gh0strat | 73b6df0add9bc6b5792d274d316ecd70d636847db25ce6f3e63e77fb72369037

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe
Size

27.6MB
MD5

220d1ef8904ec400ad2c63fe40c21a75
SHA1

04c5bb65b1a65e7a159c17b8bbaf4e286009370e
SHA256

689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33
SHA512

1ec2cfb174fd749bbec0a87a8cffbfe81284b68a7a09ae1a32cea51cf4d17dadad0f04f185aa8492ec186d409b1422f20ae59b530ed15598e453d923b9f3be4a
SSDEEP

786432:kbnq/UYXTOALUyampRu7cAcwKwV8dPNck+/Fj4y:H/UYXlYyad1cBwV++/Wy

Score

10^/10

gh0strat purplefox discovery evasion persistence privilege_escalation rat rootkit spyware stealer trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral6/memory/2832-13162-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit
behavioral6/memory/2832-26243-0x0000000000400000-0x0000000001F5A000-memory.dmp	purplefox_rootkit
behavioral6/memory/1876-26266-0x0000000000400000-0x0000000001F5A000-memory.dmp	purplefox_rootkit
behavioral6/memory/17564-39373-0x0000000000400000-0x0000000001F5A000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral6/memory/2832-13162-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat
behavioral6/memory/2832-26243-0x0000000000400000-0x0000000001F5A000-memory.dmp	family_gh0strat
behavioral6/memory/1876-26266-0x0000000000400000-0x0000000001F5A000-memory.dmp	family_gh0strat
behavioral6/memory/17564-39373-0x0000000000400000-0x0000000001F5A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\130.0.6723.117\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	chrome.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 34 IoCs

pid	Process
2832	mxcytmx.exe
3332	ChromeSetup.exe
1036	updater.exe
4856	updater.exe
2604	updater.exe
4412	updater.exe
2372	updater.exe
2952	updater.exe
1876	Skcsk.exe
17564	Skcsk.exe
17524	130.0.6723.117_chrome_installer.exe
18872	setup.exe
18900	setup.exe
7988	setup.exe
8008	setup.exe
8596	chrome.exe
8564	chrome.exe
8820	chrome.exe
8836	chrome.exe
8852	elevation_service.exe
8936	chrome.exe
9036	chrome.exe
9028	chrome.exe
9420	chrome.exe
9556	chrome.exe
9604	chrome.exe
9896	chrome.exe
9888	chrome.exe
13884	chrome.exe
14120	chrome.exe
14584	chrome.exe
15376	chrome.exe
16064	updater.exe
16016	updater.exe

Loads dropped DLL 37 IoCs

pid	Process
8596	chrome.exe
8564	chrome.exe
8596	chrome.exe
8820	chrome.exe
8836	chrome.exe
8820	chrome.exe
8820	chrome.exe
8820	chrome.exe
8820	chrome.exe
8836	chrome.exe
8936	chrome.exe
8936	chrome.exe
8820	chrome.exe
8820	chrome.exe
8820	chrome.exe
9036	chrome.exe
9028	chrome.exe
9420	chrome.exe
9420	chrome.exe
9028	chrome.exe
9036	chrome.exe
9556	chrome.exe
9604	chrome.exe
9556	chrome.exe
9604	chrome.exe
9896	chrome.exe
9896	chrome.exe
9888	chrome.exe
9888	chrome.exe
13884	chrome.exe
13884	chrome.exe
14120	chrome.exe
14120	chrome.exe
14584	chrome.exe
14584	chrome.exe
15376	chrome.exe
15376	chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	Skcsk.exe
File opened (read-only)	\??\S:	Skcsk.exe
File opened (read-only)	\??\V:	Skcsk.exe
File opened (read-only)	\??\B:	Skcsk.exe
File opened (read-only)	\??\E:	Skcsk.exe
File opened (read-only)	\??\N:	Skcsk.exe
File opened (read-only)	\??\Q:	Skcsk.exe
File opened (read-only)	\??\R:	Skcsk.exe
File opened (read-only)	\??\U:	Skcsk.exe
File opened (read-only)	\??\W:	Skcsk.exe
File opened (read-only)	\??\J:	Skcsk.exe
File opened (read-only)	\??\M:	Skcsk.exe
File opened (read-only)	\??\O:	Skcsk.exe
File opened (read-only)	\??\P:	Skcsk.exe
File opened (read-only)	\??\X:	Skcsk.exe
File opened (read-only)	\??\Z:	Skcsk.exe
File opened (read-only)	\??\G:	Skcsk.exe
File opened (read-only)	\??\I:	Skcsk.exe
File opened (read-only)	\??\K:	Skcsk.exe
File opened (read-only)	\??\L:	Skcsk.exe
File opened (read-only)	\??\T:	Skcsk.exe
File opened (read-only)	\??\Y:	Skcsk.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Skcsk.exe	mxcytmx.exe
File opened for modification	C:\Windows\SysWOW64\Skcsk.exe	mxcytmx.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 32 IoCs

