hxxps://drive[.]google[.]com/file/d/1-GfuPqmi0Td9BFQqYiO5RWyopXjq5e3B/view

Analysis

max time kernel
60s
max time network
126s
platform
windows11-21h2_x64
resource
win11-20241007-de
resource tags

arch:x64arch:x86image:win11-20241007-delocale:de-deos:windows11-21h2-x64systemwindows
submitted
25-10-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1-GfuPqmi0Td9BFQqYiO5RWyopXjq5e3B/view

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1396	pvzHE-Save-Relocate.exe
1704	pvzHE-Launcher.exe
2704	PlantsVsZombies.exe

Loads dropped DLL 10 IoCs

pid	Process
4056	植物大战僵尸杂交版v2.0安装程序.exe
4056	植物大战僵尸杂交版v2.0安装程序.exe
4056	植物大战僵尸杂交版v2.0安装程序.exe
4056	植物大战僵尸杂交版v2.0安装程序.exe
4056	植物大战僵尸杂交版v2.0安装程序.exe
4056	植物大战僵尸杂交版v2.0安装程序.exe
4056	植物大战僵尸杂交版v2.0安装程序.exe
4056	植物大战僵尸杂交版v2.0安装程序.exe
2704	PlantsVsZombies.exe
2704	PlantsVsZombies.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4572	icacls.exe
832	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
5	drive.google.com
6	drive.google.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4592	GameBarPresenceWriter.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\pvzHE\fonts\fzkt.TTF	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\gdi42.dll	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\app.7z	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fonts\fzyh.ttf	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\pvzHE-Launcher-winXP.exe	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\fonts\fzjz.ttf	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\fonts\fzkt.TTF	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\bass.dll	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\fonts\fzyh.ttf	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\fonts\wryh+pico12num.ttf	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\pvzHE-Save-Relocate.exe	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\uninst.exe	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\fonts\fzcq.ttf	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\bass.dll	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\pvzHE-Save-Relocate.exe	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fonts	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fonts\fzcq.ttf	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fonts\wryh+pico12num.ttf	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\logo.ico	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fonts\fzjz.ttf	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fonts\wryh.ttf	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\fonts\wryh.ttf	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\main.pak	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\main.pak	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\gdi42.dll	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\PlantsVsZombies.exe	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\PlantsVsZombies.exe	植物大战僵尸杂交版v2.0安装程序.exe
File created	C:\Program Files (x86)\pvzHE\pvzHE-Launcher-winXP.exe	植物大战僵尸杂交版v2.0安装程序.exe
File opened for modification	C:\Program Files (x86)\pvzHE\app.7z	植物大战僵尸杂交版v2.0安装程序.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pvzHE-Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PlantsVsZombies.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	植物大战僵尸杂交版v2.0安装程序.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pvzHE-Save-Relocate.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133743471565047817"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\植物大战僵尸杂交版v2.0.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
4056	植物大战僵尸杂交版v2.0安装程序.exe
4056	植物大战僵尸杂交版v2.0安装程序.exe
4056	植物大战僵尸杂交版v2.0安装程序.exe
4056	植物大战僵尸杂交版v2.0安装程序.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
2924	AcroRd32.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
2924	AcroRd32.exe
4056	植物大战僵尸杂交版v2.0安装程序.exe
1704	pvzHE-Launcher.exe
2704	PlantsVsZombies.exe
2128	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 400	1164	chrome.exe	80
PID 1164 wrote to memory of 400	1164	chrome.exe	80
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 2880	1164	chrome.exe	81
PID 1164 wrote to memory of 4900	1164	chrome.exe	82
PID 1164 wrote to memory of 4900	1164	chrome.exe	82
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83
PID 1164 wrote to memory of 4284	1164	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1-GfuPqmi0Td9BFQqYiO5RWyopXjq5e3B/view
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1411cc40,0x7ffe1411cc4c,0x7ffe1411cc58
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1684,i,14989010791371968160,1773057555495828584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1680 /prefetch:2
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2016,i,14989010791371968160,1773057555495828584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,14989010791371968160,1773057555495828584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,14989010791371968160,1773057555495828584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,14989010791371968160,1773057555495828584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3740,i,14989010791371968160,1773057555495828584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4384 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,14989010791371968160,1773057555495828584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4964,i,14989010791371968160,1773057555495828584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5280,i,14989010791371968160,1773057555495828584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4868,i,14989010791371968160,1773057555495828584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:1668

