xred | 2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386

Analysis

max time kernel
599s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stix_Advanced_Tweak.exe
Size

1.5MB
MD5

43afea647840c9ed1d2888ce8c85ed32
SHA1

a9ca7722b5d49f42ae01dc20d3b7397f67647cd0
SHA256

2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386
SHA512

ffe6cb55700d3e27544315998300c6d2532fa7b9085d9dd83088eb4579124579595c06ef9abe2fcc532468c5477a6fa13c57af2ae24df28b064050691ab48bc9
SSDEEP

24576:2nsJ39LyjbJkQFMhmC+6GD9k0TO7wx6RZrLSQeMeNyUc7nyWOqmpezMJQF:2nsHyjtk2MYC5GD60TO7JRZHSSr0py

Score

10^/10

xred backdoor discovery persistence phishing

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
A potential corporate email address has been identified in the URL: currency-file@1
phishing

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Stix_Advanced_Tweak.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Stix_Advanced_Tweak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

Processes:

._cache_Stix_Advanced_Tweak.exeSynaptics.exe._cache_Synaptics.exe

pid process

3172 ._cache_Stix_Advanced_Tweak.exe
3968 Synaptics.exe
2812 ._cache_Synaptics.exe

pid	process
3172	._cache_Stix_Advanced_Tweak.exe
3968	Synaptics.exe
2812	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Stix_Advanced_Tweak.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Stix_Advanced_Tweak.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

111 pastebin.com
109 pastebin.com
110 pastebin.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
111	pastebin.com
109	pastebin.com
110	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.exeIEXPLORE.EXEStix_Advanced_Tweak.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stix_Advanced_Tweak.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1732123750"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143000"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{92DA74DB-A04B-11EF-ADF2-DA61A5E71E4E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1732123750"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1734311022"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438108167"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143000"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143000"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133758166873688596"	chrome.exe

Modifies registry class 2 IoCs

Processes:

Stix_Advanced_Tweak.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Stix_Advanced_Tweak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

632 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

820 chrome.exe
820 chrome.exe
2028 chrome.exe
2028 chrome.exe
2028 chrome.exe
2028 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

820 chrome.exe
820 chrome.exe
820 chrome.exe
820 chrome.exe
820 chrome.exe
820 chrome.exe
820 chrome.exe
820 chrome.exe
820 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

._cache_Stix_Advanced_Tweak.exe._cache_Synaptics.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3172	._cache_Stix_Advanced_Tweak.exe
Token: SeDebugPrivilege	2812	._cache_Synaptics.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe
Token: SeShutdownPrivilege	820	chrome.exe
Token: SeCreatePagefilePrivilege	820	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

._cache_Synaptics.exechrome.exeiexplore.exe

pid	process
2812	._cache_Synaptics.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
3996	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe
820	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

EXCEL.EXEiexplore.exeIEXPLORE.EXE

pid	process
632	EXCEL.EXE
632	EXCEL.EXE
632	EXCEL.EXE
632	EXCEL.EXE
632	EXCEL.EXE
632	EXCEL.EXE
3996	iexplore.exe
3996	iexplore.exe
5096	IEXPLORE.EXE
5096	IEXPLORE.EXE
5096	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Stix_Advanced_Tweak.exeSynaptics.exechrome.exe

description	pid	process	target process
PID 1588 wrote to memory of 3172	1588	Stix_Advanced_Tweak.exe	._cache_Stix_Advanced_Tweak.exe
PID 1588 wrote to memory of 3172	1588	Stix_Advanced_Tweak.exe	._cache_Stix_Advanced_Tweak.exe
PID 1588 wrote to memory of 3968	1588	Stix_Advanced_Tweak.exe	Synaptics.exe
PID 1588 wrote to memory of 3968	1588	Stix_Advanced_Tweak.exe	Synaptics.exe
PID 1588 wrote to memory of 3968	1588	Stix_Advanced_Tweak.exe	Synaptics.exe
PID 3968 wrote to memory of 2812	3968	Synaptics.exe	._cache_Synaptics.exe
PID 3968 wrote to memory of 2812	3968	Synaptics.exe	._cache_Synaptics.exe
PID 820 wrote to memory of 3784	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 3784	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 4856	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1180	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1180	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe
PID 820 wrote to memory of 1544	820	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Stix_Advanced_Tweak.exe
"C:\Users\Admin\AppData\Local\Temp\Stix_Advanced_Tweak.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\AppData\Local\Temp\._cache_Stix_Advanced_Tweak.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Stix_Advanced_Tweak.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3172
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2812