pid	Process
2832	mxcytmx.exe
2832	mxcytmx.exe
2832	mxcytmx.exe
2832	mxcytmx.exe
1876	Skcsk.exe
1876	Skcsk.exe
2832	mxcytmx.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\ja.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\chrome.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\WidevineCdm\LICENSE	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\chrome_wer.dll	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\es_419\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\es\messages.json	chrome.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe57b093.TMP	updater.exe
File opened for modification	C:\Program Files\chrome_installer.log	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\el.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\vi\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\fil\messages.json	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\lt.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\mr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\chrome.dll	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\hr\messages.json	chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\VisualElements\LogoBeta.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\ta\messages.json	chrome.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\8c58be6e-b478-4d84-93e9-46a5516d9084.tmp	updater.exe
File created	C:\Program Files (x86)\Google3332_951824223\updater.7z	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\en-US.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\sv.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\vulkan-1.dll	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\mr\messages.json	chrome.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\manifest.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\fi.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\fa\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\zh_HK\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\zh_TW\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\uk\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\pt_BR\messages.json	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\prefs.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files (x86)\chrome_url_fetcher_2372_2077574441\-8a69d345-d564-463c-aff1-a69d9e530f96-_130.0.6723.117_all_adjrals5apaczavyn4sczndfd4xq.crx3	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\dxcompiler.dll	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\az\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\lo\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\manifest.json	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\es.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\te.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\VisualElements\SmallLogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\eu\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\ru\messages.json	chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\de.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\kn.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\ja\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\am\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\lt\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\bn\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\lv\messages.json	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\d577ef74-85c7-41dd-8d39-e08732f207d5.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\Locales\bg.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\tr\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping8596_698583669\_locales\en_GB\messages.json	chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source18872_849792601\Chrome-bin\130.0.6723.117\PrivacySandboxAttestationsPreloaded\privacy-sandbox-attestations.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skcsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skcsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mxcytmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
17524	130.0.6723.117_chrome_installer.exe
18872	setup.exe
7732	PING.EXE
17580	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skcsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skcsk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Skcsk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Skcsk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Skcsk.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133758664576497821"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML\Application\ApplicationCompany = "Google LLC"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0125FBD6-CB11-5A7E-828A-0845F90C7D4E}\TypeLib\Version = "1.0"	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\ = "{6430040A-5EBD-4E63-A56F-C71D5990F827}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\ = "{C4622B28-A747-44C7-96AF-319BE5C3B261}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ = "IAppCommandWebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0125FBD6-CB11-5A7E-828A-0845F90C7D4E}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ = "ICurrentStateSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib\ = "{4DC034A8-4BFC-4D43-9250-914163356BB0}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\ChromeHTML	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{53A53FE9-0D1A-5CE1-A982-92ECA1CB48BC}\LocalService = "GoogleUpdaterInternalService130.0.6679.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\TypeLib\ = "{05A30352-EB25-45B6-8449-BCA7B0542CE5}"	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\ = "IGoogleUpdate3WebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib\ = "{494B20CF-282E-4BDD-9F5D-B70CB09D351E}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromePDF\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\ = "{463ABECF-410D-407F-8AF5-0DF35A005CC8}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0125FBD6-CB11-5A7E-828A-0845F90C7D4E}\TypeLib\ = "{0125FBD6-CB11-5A7E-828A-0845F90C7D4E}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromePDF	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\ChromeHTML	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{DC738913-8AA7-5CF3-912D-45FB81D79BCB}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\4"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F966A529-43C6-4710-8FF4-0B456324C8F4}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\ = "IUpdateStateSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\TypeLib\ = "{5F793925-C903-4E92-9AE3-77CA5EAB1716}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromePDF\Application\AppUserModelId = "Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0125FBD6-CB11-5A7E-828A-0845F90C7D4E}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\5"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalService = "GoogleUpdaterService130.0.6679.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromeHTML\shell\open\command	setup.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
7732	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1036	updater.exe
1036	updater.exe
1036	updater.exe
1036	updater.exe
1036	updater.exe
1036	updater.exe
2604	updater.exe
2604	updater.exe
2604	updater.exe
2604	updater.exe
2604	updater.exe
2604	updater.exe
2372	updater.exe
2372	updater.exe
2372	updater.exe
2372	updater.exe
2372	updater.exe
2372	updater.exe
2372	updater.exe
2372	updater.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe
17564	Skcsk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3332	ChromeSetup.exe
Token: SeIncBasePriorityPrivilege	3332	ChromeSetup.exe
Token: SeIncBasePriorityPrivilege	2832	mxcytmx.exe
Token: 33	17524	130.0.6723.117_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	17524	130.0.6723.117_chrome_installer.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: 33	17564	Skcsk.exe
Token: SeIncBasePriorityPrivilege	17564	Skcsk.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe
Token: SeCreatePagefilePrivilege	8596	chrome.exe
Token: SeShutdownPrivilege	8596	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe
8596	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 2832	3760	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe	86
PID 3760 wrote to memory of 2832	3760	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe	86
PID 3760 wrote to memory of 2832	3760	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe	86
PID 3760 wrote to memory of 3332	3760	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe	88
PID 3760 wrote to memory of 3332	3760	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe	88
PID 3760 wrote to memory of 3332	3760	689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe	88
PID 3332 wrote to memory of 1036	3332	ChromeSetup.exe	89
PID 3332 wrote to memory of 1036	3332	ChromeSetup.exe	89
PID 3332 wrote to memory of 1036	3332	ChromeSetup.exe	89
PID 1036 wrote to memory of 4856	1036	updater.exe	90
PID 1036 wrote to memory of 4856	1036	updater.exe	90
PID 1036 wrote to memory of 4856	1036	updater.exe	90
PID 2604 wrote to memory of 4412	2604	updater.exe	92
PID 2604 wrote to memory of 4412	2604	updater.exe	92
PID 2604 wrote to memory of 4412	2604	updater.exe	92
PID 2372 wrote to memory of 2952	2372	updater.exe	96
PID 2372 wrote to memory of 2952	2372	updater.exe	96
PID 2372 wrote to memory of 2952	2372	updater.exe	96
PID 2832 wrote to memory of 17580	2832	mxcytmx.exe	104
PID 2832 wrote to memory of 17580	2832	mxcytmx.exe	104
PID 2832 wrote to memory of 17580	2832	mxcytmx.exe	104
PID 1876 wrote to memory of 17564	1876	Skcsk.exe	105
PID 1876 wrote to memory of 17564	1876	Skcsk.exe	105
PID 1876 wrote to memory of 17564	1876	Skcsk.exe	105
PID 2372 wrote to memory of 17524	2372	updater.exe	106
PID 2372 wrote to memory of 17524	2372	updater.exe	106
PID 17524 wrote to memory of 18872	17524	130.0.6723.117_chrome_installer.exe	107
PID 17524 wrote to memory of 18872	17524	130.0.6723.117_chrome_installer.exe	107
PID 18872 wrote to memory of 18900	18872	setup.exe	108
PID 18872 wrote to memory of 18900	18872	setup.exe	108
PID 17580 wrote to memory of 7732	17580	cmd.exe	111
PID 17580 wrote to memory of 7732	17580	cmd.exe	111
PID 17580 wrote to memory of 7732	17580	cmd.exe	111
PID 18872 wrote to memory of 7988	18872	setup.exe	112
PID 18872 wrote to memory of 7988	18872	setup.exe	112
PID 7988 wrote to memory of 8008	7988	setup.exe	113
PID 7988 wrote to memory of 8008	7988	setup.exe	113
PID 1036 wrote to memory of 8596	1036	updater.exe	116
PID 1036 wrote to memory of 8596	1036	updater.exe	116
PID 8596 wrote to memory of 8564	8596	chrome.exe	117
PID 8596 wrote to memory of 8564	8596	chrome.exe	117
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118
PID 8596 wrote to memory of 8820	8596	chrome.exe	118