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:964

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_植物大战僵尸杂交版v2.0.zip\杂交版v2.0指南.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Users\Admin\AppData\Local\Temp\Temp1_植物大战僵尸杂交版v2.0.zip\植物大战僵尸杂交版v2.0安装程序.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_植物大战僵尸杂交版v2.0.zip\植物大战僵尸杂交版v2.0安装程序.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4056
- C:\Program Files (x86)\pvzHE\pvzHE-Save-Relocate.exe
  "C:\Program Files (x86)\pvzHE\pvzHE-Save-Relocate.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1396
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\ProgramData\PopCap Games\PlantsVsZombies\pvzHE" /grant Users:(OI)(CI)F
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:832
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Program Files (x86)\pvzHE" /grant Users:(OI)(CI)F
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:4572
- C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe
  "C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1704
- - C:\Program Files (x86)\pvzHE\PlantsVsZombies.exe
    "PlantsVsZombies.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C0
1⤵
PID:3392

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:4592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\pvzHE\PlantsVsZombies.exe

Filesize
11.1MB

MD5
5eb4b93a103edc16ec6655485ad85982

SHA1
e2b56a04c40247175085e5c32c6367db323c105e

SHA256
acfcb9eae3409391218e69ff3fe5c9424a4486d7ec752e889a59bf6bc784d961

SHA512
fe4a81562037f4fa4c005dc27b180311eb855bcb40c8fab981ba88567ef0b90528dd780e6239b810a5cb221c32b50eb29bbf524897ed3bda57b78d42e0f0d47b

Download Submit
C:\Program Files (x86)\pvzHE\bass.dll

Filesize
90KB

MD5
6731f160e001bb85ba930574b8d42776

SHA1
aa2b48c55d9350be1ccf1dce921c33100e627378

SHA256
3627adef7e04dd7aa9b8e116d0afc11dcee40d0e09d573210a4f86bdc81a80b6

SHA512
07ae0cb85464b015b35e6157228775a6ac66e5e62a1b47f9395307b61176b6df835e00a1518846507718acffc271263008cc8a9b2c1e8a0192c5438774e12437

Download Submit
C:\Program Files (x86)\pvzHE\fonts\fzcq.ttf

Filesize
2.4MB

MD5
2167a0f0bf3f1cb718f2683d13a4c887

SHA1
bb9c3bdafa5a0032ae2fa4e1b90c08c153a40026

SHA256
5b7d4a996fc1077774a5a37c3dce400d6c7af152c95c17e80a257fdfa01b299d

SHA512
9b18e693ba428a464abfaf482559b7e602339ce2125eac06a0127f9735aece5b593329591e4f33bf3b1d609b394949ebfde6270bd68ee8efd36900d449d70403

Download Submit
C:\Program Files (x86)\pvzHE\fonts\fzjz.ttf

Filesize
1.4MB

MD5
b020f94b37feaebe8827cbe20574f3fe

SHA1
0909fab3388b8c5f0af1a88bb0ca63e825ba89b9

SHA256
d6e6bfaf209c2e6536b7fc91e73cfd0c65320913775bdd2c552b34cc6a4e3ad3

SHA512
a282e437fac567d7f27f6a1f6e99e9a37d5e5f2512c5e2f45534c5116a9e06e545dd6197367dd1c300cdfcefdbe2be3552ee4c136063f188f93f6d01225ccbd2

Download Submit
C:\Program Files (x86)\pvzHE\fonts\fzyh.ttf

Filesize
3.9MB

MD5
d8d4f4cd37f444e0d4a32e7f8d429b1f

SHA1
ffa5c01deeb65d36ffdb118e24351e958775b425

SHA256
ca830a3680be9a70c8a661d5f7327b6d24c7059ca783ad7eb6d75be7919326fb

SHA512
9577b0444fc6aebb5d7b902317d22d8a7fd39fd1fcdc7698f40d35e94905fbb3091ac536c2ca3789e9a9913f73908b756a4489b10fcb42727d93bd2eba55fbd4

Download Submit
C:\Program Files (x86)\pvzHE\fonts\wryh+pico12num.ttf

Filesize
13.7MB

MD5
ee6f32d05c738b25d7b8476f09d2a4e2

SHA1
cec7dcaa5219a47826cff8b9d35a55fe8eb23c64

SHA256
04242d27b05860c07906fbf0d5276b25e5951f892be898c59d4c9b755d79f52c

SHA512
62b72347513ec2b9d78e8f13ffe0a11433c4a288fb10ff02849d4a48c005bc28f5f6f220916fddf01d28a4e238a75860f35ba924fd93efa628812873fc173b7d