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffce8cbcc40,0x7ffce8cbcc4c,0x7ffce8cbcc58
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2204,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4452,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4924,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2944,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5268,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5244,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5312 /prefetch:2
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5320,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3368,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5116,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3200,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4048,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6088,i,15084328027691786651,9599572793355190118,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3996
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3996 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.5MB

MD5
43afea647840c9ed1d2888ce8c85ed32

SHA1
a9ca7722b5d49f42ae01dc20d3b7397f67647cd0

SHA256
2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386

SHA512
ffe6cb55700d3e27544315998300c6d2532fa7b9085d9dd83088eb4579124579595c06ef9abe2fcc532468c5477a6fa13c57af2ae24df28b064050691ab48bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\546496fc-ca8e-4fa7-bae5-ba79d27205f7.tmp

Filesize
9KB

MD5
65320de727a1b27b181b943a0b96809e

SHA1
9bb307c051ba4d4270078b3f0623236caa16b8d3

SHA256
1491f7157336d9eedd425757a15d2f7bd4895ebda44a3ab08d3b82648ff0b234

SHA512
edcfba1e94150b1e79326760eeb7158dd6df8dbcce5a8bb42a00eb7eedf3100bf800ce36c3f365844a03c6f5ee83d87d9f41870b2bcf3ca3b28148c02d886648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4e821dbbbcd95051b68de4c1497807f4

SHA1
4bacc6ec23a0730395c4de21e1ab80799c11d239

SHA256
f047b34b6ebec9f045231ecceb304ebfc7eb130e3e40fe4b0f67ca9c77f28acd

SHA512
aa7951c8b13ff64b1657a9e5e9a6bc50596a9400be1d3705cd87425cd6447928535569c52bbe3ac2dd4875664da55452d93459b60338b9ed5124f40e07b67ce1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
f4ec978fa24100c1ffbaec27b566378b

SHA1
fd4bb74004c40a5c7184fa530b4b6fa9ec1ce437

SHA256
aded00edeedb278e5a9a290b75294fe9dee55fe6f3cb8e713aafcee276188271

SHA512
fff08f5c9e9f231c3cf5310ad20c5c89d8f67a4f8068f51a436b869d8a108b0d86836143c9d274c507d4d85291f9ecf6865ebf8ed7687a43a2363a0ce1ea81c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0f26abb4f8b00cf8671b6c2ec0d986d6

SHA1
71e82f96e728480052d7952bd89cadabccc21e0d

SHA256
e07c487b06786e84fb0c04f093cf2aa1c2e48aec13fe607412b3ddf48ba2afce

SHA512
f0c6ce8ac28e5fd8abb536a0b2805e577a5b94d7e7bc49a97ab7fd90af1e1aa57dcec5b1ed5e7647058cc4362e271098c2e722a3eec89a0a4f28058176d380f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
d8ab0fd3902028f265d48823cc4a6dd3

SHA1
8d793aa598ea0233c086372bea754bcc5a3621b9

SHA256
cc0f247988fe39d4d98006327bc64cfec86eab50be9576d2a63c67274d85da37

SHA512
3d332fd64ff9aa07b1ee2cedbcf58f9a367fd691737360661009ad8ab99a82e4b0f5a1ea0f72db8a03899312c339d3b138c3e77fdf171a394529e9d2b264d2ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
49f1822e1579f6b13536842dd82a4027

SHA1
f495c30ec804f0e46b035fea15697ae111723cf6

SHA256
fc18f6daa925b6a717d0eff7622c26dfbc70b71fcca193631a5d66d63b9a4ce6

SHA512
ad85e6c670a7fdd68d975a5f9cef220e0a0abb38cb1e1d739b8952bc961a9e5b655df212c24b45e527f3483266a9839d15ba30bf667008037cbeaa10ca69fec8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b53e8c3fc54d267783c9b2191b0a03d1