C:\Users\Admin\AppData\Local\Temp\689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe
"C:\Users\Admin\AppData\Local\Temp\689ca565d836bb3ee3d52797c7d7c89e7d5b941259bc47403703355049c0dd33.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Users\Admin\AppData\Local\Temp\mxcytmx.exe
  "C:\Users\Admin\AppData\Local\Temp\mxcytmx.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\mxcytmx.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:17580
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:7732
- C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Program Files (x86)\Google3332_951824223\bin\updater.exe
    "C:\Program Files (x86)\Google3332_951824223\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={68A8F50C-03FE-5756-A1D3-410E39B8C8FD}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Program Files (x86)\Google3332_951824223\bin\updater.exe
      "C:\Program Files (x86)\Google3332_951824223\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x85a6cc,0x85a6d8,0x85a6e4
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4856
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Drops file in Program Files directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:8596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9f26c7c38,0x7ff9f26c7c44,0x7ff9f26c7c50
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8564
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2000,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=1996 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8820
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2220,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8836
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2380,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=2428 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:8936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=3292 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9028
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=3316 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:2
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9420
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4756,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=4780 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9556
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4952,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9604
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4464,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4936,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=5280 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:9896
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5116,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:13884
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5832,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=5820 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:14120
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5828,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:14584
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5920,i,4726348193936951114,4745705458190156732,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:2
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:15376

