4be6f32

SHA256
da19648c12f1772df0f7cea2ef1dd345a3e3818dd0a0435e95dccc8c48b0b824

SHA512
95d596807bcc460e01a501c9cc1d77b7866da1c9cdc1152bdfee95f1ea758ce7c0881e413dd850e4691d20ac4262a1ffbd721006160048dfa5c178a3a70ce7b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
18c02ad4335962f03bd0a48229646667

SHA1
5eb9e1b758a777ae6e46ee659306b852ceb456e6

SHA256
dea5ff87b3f54a61435866c6f528cd3ffe7e1513eceee060297155f856907a8a

SHA512
227e2d6f12e319cd79b8f96e0e6612b5dc5cba8e799d7d0afb0bc0e467d59c4984ef5cd59622e65c61376515cbc837a84aada9a6c323dac0baf6665a3417a5c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b8f89406c3b6590f49c71fa09ae7f02c

SHA1
ef84e11447e4f683246e2dc30394fb5af0e4258d

SHA256
840ac64c79a089c469c34edfd316898bc10f69ef141ecaa80b3629a72e332564

SHA512
91f98b47af260b11acb0b3313e851191d879744d3630e1e136e5a5be3e5b0f224f5b24712e1baa7e010e570da4d11e4307545022dd18f33707aa589f2a961701

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
06f4c3c08807fdcef86ab4c1dcbfc193

SHA1
0c2a5cce8fb05851bab2d9d31f7aa104c1789524

SHA256
b577a0b0769a839f026dd546d4c6734bbbe4f5bde31272e28657f1ca9be23232

SHA512
c5c5604ad659cc01db6ea265f2c5812d75ce9af97814f1d69e0eb96048d2ad4939b409c188dc0c47a87d569aa50eb349a227352e9bd381fb007ac5ea995d0a28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
f4ceee8bf93a31a8dc205a663523208c

SHA1
f375a9e00c7a56eb05790536efc6f8c0fd9745fc

SHA256
c1961a444b30ba80e2daf3b63e4a78e912f28760d6f6700b4c7ea66ea58794db

SHA512
9a77197edba28e8ace8f28f02b6e66fd0e41432cebc848e69791681a67118c8ce06ba47943cee3db2408728215c329cfd6e14c8f89ea2c4f5fe5537c40ce7f1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
209002c4c74fe792452a99f3e018495b

SHA1
1e58761ba01c5ba62ed059b46de2104f3521d87f

SHA256
64e189c87d224222990a84b9fb6618aa4b02a02ad74b25ca74512a90c3d94b81

SHA512
d6da606f94581f24e394d8cf1320b100dba989997df11dd5d092f072559d7bfb97ddc3aec6a67396b0757d8c1dceb7e4a887de4c5ae4817d1e8a7519fa0e0fc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
137e761538cb7e8242acc64aa9e77a31

SHA1
f9a655660344d49685d3d1a296f7ed37c9a6cd4e

SHA256
83068e0b205d2ed41eabb30ab0abc6d9a2c79d15d464ae8368b8f953f3974a47

SHA512
a28c78de668b067c884d476d903b8c8f2fc6e05e628ae22bf3f26f12fb24b908699a7759e79950df3dd5bb98b200f8ec58ebacea8534b6c9b16b2d69c38297e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe

Filesize
8.5MB

MD5
cd32eed7ff292c4be642d7effbcb7a81

SHA1
168b1c3861b0ff480250284b70a6d57b8852a629

SHA256
2e8957863173f7c3ce0e966b7683c04c16c01bdd78e41b6dc2a4b91a1d8f9181

SHA512
597dd3315a05a0dc28a9fd31b24afbe4f6d2094fc95e8c3b5724368d5a15c97ad71c9dee178ae8ef467a32d8bc8aee304bb1b8e560bc964183ff1eaa610f83de

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSWWpOOCvT0g70l.exe

Filesize
5.8MB

MD5
82b07eaf5b509df826c8a9268df0fb16

SHA1
1151a73ff6ff839f48f7f0d46e343b41c1ccd53b

SHA256
63cc4a2c48ede5aae448420f6ccefb9b7fd4739f6ce17733b453e804ba91977f

SHA512
065198bb5413029daad01edb7aa8bf7d70fcab71aeb8e7638f2493d63c6da1efecf0f7df9ffd96586c51317626f9b36ab86e9cdc9a65e3ce86808f24d9269988

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtepktomp.exe

Filesize
27.6MB

MD5
4ce843f56cbad3ab43caec3ba7f6071d

SHA1
999ecf6203235a3efc3ffa2d599ac4b4ad3e3c2a

SHA256
ae783b3c7bcb5ea06fb5eb671da35cbab84fed9ce035c3a322733f409d1dbebe

SHA512
fc5992edb859c064a31128dc227158d79d29446d1036c453513e01ba201364b20be118243a36fffdd3deb8f3ec1da85a0896edc99e2de9e4dcdeaf49131e5b96

Download Submit
memory/4388-13149-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/4388-14820-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/4388-31-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/4388-42-0x00000000758C0000-0x0000000075AD5000-memory.dmp

Filesize
2.1MB

Download
memory/4388-5964-0x0000000077400000-0x000000007747A000-memory.dmp

Filesize
488KB

Download
memory/4388-3955-0x0000000077480000-0x0000000077620000-memory.dmp

Filesize
1.6MB

Download
memory/4388-13158-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/4388-13159-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/4388-13157-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/4388-13161-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/4388-13163-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download
memory/4388-13162-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/19932-26254-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/19932-26285-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/19932-26274-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/19932-26271-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/19932-26272-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/19932-19060-0x0000000077400000-0x000000007747A000-memory.dmp

Filesize
488KB

Download
memory/19932-17051-0x0000000077480000-0x0000000077620000-memory.dmp

Filesize
1.6MB

Download
memory/19932-13176-0x00000000758C0000-0x0000000075AD5000-memory.dmp

Filesize
2.1MB

Download
memory/19932-26275-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/50540-39355-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/50540-26286-0x00000000758C0000-0x0000000075AD5000-memory.dmp

Filesize
2.1MB

Download
memory/50540-30160-0x0000000077480000-0x0000000077620000-memory.dmp

Filesize
1.6MB

Download
memory/50540-32169-0x0000000077400000-0x000000007747A000-memory.dmp

Filesize
488KB

Download
memory/50540-39354-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/50540-39356-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/50540-39366-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/50540-39359-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download
memory/50540-39358-0x0000000000400000-0x0000000001FA2000-memory.dmp

Filesize
27.6MB

Download