SHA1
2df46ec43bdd5e71a2dff2c326ca4bca8e77a999

SHA256
c41deaae2bec02465532c13abb1447a4799b564943a3bf7a65a83f333834128d

SHA512
e3fbd1c96db28f0ec9163b2adb21d530224b689b38b7ffd9b51710a3e288bee5a5c0ad75a3020058edf9e9592bf995cfbfa5978a248edbdbc88b9ec90ea527a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
9fbfbe114d5520a84e073f5f4ba0b5d4

SHA1
1549233265f27e7838f3655a798f7b9f310dbf44

SHA256
04a864bc1673e9f9ad5fc7b3e67dc558c4f2d5d0e3cc30fa24e32ec2ce14a146

SHA512
eaea075ac2bafcac03dee564177e104002a4e51a5110e56adcaefc75098908ba963b618bf400262e8ccf89d750db662b61570975c3e60f6f1ebe8f375a1fa430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3bcd3adccccefc89bc1145defb382c21

SHA1
66d0ea09c38f03a0dfe685c86cba59871bf59d0c

SHA256
42cc848637d152e4872dc31e147ef9bf8d4c70017911bca91ba6fe842eed9c8c

SHA512
74eeacf2a1805dbd0485168b4889c2df547f1a674b345e462db802afde378f4728db41af5027872c7ef733aaf3800cb247a1ec59c36e197172457ed9f9074449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f8103007ccb2eb2b6975fcf48137bd16

SHA1
ac31ba231d5b324f1324bbdb562eec087ec8fa38

SHA256
0f83e576106e53f2fd92caedf1290bc28fb9942d46162e42f5b9b4f571103a31

SHA512
0d39520880fd829aa0cab933426b371e13220da79b7765715adc17f785197480953e463c46c214fa8ca55df85e488f0aaa7db5a494243ccc97adea1f0eae5ef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
98057e1ff4585180262301c2fad934ce

SHA1
c7cd067e52cfb7193daedd4c7ddbaff21bc51d8f

SHA256
a3ec1bb82838d77f5657bf4a48b2f548749099dcd9acff175b6673485f961377

SHA512
78a7f977e3f2450f31aecd2eaa01f0638f73bcb89d51137b8bb574754678dd2b48f5b08414ec222a4c6e857e633ee856a3fe4e0d2187278cfc943b83683ca229

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b60b2bb517b67fbd12ea16825804ccb7

SHA1
a1c1decf336407fc3f4716b8ee62048aaebf268a

SHA256
8239acf49f2e445b1dc22dbd0b0dd02839cb1bc86ce42683d3eeb9024aadb30f

SHA512
241ecdcfe4ed59acf1409a306bc9508644e9273709b8dfb9a63b44bd8535fe1894ae7940c350221d7361161b8c63dc2237a94a5a36829139e8fe2944aa4aa03d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3af864ac73e32d571c6aa11a43a80556

SHA1
81ef8777adc812897ca56aaa567b1d221762e7d6

SHA256
1054b0570708506a202e01b5b203a80e6d749fb4c5d45449fe13edfb0cc91f84

SHA512
dc801c7a7018796435a38b11ec378b55d1699d494f4f9b7bc7af63888cfd3419196b8f3eece55d350162a2ba60929e5adc0aab1fb6b5636e3d8daf34fc74dc39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a602c87ccc499d3dd11982e77e74da7

SHA1
97e3a4cfaa6c655aa09c070848804669eb11113b

SHA256
5688d8b118f064572973f57b64e6f9f1761418bfa3e9e38af57bb83e1f4b8576

SHA512
c568a3961958283733ec79aa8c1836064401ff99ca77c6229d3a546b66f92b87e5995e131283e5d296af2ef529eeb62e8b4d77ab27a67a923a5f0e38db1d11a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
82ad7af2b3a20bdccdc715f7366f71a1