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x10aa6cc,0x10aa6d8,0x10aa6e4
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4412

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x10aa6cc,0x10aa6d8,0x10aa6e4
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2952
- C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\130.0.6723.117_chrome_installer.exe
  "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\130.0.6723.117_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\4dc98da3-58b4-4ce1-a988-4856e1b14dc5.tmp"
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:17524
- - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\CR_D1479.tmp\setup.exe
    "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\CR_D1479.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\CR_D1479.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\4dc98da3-58b4-4ce1-a988-4856e1b14dc5.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:18872
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\CR_D1479.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\CR_D1479.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6b876ec28,0x7ff6b876ec34,0x7ff6b876ec40
      4⤵
      Executes dropped EXE
      PID:18900
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\CR_D1479.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\CR_D1479.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:7988
    - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\CR_D1479.tmp\setup.exe
        
        "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\CR_D1479.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6b876ec28,0x7ff6b876ec34,0x7ff6b876ec40
        5⤵
        Executes dropped EXE
        
        PID:8008

C:\Windows\SysWOW64\Skcsk.exe
C:\Windows\SysWOW64\Skcsk.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\Skcsk.exe
  C:\Windows\SysWOW64\Skcsk.exe -acsi
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:17564

C:\Program Files\Google\Chrome\Application\130.0.6723.117\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\130.0.6723.117\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:8852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:14076

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:16064
- C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x10aa6cc,0x10aa6d8,0x10aa6e4
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:16016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google3332_951824223\bin\updater.exe

Filesize
4.7MB

MD5
c583e91ddee7c0e8ac2a3d3aacad2f4c

SHA1
3d824f6aa75611478e56f4f56d0a6f6db8cb1c9b

SHA256
7f67129760223e5ddf31219f0b2e247555fbac85f4b6f933212ac091a21debf9

SHA512
0edbc9a7e3b6bf77d9a94242ee88b32af1b1f03c248290e750f355e921f49d62af13acfeed118ec624fb3e2c6131226ac17bb3d206316b056c1f7cf55642e069

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat

Filesize
40B

MD5
1d20a56434d93ade85edeb17dc3e7d19

SHA1
4dcb6ad7597dece96e416a33f6bd088750c29711

SHA256
46e5c94be78bde280f999e14f27db931c2595a62cf5c9e61799b3e409a6f93c4

SHA512
676b2731cfb285640176e3a5c908f2fa3724f8c982ff9102967afbc9432c9f69d616f31472916dcec4af01adaecf1141ecb004daf447ff79561b7c036feeacc1

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\43b0ba22-4e90-4317-903d-2e27a7b0f405.tmp

Filesize
602B

MD5
9f54d104161ed69b800925b0e99c68cc

SHA1
75b2cb24172bb2d6f8c3a18ff225ce924fc90c06

SHA256
1c5243948923b098fd3fe409feea77239d373e6c86cf7734096e4da2b3454eca

SHA512
e75987ef645afed5fd0125ed6d8bfaad85434ddffaea8a0a016973947ce3217bfc3cf174d400ebd89a4f764356c867c512bc3c89635a787c29d875c7eee945ff

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
502B

MD5
ff69c3dd9b05df7b80cf33b7e2f66f92

SHA1
7549f88a3d7957693c8ef952a6609658c175762b

SHA256
60c55306f7acb1a5a066e7c471d0a02acafdd414714eb97a6ea41fd151aed521

SHA512
ae9f864c5e018dc34ae4b5e91605520ccda2dac50fd23164d2a0d6a3caa89f277fc7a8316eb075d7c7b32922831274aba8bc58c6735d84195dcfbe95055ed4a6

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
354B

MD5
227350f44c11f7dc5e4229d041dfa72f

SHA1
66f6d2bfd37e6b9df9ead8c40500db5fbd4ea9ba

SHA256
e82892f132a5432c6e8c02d6f36faea67b272497cbc82c5f0cfabde79372ac7e

SHA512
6231d93293181be9e398a2e811a0e5a0b141fd8a02523656b6c6e6740e6aab37d53139c1cd3c30b9cc0b1dac187d594189ae0131e5f44b2739de74c5c1fa146d

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
49B

MD5
c88c3ad52765a523b2b598bf2c5a9216

SHA1
4ebada495c7ec0e2ae7d92aa2be7c049d2b0e512

SHA256
e450a8d057f11bb4cd98343448b3fd8a70b0f22bd7eb6b84b6fb03731b36fc32

SHA512
a21348e047b3e84ce8a14a6298f518d1c4f512a7155360e1d85121d77ab9b4d51d09dbe67e6aad5a19b758f69b1a177a54c2e848de23d6cb66f6c7ff9b2c40b5

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
602B

MD5
7075b3d565fff08eadef519bf41dc42f

SHA1
b4f28407043ad062b84876c6ad44f0f349b51c9b

SHA256
ec5ddbefa3ae82abb14d12c3190d5fbd271d97bdaedd13844179982ec120300d

SHA512
f8053a634761be43dee66a8f07f058dcc9a18ba641067bb3d3cec24d71e23f7a8e708ab8fac5b17b3011b4a838359daa00fcd99707a3aa0e19e39cc07d159578

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
7KB

MD5
13fa3c2bfa8aeafeb04c9b9a4bbe8d5c

SHA1
3c2e86b61642e69bf05bf92ce5d55bb1d17e922b

SHA256
0115fc7e611462792b69b6f6eda0794f39ebd705b9d20e70ddcc116b960b0bad

SHA512
15a4d52a5322c31f4bf11b3bd8c2eb7d3828558c8acf2a39373f9797e4cff1f3acdfe5e224bd0e3d41ea68256fb7467788cdb58a9ee814ee4ad72dcad3daf9e0

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
2KB

MD5
d366823d7df006ae6c4e1764d7ba1562

SHA1
dc0d73ce779c8ff27f44acef46e4604da28b1232

SHA256
9b1b62dda0c3325fe1b8c4b1d1c1897cc796b7e428fd73e1d1fc403aff9b3859

SHA512
f6c014e1af0ff90c18540385017761fd2a4bb92286470179545748d47599b931402d44bd45b3493325f3ab5fe41401d38f86fc99ba6d1c8f782e7947222b1175

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
11KB

MD5
2578ad423c5a325baa2afbcdc783178a

SHA1
1816224d52060b9f95cd53015b24bab5df05cea7

SHA256
5e4b0454940985bf548c423451d67392eed05420af8585606c029cdc9b67d0a2

SHA512
02b91c26db4cab8973bc9bfed5fbdef60324bee732f80712b64f46f27084b09a29c9c823662991c1990cb6552b5c63550d580bc70f4efcd0c934155495301bdd

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\4dc98da3-58b4-4ce1-a988-4856e1b14dc5.tmp

Filesize
686KB

MD5
7c742ae853ab00e7a105d741db118ac6

SHA1
f82ca16da2904c9fdcc4a70fd11385494a1b78ec

SHA256
873804dc6b39531f46cd5289ad696aefa9e103a24d18b33f52a5c275b97ec9f6

SHA512
86f9dbc66fc1ca67b191092c6a0db49c442dc140d49f2be1c68f2a66cfe4d29b4db71bb3a0c4acc767524fe87c57d710d260f909ceaba1f3b50374a1f3086078

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2372_308124607\CR_D1479.tmp\setup.exe

Filesize
5.7MB

MD5
975f2eaa38bb31796f08bdf7ada59b5d

SHA1
3d8bbb8cc560a5be2d73d394caf19a914140432d

SHA256
fdd374c979fdd584e6361d41a238c81436018d96d9f5be0cc1e05e7f997c1873

SHA512
a110ddf5b7df6d871c0bfe0f1821df8e127e3e5e6d1c6955f844cce4725afa06ca258c34b9488681588da0fe0594660f080525a101a2f05ef6b5c63811332051

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
05a8095149ee10800b49ef0b28f8eda4

SHA1
5845882d030855cb902b1053c21d76de252d17e7

SHA256
47d3c83ac4c8104e7f5496cb026c243e7c1376aef8071461a8fe214f0efbc9e2

SHA512
ec2c2eb0fcd09af23bfb0a9b65ba3b6c81ccb2ff47f20fef2ef6d940732940059f782895bf7ec8112c9339ffd8596baaec1ccd4c684eeb7a957ad8014042de61

Download Submit
C:\Program Files\Google\Chrome\Application\130.0.6723.117\chrome_elf.dll

Filesize
1.3MB

MD5
a763044aa392bbaa224283f77a46a5bd

SHA1
fbd97bd6a4bf0f6cc6c6e3f3581f8ef76699ea0c

SHA256
5b78f93a7a160f064246e61fbd4d1f0040a46e7f9dd059f9abe36f36b4b5cb46

SHA512
e35441de5b23c3b1473276b38082782f4b771eaac2873a77483fcd551809292f2524f46579451eee240b7f7a1f950033fa142f251b010007d34b1237378f0502

Download Submit
C:\Program Files\Google\Chrome\Application\130.0.6723.117\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Program Files\Google\Chrome\Application\130.0.6723.117\dxcompiler.dll

Filesize
24.6MB

MD5
a81257aee093aad5806552675eca94e8

SHA1
c53d6bbbe6cce5e9f3c37522cf16794a041f9503

SHA256
c1cda098b9ec975614d39841f867ab94c2d34bec8648a7c6e549775b48c0fd36

SHA512
4aec3e23ace39e141fac49a2ff13e791d8ecd9389846fe43c7af00ce4b527d68ba08b1d3338b8482b189c50e1b2c45ca3c8d81a34ca75d669762cac7bee8eec1

Download Submit
C:\Program Files\Google\Chrome\Application\130.0.6723.117\dxil.dll

Filesize
1.4MB

MD5
30da04b06e0abec33fecc55db1aa9b95

SHA1
de711585acfe49c510b500328803d3a411a4e515

SHA256
a5fe1d8d9caa2ff29daffd53f73a9a4e19c250351b2abe4fc7b57e60ce67ac68

SHA512
67790874377e308d1448d0e41df9dd353a5f63686df4eb9a8e70a4da449b0c63a5d3655ab38d24b145ad3c57971b1c6793ea6c5ac2257b6eb2e8964a44ab0f08

Download Submit
C:\Program Files\Google\Chrome\Application\130.0.6723.117\elevation_service.exe

Filesize
1.7MB

MD5
46d8b640a7c3a328bebbd3d55a5f294e

SHA1
3e950f94b4d1e47499b0c42fad017e378a96be92

SHA256
75df96a10d7a761d290d066c6aca73f23013803003a85860f6c3935a82435be1

SHA512
10b5eeb36c9e72112a69d8f68499451440e350100a5f28048a2c90778434e112521f44a5903eeb039bf9ad2405a956ccbe8524d6958feff429b5cef4363c08bc

Download Submit
C:\Program Files\Google\Chrome\Application\130.0.6723.117\libEGL.dll

Filesize
493KB

MD5
bbddbb2aede11ea2d95a86c8a00b9e46

SHA1
539ae315d466952888c3399391695ca7fd713c92

SHA256
c63717beb11180bb663ca8e46ae0dd4c11151b2a7ac1f1387f1a9511c5bf7f3a

SHA512
b482eb96a3311d94cce56d18894214ff85707648b2a03210065afcc9da0e81439bdbad1564ef408c7e0fd3c306a3de8a4e8c7775d249086b2d3b08174d3d6c95

Download Submit
C:\Program Files\Google\Chrome\Application\130.0.6723.117\libGLESv2.dll

Filesize
7.9MB

MD5
3d59acae7a598095ef449069410a01f9

SHA1
91149193b0985898123aad870dd8daa6c0867319

SHA256
b503626b002b10e604829ce3a3c631dabdd2197717ef7311ea2dd74e468d0054

SHA512
f632a758732900f398fc5df932bfa150f58118b0e67856202d6628dc691c04c8ac17a6c33c2fe2ed7bf62a757ab4a6073bbe80fb17d3c846eb68a5695c912e61

Download Submit
C:\Program Files\Google\Chrome\Application\130.0.6723.117\vk_swiftshader.dll

Filesize
5.1MB

MD5
4d664b28f02a8bcb62df85eabfe17a43

SHA1
7f06f4ccca05ee8c8fe3e8bef2e28485b9a57498

SHA256
229127001cdd10e22c338f1fd706f29a5e32000d2e071eb7e028f66093ce739e

SHA512
96439b7aca7edda70aae4b7124a4a6e8d3b7e384ba04281ff3c32c6f05a474d82f174f489fcfb71bb8ec40847b49c5ef4b3faf96208c05da235f190b0223ffc4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.7MB

MD5
de65cbedaa19e03141fd979a5e406eb0

SHA1
5e9944d20b9bd5f6c7f62a1f77d6a91feb18292f

SHA256
5c52becfd379e90bb4446cd2b60cbfead727d2884f9b3fbd63888d41ad8b5207

SHA512
b0681dc70771946ecdb03ef01d75bace0e8dbda721a723f6759c27ddc70bc1e655f27316a15c9ea3be5a602fa4af3c189bc9b88660293a6e9f6645c41fb1f76e

Download Submit
C:\Program Files\chrome_installer.log

Filesize
21KB

MD5
3542ff7faff0494b89cbb96b322dde8f

SHA1
42460acbc6cb13943c59ef12c5290789e9c9ab24

SHA256
3d82b60080a46801da10107cb877b00f18bfa03052d3b2547c2d11205a61c7fa

SHA512
8cc10325ee53612bd868b49a6c36c9cca7903c76f0483f95c6febfa0338c28ce446896569b512bc3813dacc6caf726544e848b6c6e4b6f72fd37684ac5611c21

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

Filesize
2KB

MD5
8ff4181f641fd3e4e245258eb37c3755

SHA1
52a35a1f4c5bbccfef4218aee2e1526f5d9ba18c

SHA256
bda911fdc16001b4a50bd6831e8610c9fd5ed737173694fc9b4d368d99023b61

SHA512
9481228bb396134514d61d0f3efb47b9190f33faef34c88b97f2c353903d46199b61248e5584536b4a0a39f1ce415d21f2b42a177b9390d6f501e0831e836c49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
5819c443611206db63a1c3765eb672eb

SHA1
fcc2f9f41b6792fd21a6042aaacdce228fa75477

SHA256
34b6068a19e28ae47ab35b4ad442b66d7fc6410f898b1db0eb6e83d1f97e8674

SHA512
f44e2d0d3d362907d82125c8307970ec8b1dab44e6a2ab57fb2459db88b9cd292a494737df877379630a027f583e06f94d4026664749e535ddfe705b94c65241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
d037a403bea7facdd09bdacc301ef629

SHA1
a999443c06a67449617089b2b01c99be9b3a664a

SHA256
290a2991aa8022ab3018a31a4fda2c3ed24da6647406f78546b29b37c560c952

SHA512
9ea7411b9572d201164fe81312bd97395a042f1ac72eeeaad0b10779b5fb76804c623a92f6fddc09a6cc7913b9d4fb2ae9e461c069dd6a21319ba20d3f0ae122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ef9c33079f199c2af8cf2153b53f6b2b

SHA1
a7650451275f8b50a92cbb1f872348049a47ef9f

SHA256
4cec28dc897c5d200f0d092176428ed8a132344bd712c917049af95b2d80778e

SHA512
a43db28c2c290f57036d6f859484ad07c300341f41e52e36e0ad3d08327f743bf3663814bafdaa19132b5d9d1a17fd25a7ea03ec3f031adb2a7e166b2ed21761

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f6349c4a9d295e2c46c4a466326b857e

SHA1
fb92906a1a0278ea40972bfbdb49a33e74d5cf5c

SHA256
2d832fae11e32f904935184a4f4f38b3dc8a43cfe9b218ab2eab029649e3c482

SHA512
82f1e92617e7eaaee503f11d408bae6f5c25287cea60c9c91a28349fb3eb2964d8ebe5da764d7aea5a9e6e48cb43399287093ed7b6e0642cd5aa87a7c8089c9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
fd78cabaa08747050af17c01944613eb

SHA1
26247e6e263060b403d473866b1b5f8407dcc515

SHA256
569567cc276046ee42754bd838e9729af335aa76c90cb195617fddf28eee4bfb

SHA512
279d0cbbc0f56beb1d0e18f08c142bde6dcd273dd58212451eb4c2dbc7791c0c751e4b15718d5e20943ab595f510e499fedbb7c44863b6887a7d8eae61a5d20f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
9b3a6cdad719a17edf22822187d3c07b

SHA1
314262c5975bbd10bc46a703b8e33344adb92156

SHA256
152b77a6d8d963f05407f6dfd865e1312f8064e89d87cbc132cf448e4f61ffb5

SHA512
5f314f148a2d3b3de073d7733eb0d9a8e3b7b316f228b294a727d4ce89f4a954002c08eef360ccd498b09bf43f0289bd9877748c92b83e9b32412c6f4b7c95b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
01aac1d2091fa7073172b83e08049c4f

SHA1
215cad6fd83101ab3444d0f60ab5426f23fe259a

SHA256
bddd7a8fc13baf6aa736a1d964b3fa50cb9df08a6df70446965b15055ac00c02

SHA512
38abc2eb6417cbf61304d26adb0cfb4ba05b7d0d44d6697f7645dc4a2c8a41eba4ba6b4dd62d884ec8df9af3f564600fa46891dbbea15d973e467e17bcb73fcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
4d1408953302e0c2dd2effc91eec2bb0

SHA1
57e413e794049381f7042f6abdcd7269ecaf5454

SHA256
61f51f484f53d67b2bfb0bbcbaf88184d1addedd28568de66cd0ce947c52c301

SHA512
401ad408a13ee27adafe0df5fafb7146d2487e073cf67e4b22cfda35a8e3ecfd23feeef568dde50a33353da627bcf43142d71d583b169ac1113933f4aab003d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
543761f53da41b3c0f6422e16293d238

SHA1
d633dd29a2d9a779deff7b3ad3f5d7d7ad0e796e

SHA256
2e769557366e3a8e25ae89bab4a9c54a09ca71a5c38999b8883a01b070037865

SHA512
516013f6c47034cf049d0d14a781f0e5804470d113f401e9cebf8e110994e8bdba90a06392e27bb3719bee4b916edc78641763e0eb7c06626ba6d5057ec6233e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
61f4122502bd52e090190c35eca739d4

SHA1
442e8f0a202ec85e107c82ea68447597d1f13966

SHA256
95cc3df999dd32af122c012016c7e3f9584532e05a99f58bfa16e0f25fdb7a8a

SHA512
dc357e1126181ecb3abf2efe364f824f5774ba2e959782e602eade965c3d2c708c6a1f63973141ab024e7c3146635ae8c90420c1875b5d32c28cee7bf5576214

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe

Filesize
8.5MB

MD5
cd32eed7ff292c4be642d7effbcb7a81

SHA1
168b1c3861b0ff480250284b70a6d57b8852a629

SHA256
2e8957863173f7c3ce0e966b7683c04c16c01bdd78e41b6dc2a4b91a1d8f9181

SHA512
597dd3315a05a0dc28a9fd31b24afbe4f6d2094fc95e8c3b5724368d5a15c97ad71c9dee178ae8ef467a32d8bc8aee304bb1b8e560bc964183ff1eaa610f83de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddjP2D3ssR.exe

Filesize
9.2MB

MD5
4918410934e23bfbb179cb9073a14240

SHA1
45c8fb43c6af466bbd3023f191f7333c93597e40

SHA256
eeb8fb55a7de0f2c1cb177bb87f8e1644db1b2ceb4d449e4bce5f409226f799d

SHA512
a77fb8f9c4d09bd61b8ed3e37eb037d52d9690953cdfd4120ab0d311da59e87bde7126a53a94d92d007876d15128f4cb4cecf561407c3db0db96a3693491d0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxcytmx.exe

Filesize
27.4MB

MD5
d31f9bc076d52fa03f3a0879951f4694

SHA1
a2dac9662b706023d8dc78684a807a52f7347b1c

SHA256
d42d9de8e102af0f6a8bec27ffd3891ae275480febaa0d6438357f74a03cb977

SHA512
c24c805b4dd1bb9be4c4f20ba3ca2d2dc7cd5d58a80c9d05ea4ec0a1c3ebb2f54c0d02a699aa12b9d0eea002a2b363f840ba1ac79c721fc4a78f8f2843c8c652

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir8596_1735868825\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/1876-26250-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/1876-26242-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/1876-19057-0x00000000753E0000-0x000000007545A000-memory.dmp

Filesize
488KB

Download
memory/1876-17048-0x0000000075670000-0x0000000075810000-memory.dmp

Filesize
1.6MB

Download
memory/1876-13174-0x00000000751C0000-0x00000000753D5000-memory.dmp

Filesize
2.1MB

Download
memory/1876-26244-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/1876-26245-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/1876-26247-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/1876-26266-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/2832-13159-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/2832-13140-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/2832-30-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/2832-42-0x00000000751C0000-0x00000000753D5000-memory.dmp

Filesize
2.1MB

Download
memory/2832-3941-0x0000000075670000-0x0000000075810000-memory.dmp

Filesize
1.6MB

Download
memory/2832-5952-0x00000000753E0000-0x000000007545A000-memory.dmp

Filesize
488KB

Download
memory/2832-13157-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/2832-13158-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/2832-13161-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/2832-13162-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download
memory/2832-26243-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/17564-26269-0x00000000751C0000-0x00000000753D5000-memory.dmp

Filesize
2.1MB

Download
memory/17564-30157-0x0000000075670000-0x0000000075810000-memory.dmp

Filesize
1.6MB

Download
memory/17564-32166-0x00000000753E0000-0x000000007545A000-memory.dmp

Filesize
488KB

Download
memory/17564-39351-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/17564-39352-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/17564-39373-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/17564-39353-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/17564-39354-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/17564-39355-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download
memory/17564-39357-0x0000000000400000-0x0000000001F5A000-memory.dmp

Filesize
27.4MB

Download