Download Submit
C:\Program Files (x86)\pvzHE\fonts\wryh.ttf

Filesize
14.3MB

MD5
c2db9c4749c6ecf521ffca0dd8f62752

SHA1
b65631674c73acb0c5b3f40b0e4cb875c15ce377

SHA256
c3c0e7bbcec69ee4765a53831c7be310acaca1ec1b408974ca4f4c73c1aa400c

SHA512
cd49890025a987d9a1754156d036b8c337c6ad50f1504c1ddbd23c50ce5a622cf0cf51784f5c99eae8e6b8f1f0f8a6f70be064a0cc731064f8aa643bb252d5fe

Download Submit
C:\Program Files (x86)\pvzHE\gdi42.dll

Filesize
2.4MB

MD5
925373c5522569c053ae3ff9a8879a40

SHA1
8e18a8dea1add62d9fb56414dfe42fc1c04b2505

SHA256
57d7f0a0290fbf80d2b3399ba102df384fbc27edaee77fec86a5c106f4bf8429

SHA512
2e239ba0fbab72d7bfef07746e287ac359341b5f96d14b754e8a16165da542ddb5431feb044ebb6b7084a06a33e65ff964b1cc2da9a6f2be0eb4a9a38b39278b

Download Submit
C:\Program Files (x86)\pvzHE\logo.ico

Filesize
264KB

MD5
6fb38ffb714d6d7d1e12697513fef822

SHA1
ce7e98021d2dbeb3108e373e217deaf3019a20d3

SHA256
ad55f328eb4dd9290a15dfbf4da474baed3269f934fd4a86de7b9487ee450cc4

SHA512
bcba7e5a9e4b619b0b9192d4e6c5efc31a2b08c65ac7339338712bc4891f9beb12625e9c816f124022129336e7ce84ba86dadd94394b09d32b0f7165361fa266

Download Submit
C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe

Filesize
1.7MB

MD5
477c0edf4d9a20eb949582457996b2e2

SHA1
09030647039b6c76128759133bafc3e3ddee7f2e

SHA256
394360c438692fd46d2576e51a87ef09a6643b491e5cc6ee405ea5575905bca5

SHA512
72f19fe6e2e60ffcbcd3e9645ff52cdaf3d1722df3a5a74d6ff1c06250e6629e3936149597a07344902bda1f02b435237965b53ec38e90a51a190bb0187712cc

Download Submit
C:\Program Files (x86)\pvzHE\pvzHE-Save-Relocate.exe

Filesize
1.7MB

MD5
c7afc46bb41f5d7f97e60b76329a2398

SHA1
d18fd7153023ebca9cdc7df6d25a4142aae8e79c

SHA256
269c238bbfd9f30c4490235cb403e2dfea3fbdc3db7c8dc367db0403ea908295

SHA512
5766213d579891763220a6c7ae1fea317721b091e3b02fad2141cf75a5e44afa99a9320f0a74faa6dd1a590ba24668a1a90d6d368ecf8b0614689764253ab9bc

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e37d2ce652fc0c9b9f4a50e3ee5be7db

SHA1
1c69a72a8ae74f4c0bb746dcf5ab2467ec902782

SHA256
18b74f486b7b181865bed28188e178060ef79d64305127bdbb4690568568f532

SHA512
b92d5c8659f6170af8c51f2cebc31fb2edfb5517247c6cbd1e17944958f946848b07b7d8add9ee171f50e43563198ef47af33401aaf06dce01f67284fbccf9cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
cde8afc2f44d0189b55d4d6e1298a56a

SHA1
22be919fe6eb9ea9f746f980db9824c39e964ea7

SHA256
445a5bdf79c396e3b7e71107a2030048d225f2ba995a437cb17d742c4d069b45

SHA512
e77c29fb3739d6face27edc64dda9cd182b91b472833813b42c6a36c101b1b3efa09d0c81a82269633c3181ea2cfed2822794dfdf394a077911cd5a92c7090c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
081c7f8da24944b46811eaead9d5cf5f

SHA1
45493828ceb488cf8ded6d0098fec7718be76265

SHA256
d728f32634942ac5ae2144bdf4083fe2fc60f4c43133d12e69a8e9e3aa6f49c0

SHA512
7e3605e182490cc438e17026c047a100de0158cd2d3d9e0688606448ff90c7ffba2107a75577cff8b9b6b7b1f948a3ca6ff664bffcf0ddefdbc78611e08f1bdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
a49506ebb05ea41f563993a2d262bc3c

SHA1
c520d2580b53f8effc08b9c6f97ca7f472accfb2

SHA256
e60ff43e66ab252eac49c64495bc1247306c0e6a59c968b7b912e4849054d3c8

SHA512
d37c17f95279600e722e8105aa73dc256c693fa8cad70a983244417041390af3c3d2ffc7251961ffdbb3c897a4eac4e42ffa9a2250529a2e6ac6b94dcf4b4684

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5076a8b54d0ab3dab21e76ae313f6497

SHA1
85cdc272f48d26b7af6a7a7c100adbae824aea5f

SHA256
7dc1da1b799e2a52f13d2750f8fd1db6f0d22bf9cf0ad79be833b8aefc6e81c2

SHA512
69a7c409dfb7a03572319aaacc4f25b844c6db0d72f3d37d617e65a84733d4de37ce1b101a945b0c00a51428cb2316e5865bb26307bb159f34eea8c2a699c0c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d32b6378b83d770403bbeb6de08ba4b

SHA1
a667486f87dca6608a3707b5c3589b3e0f2d0274

SHA256
5783e7bd79123dde3d0dcf6147b9208069d0575e2f3b9746d52786788169ef47

SHA512
6cb2517268cfc0f7f78c2f74c830738d363264784b02a24febe738d3b7fc2ea3656d0f11edbc50f1a38f991d83d348667685689c4cae192976bfbd8ef847b8e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
76100285972e10f596913f7e72c28272

SHA1
d6aeeaf620cdb24990889c3e12dbb599ce6a43e4

SHA256
447fd398a9f6255602301d2e07daf648baf81212837d1b8cba68f65c445e4392

SHA512
cec652ed04f9f92e6935e1c11afb9ada1bcd39800a00f25b51bf98645c709b8dda1d8f4c83f5e654eb8128d93d1d45108eb6d097f36d533a9ded81bbdd1acaa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
87c0797b58ddc6d1d3183551e8cdb779

SHA1
ac5cc32cdd9bb9ab72e42b9e1b4f92a1e304cc1d

SHA256
4a3becc46fa3bffef97a072dfaa8b1d6f874ae97fa8182f79ecd1e8f513ebe80

SHA512
2375f4ad2bb490657799798086fe47015c3d80a860ee2f6bb9aee608f0baaa7d2e43592d3637744c63fd28d721a009fd4812e3dee72f9b6de7a346f36357a969

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b2d03c4af0c63bf2bcfc2c4425b49560

SHA1
4783d8e733a69fd7db4da23e7eecee59d4da2a92

SHA256
777a2c250c5321acab1a4e40b6c8e3e944a06c1e6eb4ff9676f1670fc8ef4fd9

SHA512
3ed97fc3c12369162429a8a19ddf51771cbfbcae9bdffcf81f7f4290d82e9ed843d24b344864f7b133acb27f99f1fe0ae65ee2e31dedfb9299e206d22b0284a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d6f313e485a8794b1876b732a5b3e613

SHA1
6011f5f297e2d7339d59e2161e18e74afffa33ec

SHA256
21bfb2ce8c4c44e01bc36c3d13f565a5822a9f326a0c355e5ff44c2d3ab0f456

SHA512
2099a68b7a09a1a6d472c64af63155b38e8f92e9145a320fb02ca3e981607991415582988b6bc8566cfb14831917461ca39bcec1a07a3ea103a9c581949258a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a0e4937338c5666be069419c40d1c0da

SHA1
feb84c3897e0e2c26561c2acc0e738344d5560d8

SHA256
ed9cb9b4f2ff333318b2faf90311cdf1ed351ac8c664e236708a873d0a87540b

SHA512
88dae204ebab0ff3dbe5344395ce4db7503db152f02ea7ea234f1853fb0c9a0048d1be03b19be4758320dced4ff6adc4d630bbab277f141a6176a5125dff4f57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bd52258d7dea970a3e989da2d6f5ed90

SHA1
9c729a0e08f942869a3805c33ff4e1559781ef00

SHA256
d47ab6d0af5d124981865aecfeb719a22a9826812f1c093d8ba20f4200dad91c

SHA512
00255f544e422b52c2730733d7fbd52da7722bc30f2c48537bdcbd5058e9f52a3009043e540270764316e8a19b8a1db7f309e744aa7d2c1a503113521b75e239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
43fc52dfed9acc2e873aa0b818dd6be2

SHA1
714477b437c01310825ccaf1cb3c4155af39d9f2

SHA256
9d9b79cda55c7fd69dc3b3085feb086a7cdeb2710c4ae1700aacc1811fbe6bba

SHA512
8fadcc536bc2b503723c81420b4b8df54fdc08a7649529c6ab2c552f8cf0fe887a3084a68df70a08144ae86753bc92f20656f8796b3bf581a1e68183b09f8a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
0dfadbe4fcef198d0e2aa97f8244f337

SHA1
6a1e2c6b292febfb056a0917c4fe7893801e7138

SHA256
941b1ceb71d21636b8ffd62f3809efd605a41455f03c624ab20ecc6165310caf

SHA512
478eccdc705db512906ca640a53df85b78b541ff3ee89e39ab444aa30bf80fb2e2cf2892e7acfcfce55f3d0da954bb93f7aeeae5ab21739a141ce5d16b63e48f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
67901d49853d13f04c1f37d8800a9120

SHA1
be104ef121eef14eb1cfe2c356a6270b7b1f5b4d

SHA256
24adf66425c52e118fc6b3040835b550bd7693ce25979c096f65d81fbf1ff000

SHA512
2f1bd7b450181fe8766c229d3dd7ce7d5265591f8626fe1a7a226765d54138f37740a9c6aed2471b8618673b9e64e18f1c9841563d882718c4394f6facc57458

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5A51.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5A51.tmp\ExecDos.dll

Filesize
6KB

MD5
774e3b33d151413dc826bf2421cd51e8

SHA1
ab2928dcf6fa54bb9eb16e5f64bfcffaaeee90fa

SHA256
91d5481f576382164703e4ac244052265769377838ac30233ad79c983ed9d454

SHA512
3cf955b13e81e4b6edb292df751ce7f64b0cf30979f57b1609f002859b4e68adc046b6674f76f7b7ce7144382316c344c11fed02d638e62fcc8464c32795a365

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5A51.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5A51.tmp\nsNiuniuSkin.dll

Filesize
891KB

MD5
cb9ccb0f6923b5e38221a2c9603eb669

SHA1
7214cae53f36cab79841e9d49b07cffd7ce5e1c5

SHA256
6a38b8084e7493ff57ea3eda7101fbfd6113d8470531b479ce05cefb4e34bc79

SHA512
5d510870559737ba9f10447716a654e3aa609b64a1b753e2d3722b7b92e1768980d2ff070e639add57a13a7941c1d680ffa6e13abd47c44b1d18a230590ebb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5A51.tmp\nsProcess.dll

Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5A51.tmp\nsis7zU.dll

Filesize
313KB

MD5
06a47571ac922f82c098622b2f5f6f63

SHA1
8a581c33b7f2029c41edaad55d024fc0d2d7c427

SHA256
e4ab3064f2e094910ae80104ef9d371ccb74ebbeeed592582cf099acd83f5fe9

SHA512
04b3d18042f1faa536e1393179f412a5644d2cf691fbc14970f79df5c0594eeedb0826b495807a3243f27aaa0380423c1f975fe857f32e057309bb3f2a529a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5A51.tmp\skin.zip

Filesize
2.4MB

MD5
293238829de472db381be13aa9173495

SHA1
75d6d4bc7992385167d1d4318edc9beb953db641

SHA256
7442eea2b3cc5865d6a18d47828840e5545b32ca8273c1d90ab55092e1c760af

SHA512
c7b44786810957f45c5e955c2880dd2f1d83fbe7715855d0f495de98372cf74b3a4a6e00e2dbe851fe69ec4212d1938fcb5fca882f722811060fccb3e5d5939a

Download Submit
C:\Users\Admin\Downloads\植物大战僵尸杂交版v2.0.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/1360-454-0x000002375C600000-0x000002375CDDA000-memory.dmp

Filesize
7.9MB

Download
memory/2704-256-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2704-480-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2704-481-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2704-470-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2704-491-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2704-455-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2704-501-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2704-453-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2704-451-0x0000000000400000-0x0000000000FC8000-memory.dmp

Filesize
11.8MB

Download
memory/2704-449-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2704-519-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2704-254-0x0000000000400000-0x0000000000FC8000-memory.dmp

Filesize
11.8MB

Download