SHA1
8b35e7ca7326b80d9d9e2c098a38c204bc705c9b

SHA256
3b0003168796d40306fa522c3f9942f57c173d4b7ad3ad9dc3233d43622caf48

SHA512
771531c6eecea7a7433e078e3012a2d3f4506e7ab83c9606a834f56dc83e93f2100ef7866ecf94b56e30402bfaedec8deee2be2f388a129b5611f9512d0556cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f83e4c05c994b3cf5856fe56a496302b

SHA1
2ef61bb8eceada6855fa8cc544012ca3ec89248b

SHA256
4f49dceae14a5df07ff6b0ca964080f922e29fc3b0c998eb1affc7c4f805e577

SHA512
116c680fcb23a9a06328965057bc2df27258802a38eb779d1c7438f759be99245756afd45cda94688266b6391da38d80fb5ac6cf22175c66a5a563d6f9398982

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
589c23ccd6850a6f200c7292bf2793fc

SHA1
c9172eb210543d670ae9f17cdcd8dbdad0f2fabe

SHA256
3b65dfd38bb5b34b4fe43efd6b0cf6ea341113c0610c9e635761ee5bb6599b8d

SHA512
633e0bdec05a5d20318b0a40a14df71eab3ca2bfc03efccc9e77da8fb30307919c588146a4abb03dc8281282e604d4adc65ea0117617e8192897faf61686bb22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
63f281c544bbafeef19c08a9995a982c

SHA1
7780b4a662e96c7e8eea5d7f2ae76f8c8f57e965

SHA256
7377058a5927ee336e3cc69b6b348a124543f89afbf477ced24fa25328d9a919

SHA512
fa2012d96588deb9f03cb92e852bb530d1f31858ee421db69edb2cbc2bca7bb472fb841e510ae5112d3fbb130ff7ac8e26572058c974e97752c1a75cf7000087

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b8834966b1302daf54869d5cf8c89a9e

SHA1
7a1b671a4ed42b10e2cf32e37bd693a88a449158

SHA256
f14d37a9ef99d96484fd9bffc989d33735b1ede0fa5439a741d59b7ecdd07795

SHA512
df8f4c8424fa03c4853595b428d18e5d80f123a9b0843f27a91b0e7df01459cd090c0db6ed3db332ae3d7ad4a6a921035bb0c51fbba5c876c261ca6fef7cecfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dbbd6710338c2b9997a88a4971107447

SHA1
a493354189f0e88d8f1057135c55ba4c32c9d26b

SHA256
93db572429b8e6499a7ab6af45f6b844509cd99c20fb453b92b355540a092a9c

SHA512
5cb9c7846bcb6a44ad7874ad3fdd1784656836743b5ae79aca40c4339bc05cec4ef15fdb6558b7560386f1aca74113e5c6e6a34dc89a53bb5aaeaea8eebc59fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f37c41ba8651af9cc749e34fe7a47626

SHA1
b7692e0344b41ecf09d14d83dbc68e3fce2ba98b

SHA256
fb9bf5bfa0c358ec48093080b0e7013d6ca87c97ac7a1bb39a41879815d02bae

SHA512
7c9e6c9645c6713c530d1f42eb71e9902804f65ec9eaedc7dffbdeb480e06623ac52b16af2bf32cce8e1d1dc5352ee7e67a852caf5c8091915757bf8592ca2c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ab35778d8aa24778f7853aa10f13f282

SHA1
b36b8525029e6ea4652e13eaa2cf8129563e5999

SHA256
ca79b07306d99d847a1f4e4e0adde05f20d9a11585903c6591b9bbd3fb27be60

SHA512
4c3144a2aaf4432ae8dfa4b0e272a74be009745aaec1d5bace65007e2a6e2a0a087ac9ceca428afbf23e81c908e4b77b54081daaa43bb8f8e964931e5aa05b47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d30bcb75093863aef1be684f0c2f6457

SHA1
bf7702828d4c74c030ee07b3879e848494425006

SHA256
155ef2beffa8c53d89914891dd189a2f2dd87d3c069fc6fe0c1d5acc3d0802ba

SHA512
8b4ffaef1781a81412dd9b76964e9d78d557b8973b5d9097893747089de5f334e66659aa70d1e7379bc7361bcb0777366c9df550423df62bab137f9854ee56b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d9e7d6a152d725dec2161baebe1a826

SHA1
0f21c34f1500aa5ed2aba3992e014256ac8002a8

SHA256
ea3a9c373a72f5d251ab37555681f52a9fb7ad8a9bbee269e3d618406fed7892

SHA512
b1a74c5f52bc4690c7a8936a6354e3cc09efcdcf7e2af7e57885512d3eccfff34a88e95131e968ea7606b133a5dc067f1d36e1f2fb74e7a58d8828572ee4eab0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1c59879038741ef86d524366ffe4087e

SHA1
c8e522b08499dc896d1b9440ccb8c1356176e440

SHA256
75dc5e017fd7a62facf5ae7c1e6bc08a5949a19e804798e241ea0a4efb70d3b3

SHA512
a51b7a6b54e2258a96a5a02116adcb7740fba9ad50e6d8ed46839c83d3a5f79984024cebc075eb14db010ebc5b61b88552157f2236cbcb4b518d2d14d792690c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
77658e882d52fa1354b7372297a4c956

SHA1
c51d077490f6f0fbbb112c4eeabfb7acc0c7aa04

SHA256
299a106d45f99a699db7a6b6112fd62141e7bbacc87d60e98d83fcb66c671ccf

SHA512
68c088882a3410713ed8fa4f961818447881d4b6d60c3f60156cf7e21d05adfeaa73ffcbc38b75bd14b9557bbead1daff70a3f98214621c64d69fb4b21026a25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0a03c1efbaae60157bc69706db643e82

SHA1
3b7dbb3566aa3e4229116c77852d97dc8681fb90

SHA256
fbcd62550894c1a2b52ff1e87db8c3d17ca8a5735baa8c19b9b5c98a6197aeed

SHA512
67b92f1af89f6e1e8bc695532fb8c708e88e1ec364742b7e95cdbde9155ce048072f1533be1ad782088750599cdadfcea9fa2f6e5f29705ba440ac72c7e58d69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c2889b55e1e566dede540571986ee56b

SHA1
777383e800c97153f7404e270c197e0fe6c2957c

SHA256
a0d53be43976d37a46473e62c8a14e87396b62ef0f44ab8177c57c6ddf6e4843

SHA512
87f8d207f9335b15bde6f46828d951710b749f987dd71fbc196384e52ed5f8e239125366801aa32a46215ebd87519cb1ce7d5078feb38c159fea9e5b0b00068a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
476c148f224119cb200cbf6d42e356f9

SHA1
2bdc927d36d99a5e7791c8199d946e6a72e0223e

SHA256
de50a9e708c48543b7ee86ee4fe9b29c8bbe7873a57976b69cf6750fd4b21709

SHA512
9851ad4333de8f5c3ce848ed3a0064aa1e2a439887d59eedbda1b58c94148fb548075f1ee6b47ad81813add8f9f9cd561ae430e4acbc8fa88d36e6af90cc952b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4fa4ac074ca1bc8ad7abd78f66abf0cf

SHA1
50e1c7d6984a081910e997a70731c27bda897178

SHA256
70f33d681407344ace1a7d47df483394a65b266761b9c8fd9cea6639e17691e9

SHA512
5ef2446f4209e148c9df4e0a42417136b84ab561f3bfbbc5224ff31ae42ce209dca02478a8351b90fe72f0c8f889421ee842a25cd8dadf0881a20c0f2679ad6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b2ba28d35c123948b02f116617d7ed3f

SHA1
ebf870661d8d4405c16e800cd5c0a9ba14504c7a

SHA256
f721009a0ef49c9f0f39054acb715a26c6875134d9b0dbb4ea1d32188bd5a8b9

SHA512
165bf9e098f681b0ea78b6ddf2cbba548884ea985896ad5aae45ded5ad0a8f241c47a04b997e24bea551cf699a2877e304e22d686fcea19bbbc617ed87f7f13f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b2f1fe430f16606a074e1176bf80e64a

SHA1
364aee8caa6a329b73981b5a5429f430141aa414

SHA256
39e1bfcc917ce44f0d1304dd84378731704f3a7894ea5baa9b4699802918464d

SHA512
729ff1326caaf566f04d257e28787bb14520dcf4b1fba019b7a80eefbf0aab84568e60d7290379034fdb07654fb0ad0e73c39204c4e301096b7b06f6410cfb61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
939a08593546145c04030a00275db3d3

SHA1
350e918b88a60b93020d0ad5b4372419b8e91a31

SHA256
0941034089732af148424cdc7fb7d5e9affdb244bbfb5ab707f2bd064758df86

SHA512
8d7a5eb53232d639c9d7c6e0ca4338e7dd0195228a365b450f31623b58453f456d835621abf45810d0e940382b29e6903c25adfc9c36b3bf75b0e79303290648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
49fb038790571743d7fd522ddb0304f8

SHA1
fcdf47401cc4e937a8f954c7846b336b4c3ec1d6

SHA256
bac354eb71a9931988cc520ae58116bf3eeb4a337d6d0f869039c0fe84f89026

SHA512
e3398aab4732a6c3925d9ff19de1dad62d84f6ee12e71dbeae369a16c3c9bd5c0ce7697faf177fa9cd8c33190aad8202a73266d99be375ccab8cab114b5d51ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Stix_Advanced_Tweak.exe

Filesize
766KB

MD5
204feb8a295ab9432b3ec64419c98484

SHA1
d2ccef786b20d3c3a3ff164c51beb149583011df

SHA256
7267c4fe27fd5e9aaf8d564f209a12c496d0e053c501504d42cf7234a789cf08

SHA512
6d216e8f82bd0f2e9db49e67d5fa440bd1fa6dedeea2476585a8c01029ffbfa093088ac3bf5293edd49e0509c04821cebbfc63e47c6aae44eb7b8db67f6ee088

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CB75E00

Filesize
23KB

MD5
578cbd155c796acd1ccfb9040ba418ff

SHA1
f72f2040d6a90f6092f2fb3bb8745ccf1e5da389

SHA256
3c302a65f447bd8bcd1dac7555e122ca1a7733122d0583cb7fc0d7b5ac06a7d6

SHA512
a26a963b73a9314e36fd3ff7d69dcd3f0b7856661260a7502a8b7644865728bed60581c14cc75f71bed405df7ee23471af0c9155f171d512f8465626ea591459

Download Submit
C:\Users\Admin\AppData\Local\Temp\4gntiU3c.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir820_134109801\7e0af23e-23f8-4575-b0ca-9303fc2bc188.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir820_134109801\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
\??\pipe\crashpad_820_DHBXQJMOUKYUOHMX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/632-262-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/632-201-0x00007FFCC8D20000-0x00007FFCC8D30000-memory.dmp

Filesize
64KB

Download
memory/632-198-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/632-199-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/632-261-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/632-259-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/632-195-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/632-196-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/632-200-0x00007FFCC8D20000-0x00007FFCC8D30000-memory.dmp

Filesize
64KB

Download
memory/632-197-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/632-260-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1588-0-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/1588-130-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/2812-254-0x000001539F150000-0x000001539F18C000-memory.dmp

Filesize
240KB

Download
memory/2812-252-0x000001539C6E0000-0x000001539C6F2000-memory.dmp

Filesize
72KB

Download
memory/3172-61-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

Filesize
8KB

Download
memory/3172-263-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

Filesize
8KB

Download
memory/3172-183-0x0000024C8D470000-0x0000024C8D476000-memory.dmp

Filesize
24KB

Download
memory/3172-66-0x0000024C8B840000-0x0000024C8B904000-memory.dmp

Filesize
784KB

Download
memory/3172-184-0x0000024CA5E20000-0x0000024CA5E30000-memory.dmp

Filesize
64KB

Download
memory/3172-134-0x0000024CA5D10000-0x0000024CA5DFE000-memory.dmp

Filesize
952KB

Download
memory/3968-264-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/3968-265-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/3968-290-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/3968-131-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download

pid	process
820	chrome.exe
820	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe