Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-11-2024 05:09
Static task
static1
Behavioral task
behavioral1
Sample
3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe
Resource
win7-20241023-en
General
-
Target
3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe
-
Size
3.8MB
-
MD5
4460daa6f9f3af2fc759d3743ac31097
-
SHA1
e59f830a0ca7aa8a45d2f694ed98297f5d0355de
-
SHA256
3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46
-
SHA512
63c6fa11b2ed283920102859d9bf7334fed1293cbb05d748a1be6e7f78bf8cd8fb31013353a3b6eb6b9fbb10d034331dbdcbf346336b86a25624e0cb55e0a8cd
-
SSDEEP
98304:/ws2ANnKXOaeOgmhB/x2KB5qFb0I+0PqkWE:JKXbeO77p5sbSE
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/1172-19-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/1172-23-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/1172-20-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3624-29-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3624-28-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3100-39-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3100-57-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3100-113-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 9 IoCs
resource yara_rule behavioral2/files/0x000b000000023b69-5.dat family_gh0strat behavioral2/memory/1172-19-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/1172-23-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/1172-20-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3624-29-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3624-28-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3100-39-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3100-57-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3100-113-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\131.0.6778.70\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable" setup.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe GoogleUpdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0" GoogleUpdate.exe -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240617859.txt" R.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatfor.exe -
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation chrome.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation chrome.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation chrome.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation GoogleUpdate.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation chrome.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation chrome.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation chrome.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation chrome.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 40 IoCs
pid Process 3548 R.exe 1172 N.exe 3624 TXPlatfor.exe 3100 TXPlatfor.exe 2272 HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 4804 GoogleUpdate.exe 4416 GoogleUpdate.exe 2552 GoogleUpdate.exe 3648 GoogleUpdateComRegisterShell64.exe 4528 GoogleUpdateComRegisterShell64.exe 3296 GoogleUpdateComRegisterShell64.exe 3036 GoogleUpdate.exe 2148 GoogleUpdate.exe 4432 GoogleUpdate.exe 3580 Remote Data.exe 2612 131.0.6778.70_chrome_installer.exe 3648 setup.exe 1208 setup.exe 4560 setup.exe 552 setup.exe 5040 GoogleCrashHandler.exe 3288 GoogleCrashHandler64.exe 1872 GoogleUpdate.exe 4056 GoogleUpdateOnDemand.exe 3604 GoogleUpdate.exe 2688 chrome.exe 952 chrome.exe 732 chrome.exe 2192 chrome.exe 3044 elevation_service.exe 2732 chrome.exe 3056 chrome.exe 1492 chrome.exe 3328 chrome.exe 1744 chrome.exe 1664 chrome.exe 4832 chrome.exe 4188 chrome.exe 2976 chrome.exe 5892 chrome.exe -
Loads dropped DLL 53 IoCs
pid Process 3548 R.exe 3640 svchost.exe 4804 GoogleUpdate.exe 4416 GoogleUpdate.exe 2552 GoogleUpdate.exe 3648 GoogleUpdateComRegisterShell64.exe 2552 GoogleUpdate.exe 4528 GoogleUpdateComRegisterShell64.exe 2552 GoogleUpdate.exe 3296 GoogleUpdateComRegisterShell64.exe 2552 GoogleUpdate.exe 3036 GoogleUpdate.exe 2148 GoogleUpdate.exe 4432 GoogleUpdate.exe 4432 GoogleUpdate.exe 2148 GoogleUpdate.exe 3580 Remote Data.exe 1872 GoogleUpdate.exe 3604 GoogleUpdate.exe 3604 GoogleUpdate.exe 2688 chrome.exe 952 chrome.exe 2688 chrome.exe 732 chrome.exe 2192 chrome.exe 2192 chrome.exe 732 chrome.exe 732 chrome.exe 732 chrome.exe 2732 chrome.exe 732 chrome.exe 2732 chrome.exe 3056 chrome.exe 1492 chrome.exe 732 chrome.exe 732 chrome.exe 732 chrome.exe 1492 chrome.exe 3328 chrome.exe 3328 chrome.exe 3056 chrome.exe 1744 chrome.exe 1744 chrome.exe 1664 chrome.exe 1664 chrome.exe 4832 chrome.exe 4832 chrome.exe 4188 chrome.exe 4188 chrome.exe 2976 chrome.exe 2976 chrome.exe 5892 chrome.exe 5892 chrome.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer chrome.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ini.ini R.exe File created C:\Windows\SysWOW64\Remote Data.exe svchost.exe File opened for modification C:\Windows\SysWOW64\Remote Data.exe svchost.exe File created C:\Windows\SysWOW64\TXPlatfor.exe N.exe File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe N.exe File created C:\Windows\SysWOW64\240617859.txt R.exe -
resource yara_rule behavioral2/memory/1172-17-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/1172-19-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/1172-23-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/1172-20-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3624-29-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3624-27-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3624-28-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3100-39-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3100-57-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3100-113-0x0000000010000000-0x00000000101B6000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Google\Temp\GUM9173.tmp\goopdateres_ja.dll HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File created C:\Program Files (x86)\Google\Temp\GUM9173.tmp\goopdateres_ta.dll HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File created C:\Program Files (x86)\Google\Temp\GUM9173.tmp\goopdateres_te.dll HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_en.dll GoogleUpdate.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\131.0.6778.70\131.0.6778.70_chrome_installer.exe GoogleUpdate.exe File created C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\CR_BFCE1.tmp\SETUP.EX_ 131.0.6778.70_chrome_installer.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\Locales\ta.pak setup.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\optimization_guide_internal.dll setup.exe File created C:\Program Files\chrome_Unpacker_BeginUnzipping2688_250836669\_locales\be\messages.json chrome.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe GoogleUpdate.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe GoogleUpdate.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pt-PT.dll GoogleUpdate.exe File opened for modification C:\Program Files\chrome_installer.log setup.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\Locales\hi.pak setup.exe File created C:\Program Files\chrome_Unpacker_BeginUnzipping2688_250836669\_locales\sw\messages.json chrome.exe File created C:\Program Files\chrome_Unpacker_BeginUnzipping2688_250836669\_locales\my\messages.json chrome.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe GoogleUpdate.exe File created C:\Program Files\chrome_Unpacker_BeginUnzipping2688_250836669\_locales\lo\messages.json chrome.exe File created C:\Program Files (x86)\Google\Temp\GUM9173.tmp\goopdateres_et.dll HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File created C:\Program Files (x86)\Google\Temp\GUM9173.tmp\goopdateres_sl.dll HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fr.dll GoogleUpdate.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ru.dll GoogleUpdate.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\Locales\am.pak setup.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\Locales\bn.pak setup.exe File created C:\Program Files\chrome_Unpacker_BeginUnzipping2688_250836669\_locales\sk\messages.json chrome.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ro.dll GoogleUpdate.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_uk.dll GoogleUpdate.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\Locales\zh-CN.pak setup.exe File created C:\Program Files\chrome_Unpacker_BeginUnzipping2688_250836669\_locales\zh_HK\messages.json chrome.exe File opened for modification C:\Program Files (x86)\Google\Temp\GUT9174.tmp HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_lv.dll GoogleUpdate.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ml.dll GoogleUpdate.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\Locales\ar.pak setup.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\chrome.dll setup.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\eventlog_provider.dll setup.exe File created C:\Program Files\chrome_Unpacker_BeginUnzipping2688_250836669\_locales\ml\messages.json chrome.exe File created C:\Program Files\chrome_Unpacker_BeginUnzipping2688_250836669\_locales\ko\messages.json chrome.exe File created C:\Program Files\chrome_Unpacker_BeginUnzipping2688_250836669\_locales\pa\messages.json chrome.exe File created C:\Program Files (x86)\Google\Temp\GUM9173.tmp\goopdateres_cs.dll HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File opened for modification C:\Program Files (x86)\Google\Temp\GUM9173.tmp\GoogleUpdateSetup.exe HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_en-GB.dll GoogleUpdate.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hi.dll GoogleUpdate.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_tr.dll GoogleUpdate.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\Locales\fr.pak setup.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\Locales\th.pak setup.exe File created C:\Program Files\chrome_Unpacker_BeginUnzipping2688_250836669\128.png chrome.exe File created C:\Program Files (x86)\Google\Temp\GUM9173.tmp\goopdateres_ro.dll HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File created C:\Program Files (x86)\Google\Temp\GUM9173.tmp\goopdateres_sv.dll HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_da.dll GoogleUpdate.exe File created C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\CR_BFCE1.tmp\setup.exe 131.0.6778.70_chrome_installer.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\vk_swiftshader.dll setup.exe File created C:\Program Files\chrome_Unpacker_BeginUnzipping2688_250836669\_locales\eu\messages.json chrome.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\Locales\ca.pak setup.exe File created C:\Program Files (x86)\Google\Temp\GUM9173.tmp\goopdateres_el.dll HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File created C:\Program Files (x86)\Google\Temp\GUM9173.tmp\goopdateres_ml.dll HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File created C:\Program Files (x86)\Google\Temp\GUM9173.tmp\goopdateres_ur.dll HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bn.dll GoogleUpdate.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_it.dll GoogleUpdate.exe File created C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe GoogleUpdate.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\icudtl.dat setup.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\Locales\en-GB.pak setup.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\WidevineCdm\manifest.json setup.exe File created C:\Program Files\Google\Chrome\Temp\source3648_265222773\Chrome-bin\131.0.6778.70\chrome_pwa_launcher.exe setup.exe File created C:\Program Files (x86)\Google\Temp\GUM9173.tmp\goopdateres_uk.dll HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoogleUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language R.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoogleUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoogleUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoogleUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoogleUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoogleCrashHandler.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoogleUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoogleUpdateOnDemand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Remote Data.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TXPlatfor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoogleUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoogleUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 212 PING.EXE 3036 GoogleUpdate.exe 1872 GoogleUpdate.exe 4780 cmd.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763802557252244" chrome.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}" GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine\CLSID\ = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}" GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32 GoogleUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LOCALSERVER32 GoogleUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VERSIONINDEPENDENTPROGID GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID\ = "GoogleUpdate.CoreClass" GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods\ = "10" GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalizedString = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.372\\goopdate.dll,-3000" GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ = "IPolicyStatus3" GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\NumMethods GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods GoogleUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VERSIONINDEPENDENTPROGID GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603} GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}" GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}" GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B50B3FA2-B519-4C16-A932-46E9FFD1D910} GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32 GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher" GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32 GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}" GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B50B3FA2-B519-4C16-A932-46E9FFD1D910}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.372\\psmachine.dll" GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837} GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE} GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\NumMethods\ = "24" GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ = "IPolicyStatus2" GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods\ = "5" GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebSvc\CLSID\ = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}" GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82} GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32 GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML\Application\ApplicationDescription = "访问互联网" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32 GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32 setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32 GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32 GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}" GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID\ = "GoogleUpdate.Update3COMClassService" GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6} GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E} GoogleUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\PROGID GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}" GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32 GoogleUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28} GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13} GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusSvc.1.0\CLSID\ = "{1C4CDEFF-756A-4804-9E77-3E8EB9361016}" GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F} GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ = "IGoogleUpdateCore" GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF} GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoreClass.1\ = "Google Update Core Class" GoogleUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4C0B6D8C-1ECE-47E8-8C92-4CD88C0274DA} GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B50B3FA2-B519-4C16-A932-46E9FFD1D910} GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}" GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272} GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32 GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ChromePDF\Application\ApplicationName = "Google Chrome" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}" GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ = "IGoogleUpdate3Web" GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28} GoogleUpdateComRegisterShell64.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 212 PING.EXE -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 4804 GoogleUpdate.exe 4804 GoogleUpdate.exe 4804 GoogleUpdate.exe 4804 GoogleUpdate.exe 4804 GoogleUpdate.exe 4804 GoogleUpdate.exe 2148 GoogleUpdate.exe 2148 GoogleUpdate.exe 1872 GoogleUpdate.exe 1872 GoogleUpdate.exe 4804 GoogleUpdate.exe 4804 GoogleUpdate.exe 4804 GoogleUpdate.exe 4804 GoogleUpdate.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 3100 TXPlatfor.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1172 N.exe Token: SeLoadDriverPrivilege 3100 TXPlatfor.exe Token: SeDebugPrivilege 4804 GoogleUpdate.exe Token: SeDebugPrivilege 4804 GoogleUpdate.exe Token: SeDebugPrivilege 4804 GoogleUpdate.exe Token: 33 2612 131.0.6778.70_chrome_installer.exe Token: SeIncBasePriorityPrivilege 2612 131.0.6778.70_chrome_installer.exe Token: 33 3100 TXPlatfor.exe Token: SeIncBasePriorityPrivilege 3100 TXPlatfor.exe Token: 33 3288 GoogleCrashHandler64.exe Token: SeIncBasePriorityPrivilege 3288 GoogleCrashHandler64.exe Token: 33 5040 GoogleCrashHandler.exe Token: SeIncBasePriorityPrivilege 5040 GoogleCrashHandler.exe Token: SeDebugPrivilege 2148 GoogleUpdate.exe Token: SeDebugPrivilege 1872 GoogleUpdate.exe Token: SeDebugPrivilege 4804 GoogleUpdate.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe Token: SeShutdownPrivilege 2688 chrome.exe Token: SeCreatePagefilePrivilege 2688 chrome.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4728 wrote to memory of 3548 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 83 PID 4728 wrote to memory of 3548 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 83 PID 4728 wrote to memory of 3548 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 83 PID 4728 wrote to memory of 1172 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 86 PID 4728 wrote to memory of 1172 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 86 PID 4728 wrote to memory of 1172 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 86 PID 1172 wrote to memory of 4780 1172 N.exe 90 PID 1172 wrote to memory of 4780 1172 N.exe 90 PID 1172 wrote to memory of 4780 1172 N.exe 90 PID 3624 wrote to memory of 3100 3624 TXPlatfor.exe 92 PID 3624 wrote to memory of 3100 3624 TXPlatfor.exe 92 PID 3624 wrote to memory of 3100 3624 TXPlatfor.exe 92 PID 4728 wrote to memory of 2272 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 93 PID 4728 wrote to memory of 2272 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 93 PID 4728 wrote to memory of 2272 4728 3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 93 PID 2272 wrote to memory of 4804 2272 HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 95 PID 2272 wrote to memory of 4804 2272 HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 95 PID 2272 wrote to memory of 4804 2272 HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe 95 PID 4780 wrote to memory of 212 4780 cmd.exe 96 PID 4780 wrote to memory of 212 4780 cmd.exe 96 PID 4780 wrote to memory of 212 4780 cmd.exe 96 PID 4804 wrote to memory of 4416 4804 GoogleUpdate.exe 97 PID 4804 wrote to memory of 4416 4804 GoogleUpdate.exe 97 PID 4804 wrote to memory of 4416 4804 GoogleUpdate.exe 97 PID 4804 wrote to memory of 2552 4804 GoogleUpdate.exe 98 PID 4804 wrote to memory of 2552 4804 GoogleUpdate.exe 98 PID 4804 wrote to memory of 2552 4804 GoogleUpdate.exe 98 PID 2552 wrote to memory of 3648 2552 GoogleUpdate.exe 99 PID 2552 wrote to memory of 3648 2552 GoogleUpdate.exe 99 PID 2552 wrote to memory of 4528 2552 GoogleUpdate.exe 100 PID 2552 wrote to memory of 4528 2552 GoogleUpdate.exe 100 PID 2552 wrote to memory of 3296 2552 GoogleUpdate.exe 101 PID 2552 wrote to memory of 3296 2552 GoogleUpdate.exe 101 PID 4804 wrote to memory of 3036 4804 GoogleUpdate.exe 102 PID 4804 wrote to memory of 3036 4804 GoogleUpdate.exe 102 PID 4804 wrote to memory of 3036 4804 GoogleUpdate.exe 102 PID 4804 wrote to memory of 2148 4804 GoogleUpdate.exe 103 PID 4804 wrote to memory of 2148 4804 GoogleUpdate.exe 103 PID 4804 wrote to memory of 2148 4804 GoogleUpdate.exe 103 PID 3640 wrote to memory of 3580 3640 svchost.exe 105 PID 3640 wrote to memory of 3580 3640 svchost.exe 105 PID 3640 wrote to memory of 3580 3640 svchost.exe 105 PID 4432 wrote to memory of 2612 4432 GoogleUpdate.exe 115 PID 4432 wrote to memory of 2612 4432 GoogleUpdate.exe 115 PID 2612 wrote to memory of 3648 2612 131.0.6778.70_chrome_installer.exe 117 PID 2612 wrote to memory of 3648 2612 131.0.6778.70_chrome_installer.exe 117 PID 3648 wrote to memory of 1208 3648 setup.exe 118 PID 3648 wrote to memory of 1208 3648 setup.exe 118 PID 3648 wrote to memory of 4560 3648 setup.exe 119 PID 3648 wrote to memory of 4560 3648 setup.exe 119 PID 4560 wrote to memory of 552 4560 setup.exe 120 PID 4560 wrote to memory of 552 4560 setup.exe 120 PID 4432 wrote to memory of 5040 4432 GoogleUpdate.exe 122 PID 4432 wrote to memory of 5040 4432 GoogleUpdate.exe 122 PID 4432 wrote to memory of 5040 4432 GoogleUpdate.exe 122 PID 4432 wrote to memory of 3288 4432 GoogleUpdate.exe 123 PID 4432 wrote to memory of 3288 4432 GoogleUpdate.exe 123 PID 4432 wrote to memory of 1872 4432 GoogleUpdate.exe 124 PID 4432 wrote to memory of 1872 4432 GoogleUpdate.exe 124 PID 4432 wrote to memory of 1872 4432 GoogleUpdate.exe 124 PID 4056 wrote to memory of 3604 4056 GoogleUpdateOnDemand.exe 126 PID 4056 wrote to memory of 3604 4056 GoogleUpdateOnDemand.exe 126 PID 4056 wrote to memory of 3604 4056 GoogleUpdateOnDemand.exe 126 PID 3604 wrote to memory of 2688 3604 GoogleUpdate.exe 127
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe"C:\Users\Admin\AppData\Local\Temp\3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3548
-
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:212
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exeC:\Users\Admin\AppData\Local\Temp\HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Program Files (x86)\Google\Temp\GUM9173.tmp\GoogleUpdate.exe"C:\Program Files (x86)\Google\Temp\GUM9173.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={F403DCC2-7F09-8811-74F4-EE2B00D4CD16}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"3⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4416
-
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3648
-
-
C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4528
-
-
C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3296
-
-
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNzIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4zNzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzY0NDc0Q0YtNDkyQy00MjRELTg2NjUtNTA3ODYzQTA4OTBCfSIgdXNlcmlkPSJ7RTcyNTY3OEYtMjc5MC00N0FGLThDOEEtMDRCOTQ2MTdBQUU3fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezMyMUUxN0JDLTczMEMtNDFDQi1BODNDLTVEQ0RFQzdGMzI5NX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjM3MSIgbmV4dHZlcnNpb249IjEuMy4zNi4zNzIiIGxhbmc9InpoLUNOIiBicmFuZD0iIiBjbGllbnQ9IiIgaWlkPSJ7RjQwM0RDQzItN0YwOS04ODExLTc0RjQtRUUyQjAwRDRDRDE2fSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMjQ4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3036
-
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={F403DCC2-7F09-8811-74F4-EE2B00D4CD16}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{C64474CF-492C-424D-8665-507863A0890B}"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵PID:1964
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Remote Data.exe"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240617859.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3580
-
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\131.0.6778.70_chrome_installer.exe"C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\131.0.6778.70_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\gui1E1.tmp"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\CR_BFCE1.tmp\setup.exe"C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\CR_BFCE1.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\CR_BFCE1.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\gui1E1.tmp"3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\CR_BFCE1.tmp\setup.exe"C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\CR_BFCE1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.70 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff621957d68,0x7ff621957d74,0x7ff621957d804⤵
- Executes dropped EXE
PID:1208
-
-
C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\CR_BFCE1.tmp\setup.exe"C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\CR_BFCE1.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\CR_BFCE1.tmp\setup.exe"C:\Program Files (x86)\Google\Update\Install\{160FF141-1B4B-41BC-B221-CF6541595409}\CR_BFCE1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.70 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff621957d68,0x7ff621957d74,0x7ff621957d805⤵
- Executes dropped EXE
PID:552
-
-
-
-
-
C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe"C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
-
C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe"C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3288
-
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNzIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4zNzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzY0NDc0Q0YtNDkyQy00MjRELTg2NjUtNTA3ODYzQTA4OTBCfSIgdXNlcmlkPSJ7RTcyNTY3OEYtMjc5MC00N0FGLThDOEEtMDRCOTQ2MTdBQUU3fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0U1ODkyODBDLTZFMzYtNEJGRC1BRDQ3LUQ4MjMzMDNGRjlEMn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTMxLjAuNjc3OC43MCIgYXA9Ing2NC1zdGFibGUtc3RhdHNkZWZfMSIgbGFuZz0iemgtQ04iIGJyYW5kPSIiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0MSIgaWlkPSJ7RjQwM0RDQzItN0YwOS04ODExLTc0RjQtRUUyQjAwRDRDRDE2fSIgY29ob3J0PSIxOmd1L2kxOToiIGNvaG9ydG5hbWU9IlN0YWJsZSBJbnN0YWxscyAmYW1wOyBWZXJzaW9uIFBpbnMiPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vZWRnZWRsLm1lLmd2dDEuY29tL2VkZ2VkbC9yZWxlYXNlMi9jaHJvbWUvYWNpbXl4dGc1Y3c1dXRtc2N5MnBhd2hvdHpscV8xMzEuMC42Nzc4LjcwLzEzMS4wLjY3NzguNzBfY2hyb21lX2luc3RhbGxlci5leGUiIGRvd25sb2FkZWQ9IjExNjAwMDYyNCIgdG90YWw9IjExNjAwMDYyNCIgZG93bmxvYWRfdGltZV9tcz0iMTc2NzIiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjcwNyIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjkwNyIgZG93bmxvYWRfdGltZV9tcz0iMTkzOTIiIGRvd25sb2FkZWQ9IjExNjAwMDYyNCIgdG90YWw9IjExNjAwMDYyNCIgaW5zdGFsbF90aW1lX21zPSIzNzE2OCIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872
-
-
C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe"C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe" -Embedding1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ondemand2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2688 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.70 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc8ddded08,0x7ffc8ddded14,0x7ffc8ddded204⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1888,i,10421711012029145905,8955384028618427015,262144 --variations-seed-version --mojo-platform-channel-handle=1884 /prefetch:24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:732
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=1872,i,10421711012029145905,8955384028618427015,262144 --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2392,i,10421711012029145905,8955384028618427015,262144 --variations-seed-version --mojo-platform-channel-handle=2536 /prefetch:84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,10421711012029145905,8955384028618427015,262144 --variations-seed-version --mojo-platform-channel-handle=3240 /prefetch:14⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3056
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,10421711012029145905,8955384028618427015,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:14⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1492
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3860,i,10421711012029145905,8955384028618427015,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:24⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3328
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4740,i,10421711012029145905,8955384028618427015,262144 --variations-seed-version --mojo-platform-channel-handle=4764 /prefetch:14⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1744
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4816,i,10421711012029145905,8955384028618427015,262144 --variations-seed-version --mojo-platform-channel-handle=4748 /prefetch:14⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1664
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5592,i,10421711012029145905,8955384028618427015,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5640,i,10421711012029145905,8955384028618427015,262144 --variations-seed-version --mojo-platform-channel-handle=5724 /prefetch:84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4188
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5968,i,10421711012029145905,8955384028618427015,262144 --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5924,i,10421711012029145905,8955384028618427015,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:24⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5892
-
-
-
-
C:\Program Files\Google\Chrome\Application\131.0.6778.70\elevation_service.exe"C:\Program Files\Google\Chrome\Application\131.0.6778.70\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3044
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:4408
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
294KB
MD54c3832fbe84b8ce63d8e3ab7d76f9983
SHA1eea2d91b7d7d2cdf79bb9f354af7a33d6014f544
SHA2568fe2226e8bec5a45d4b819359192ab92446b54859bf8877573ab7a3c8b4ada76
SHA512e6e316bf3414ffb2674bf240760b2617ced755b8a34ad4b3213bcca6ea9a0aa3c2e094319d709a958f603b72197bfa34b100dbe87b618e17601b2e0dac749f84
-
Filesize
392KB
MD5dae993327723122c9288504a62e9f082
SHA1153427b6b0a5628360472f9ab0855a8a93855f57
SHA25638903dec79d41abda6fb7750b48a31ffca418b3eab19395a0a5d75d8a9204ee7
SHA512517fc9eaf5bf193e984eee4b739b62df280d39cd7b6749bec61d85087cc36bb942b1ebaed73e4a4a6e9fa3c85a162f7214d41ea25b862a4cf853e1129c10293d
-
Filesize
158KB
MD5baf0b64af9fceab44942506f3af21c87
SHA1e78fb7c2db9c1b1f9949f4fcd4b23596c1372e05
SHA256581edeca339bb8c5ebc1d0193ad77f5cafa329c5a9adf8f5299b1afabed6623b
SHA512ee590e4d5ccdd1ab6131e19806ffd0c12731dd12cf7bfb562dd8f5896d84a88eb7901c6196c85a0b7d60aee28f8cfbba62f8438d501eabd1bb01ec0b4f8d8004
-
Filesize
181KB
MD50fe3644c905d5547b3a855b2dc3db469
SHA180b38b7860a341f049f03bd5a61782ff7468eac7
SHA2567d5c0ed6617dbc1b78d2994a6e5bbda474b5f4814d4a34d41f844ce9a3a4eb66
SHA512e2cf9e61c290599f8f92214fae67cce23206a907c0ab27a25be5d70f05d610a326395900b8ed8ed54f9ecbddfd1b890f10280d00dbcdad72e0272d23f0db1e53
-
Filesize
217KB
MD5021c57c74de40f7c3b4fcf58a54d3649
SHA1ef363ab45b6fe3dd5b768655adc4188aadf6b6fd
SHA25604adf40ba58d0ab892091c188822191f2597bc47dab8b92423e8fc546dc437ef
SHA51277e3bbb08c661285a49a66e8090a54f535727731c44b7253ea09ffe9548bae9d120ef38a67dfa8a5d8da170dde3e9c1928b96c64dfc07b7f67f93b478937c018
-
Filesize
1.9MB
MD5dce0fd2b11b3e4c79a8f276a1633e9ae
SHA1568021b117ace23458f1a86cd195d68de7164fa9
SHA256c917ad2bf8c286ae0b4d3e9203ab3da641af4c8d332e507319ee4df914d6219c
SHA512ba89867fd2bea6166b6e27c2a03a9a4759aee1affe75d592f381d9cb42facba1af1535f009a26f2613338b50de13b6576ab23c4e24d90827739f1678923ff771
-
Filesize
42KB
MD546f8834dd275c0c165d4e57e0f074310
SHA17acbfb7e88e9e29e2dc45083f94a95a409f03109
SHA25691ac6c9686d339baa0056b1260f4fd1394ce965b1957aa485e83ae73492f46b5
SHA512b615fe41b226273693da423969a834b72c5148f5438e7a782d39191ad3013e2abfa10d651fa2ded878abb118e31831dc7dec51729b3235cebb2b5d7f3ba2ade1
-
Filesize
41KB
MD5d1c81b89825de4391f3039d8f9305097
SHA1ecfcf4b50dfbb460e1d107f9d21dd60030bf18c3
SHA256597fe53d87f8aa43b7e2deb4a729fc77131e4a2b79dc2686e8b86cc96989428e
SHA512a2be34c226c0a596efa78240984147196a4de8c93187af5835f0cec90ed89e7dffd7030cd27e7a1f1bd7f26d99322e785e195f5d41bf22e00c4af08270699642
-
Filesize
44KB
MD50d7125b1bda74781d8f1536e43eb0940
SHA139818cacce52ff2edfb2a065beb376d43fdb0a93
SHA25600dfe30f3e747b5788f7ae89b390e63760561a411b7e39257376cd13700a1e0b
SHA512c34d7405acceb7186cf63e75083981b9230d2755e207fdfd1dbce7d59a96f30ec04c28c12dbe0ed96fb595c63dec8819c08d406840787d9b9797568fbf50dec2
-
Filesize
44KB
MD564ed14e0070b720fcefe89e2ab323604
SHA1495c858c55151e2400a1a72023aa62216033f928
SHA256635f3a7fd3c1f62eb91117189ac84e1a1e5c3a8e104863d125c16e8be570e3d1
SHA5124fab73de11e595c7e4edd9a66137f8e7b0b13db1799dbe4c10dd766783079d38d560c6cc1bf9af4bc1abd71f1706643bd9a31c0f58e55df3d0dd7d739e1480b7
-
Filesize
44KB
MD5ba783ac59839551280618c83c760d583
SHA153d1d10955e322a6135b047eecd88a4815f9b6da
SHA256c2d15f8da32907d8cea1aaa0d51f16bc692a74141fdace43a84c78647433a086
SHA512a635d52c20164a02dc3fc4ddb961bf36177014e0cb27e50588013a0e9f3787194de3c9da160672b62b25eb94ddcea366bcaa44b6bfa593da77c97aba48f8a50b
-
Filesize
43KB
MD58041b1db1f5a00dc1a617f02d9cd9744
SHA1963bb4e81134089d12b26ad1631bb0825e9b8fa3
SHA256c823d54a7777e3cb0ff2bbec829833f0ad5bfbe58290af02e0f85a877db50fb7
SHA512bfa81a184e2985e2755c941137562c40ad4903a9b883f84471ff10636c363be909db0044bb4320c1fb615303ee375d64675a894abe08414ff1c0a5da0e22d450
-
Filesize
43KB
MD513bb66cf80aea019219f9181496b5b74
SHA18bbd83fff1bcdc01e93ed263b8564519a7c6fe7c
SHA256c9e878e8c3a2ebe17df25c3406a0c449d93e56620e3006e83ce777952f47a488
SHA512e7c84e8c600767cb4df43b9ed1c5220becde79c32f832158bd78368ec9b04422f272715bbca5a261da967fcb019dbf01d154467c77d2775e46e19ab3f6d64f9c
-
Filesize
45KB
MD5c1dd450c8f536604579902fb23013233
SHA1ae60094a4a1a2a33624a65b0ce3132a77de6c6e6
SHA256a8422f753e831ea71c41867cfdc767fcbc05874fc039a0101bd05c571f8d822b
SHA51235ab265a6363856e40156185bffb93d6481ea321f63a033160847cb88cc0764a18f14f9a72265e2f1f9caeff4702efdd147a46b23614fce090e08b78cd3ebc4f
-
Filesize
44KB
MD559ba1742a224cb96c89ca335ff208409
SHA12b595feed6efe926cc87c16534c3b8bafc511cdb
SHA2562836ec2d0830b66f281d65cb24f9ea2311e6464f13d4d0e41547be5ce994582e
SHA512a4e7bd47af97387ef0828daa4d1b6f820faef02c28e77dda0da08e0a4766f2beac42d4ac5dfec82e7c3fd1a39e9d6a1359d45750ebce4c0e6722567b1df6e919
-
Filesize
42KB
MD568420a06ad032bd6a79b2472c3350476
SHA14e301f757c209dc928ab05370a51abca66bd38d8
SHA256bbd19a75809f516726289377f97d67ae5f9122fdad0ad9f34974cbbbc91b9968
SHA5129829cb34552d85b99441273174e801f401b1d7df3c7140e8bbdb74b77008e3e258bbafab2afb3f01f7909198c1376a3ae9360c941c7df60ad49309fb916b5f8f
-
Filesize
42KB
MD50d30a76bbcbc637382fad5a927297a2f
SHA139dbd1bcb5372e06aa4ffa3a6fe0010bf8652517
SHA256dc22cbd055cfae79301c7906ca1e2a1e926aaf943fb11d8060b91202bd5759aa
SHA5121d73f9a223ff1d292a4886c1377a2dca0459b6f757f814d73e66746f25b4e97fbaf90188d96cc1829bc9a288b5a118ff472fabb1c401994b1524d70e92953f8d
-
Filesize
43KB
MD54a28036303c7f36827a757d0950669b1
SHA1af5fa8d2dbbd8f8bdac508f187731cf33ff8b960
SHA2560047475c9353a570604d437d8985cebc7230b26f010ef30f4176f93f0c2361b4
SHA512b5eaf77b729142abc233974c3900c39cd75fd2252e8ed49059bfe607d2b1c74b28f347b86793aa8e5a12c87701bfce8e9c87d34e262df7be559ecbd0f56e9c0f
-
Filesize
45KB
MD5f49411f7f8feb475ee096db6a5938290
SHA16926ddaf08b3f701fb357f032e76bb33e63f50f0
SHA256e7a76d367bffea50a8f0b2f8daee91b3e5250431127a9dfdaa25980c39b22573
SHA5120f95d6cf92882a30dedf4b51bda94cff87da327843569aa4f3c763fa2c658378795adaedbc3d93958128376e51d2d0792958def24a2e19c57d6717153d3512ff
-
Filesize
42KB
MD56d9e77d00e750d6c56784bd03dfe7137
SHA1e0c8e15adfb6b3efdc2eb1f7f3fbf5301d185ee6
SHA256feececd2144da0f8d7006695f2e915fef34b1cf1c00c867e2a08cf8d9e5b5bc5
SHA5128082e6bbf590212cdfd5b844557b66702e60220cd02d5850fb821a4a6527d4d5e82f1fa7595fab01f76090e8992ebab92de614205db4413ffb6bc48c9c10f185
-
Filesize
42KB
MD566e75aac042e5776513c1a20f360df78
SHA12916825a831048eae55402371591221be27eba3b
SHA2562528329f2177422671714b67c9d292e681791c26e6fca8d3e99d92434f23d686
SHA5126985d5004b6e919b7977c608be044004d2c1aafe1f855dd4b47dedb2f3a22cb04608df2c6079480b7cb3d08f8605c8aad1b3279c78482afd44280db143508839
-
Filesize
43KB
MD50ff6b7be8cceae26bd9ade3914b987c3
SHA16bb771e7c844ca501cbd1a05c0c19bb2078a784b
SHA25652e75123d0c6ca6904a613aebef15dc9e662a7296089923ea690b4e627e5cbe9
SHA51298e13a07d13691eb113ae63eff36c7c9041582ddfffb26f3918c0e87f484315930a0e924868c83dab46349bc09dddcb5bf0ae7a01155d9b1e2d90aba5ac4834b
-
Filesize
44KB
MD5b039877936c8bc88efd93656e8e2fc3a
SHA1b27e928267e2b7085e45cf6f450ba8bcc0af66e2
SHA2567ffa28c0273c63aad16d3ac3419144f5bb8ce3484be73c45130927aa3ada6e43
SHA51226992d60966d56b64b0ca2047f9149bbac8e6522d14ac2a9b2a4e57d5991f26a050e02fcb475243f0787221fc2307d5523f2c33b6abc3f6c7aa5daa1938f67f3
-
Filesize
44KB
MD5048033bd00459d6a545744ba1d46ab45
SHA11f9cb02b84da6b603b8be9a717f4ae3f32cb3f4a
SHA25652099330cdfdb45b04db7bc0b2003762906afdca4ce16e7a33f0b4f7aebefe7b
SHA51266a676c37e03dd326777534aba889410a6ecf43e17a5f5736415a5be179d4f8aefd626a1f28b4869d3dd17a296b04eaa88d20c90796f9a9cfc3899007a08748c
-
Filesize
44KB
MD59acb142c6097bef9a56847eaff078a5c
SHA1d69d206d06dcf09b46b0e8bb47c177cb2a5bd8e6
SHA256125b6ee3b4fee064eabc9baf671a366e4e88f68c97e582972cf741d914284628
SHA51249f06023c4c70b75aabb81b586114704bc905480f4c0978e8d4315c232ea0b5d7d9545b7d02a9b24b71f72b066e926839908e2ace1ccf245716e6ef2fcf1193c
-
Filesize
43KB
MD58d62d3b71591fcb40f59b6d0f651614d
SHA12c7b1831cead9e2acb85cebaf1c2c53784476f38
SHA256ad368ca65db3e0a9417634d6bd2ac81c38858f875c1cdc6d641c2389b99d5a59
SHA5129ad0a199148eb21927c1ee3976fde7be2968063955b1a5526fe18b62bc12c3b4d6e2d7dad7b5b1e8f76937733ae4a38289a32bcebfe60ab50f0f80648ce80711
-
Filesize
43KB
MD5b9114cc4de1128c5156e3afc7f8123f0
SHA1ff0fe96553ade4200d68305dd2e694dc91a2995d
SHA2562846c112a3f0a3c6b050fbac7ea96dd3733f117068a5cccc8b6cf16ede9d4c47
SHA5123bb6519556cef59d91ad92e11987ae6a36c9436cee5fe79b2a08b24fbbc04207c1114d466c0dc05f63221b368cd13b818b0c87188feb2511716a2ad75675a478
-
Filesize
43KB
MD55601a611f2801a57025ac0f6725ce7e3
SHA1bd2f8d12a70b19546adfd22fe6a590a4274d2669
SHA256bd765a07250856c9ecb5a8319f04b9bdf4d2251827324ab5066b3d731b18ac18
SHA51241ea26924ebf780e5d91ff8e5383d31b04076197b43ba964860556484b845e0590bf4cd805876cafb7cfb3082002cb35454bfc34c55e17113d9778a73182bc38
-
Filesize
42KB
MD5e8706af39491f7a579a4a03d7e97ee86
SHA12f0cb0de6a34f368803003bc33f260137741d525
SHA25615dbad35e7fa0dcf3ac2f08adbfb56981e3365f91d801c71f913fc0ab7c4cb52
SHA512b3544f99cbfd0dec7bd2b9169364cb2daac8aa388f24f27862de71e4bcf40a24ae42900510aad30cdcfddd0594b62083ce67c9b573c8fe3a3055873ffab7297a
-
Filesize
42KB
MD5d9bd75ad7a3a353cee9c40044ce5b794
SHA15cfae92b010c7f15c0de3faa2d556501077eba6c
SHA256569ae0a08a78a956848b5a468247a02a0a0917657de3dfd17ebd67cfc929f38d
SHA512256c11f9c5adc1efb11a3eb0807226afe72bdf02e6657104001b11c12961accd2e9ce4b7c6f8ec8dc577f8b25d6049f18f143786f2b9b5b2b9b6f14bb480b7ee
-
Filesize
44KB
MD549a37b39ed5f6fc7f8ed271afb7b4b00
SHA1e688384442cf0c87d95afe2dd4ac9219e2ac6862
SHA256d6a2194ed9fc11cf4ee229d6282225e732594c345b3a948d78e1e25287e2bb92
SHA512d75608306a0b44a1a6c8264804fc77dda034a83a2e1198a982a388b99e595687aa2b1c34d49f4ebc92b05f4932319eb0f66caa5d749e1a8f0b33b51a379367aa
-
Filesize
40KB
MD57c89d57d66e73d8f09ebafa1733e61c2
SHA1d2cdf93717da261437a841dc7bea321dda20736a
SHA256936ca4058d17ceff0ad72ffd721ec87e76a7df8066fb10110a8ae7bf311d5c27
SHA512205eae74837c601e459ba5d7a994f3ba76b279ca67ffc8d694d9b75baf72bedaf72f18443417010c19fd3c97560aa7c1284b319a738afea5a2402d7763fb1674
-
Filesize
39KB
MD556c037987597e28377c43df3fd64a2a0
SHA11e769ef90a0c8c5bf3c4a6d4e4ff5897a4e1ab84
SHA256d158b0a602fafda9a117ad6065ecab3f02159ec1055adbac8979b311db83e1c7
SHA512b2982807011cc473842aa89aa425fcc504d91072e384246122ebdc33b56ecafe16b746cf5206d2686412f90ee663b1545565cc050dda600295aa8bb4fa0f6828
-
Filesize
44KB
MD578ba7d33500cfa4639519609f7cedec8
SHA19b0d9c945917d61f8a0caf2c3e11d0cb2c7e6c7f
SHA2566c8c7692fcce08684ead91e0a68c09121e46e45c1aa5d30aa9342d9ff099a3e8
SHA512f3e7acbaaee401a2a3b0a68db88fbf6fb620940cfe2891d822f38ef18ee5739d0ce66d5f440eb8ccc1d336ac5a406bb668ca20eba9fb494c0adff3bde8c73d96
-
Filesize
38KB
MD55c8d844a20331d1753b38babc1ec567e
SHA1ebf130fb8c1550d329aa2eb008780c2a8a69dc06
SHA2562da70429e0e6b931da700861a2c0b416d9420c3973531edef460079fd2d95c8d
SHA5120a27588c7f5791940ac4d8946533a1572d70f8c4fbdf0ce35a3c15a3ae56d77d2094b2b2c1ed4090bfad4ce11488d616d5bedfe6dc62ba32ab33714abce8ec65
-
Filesize
42KB
MD5979ddd15d4625f2d9442308ac23b093e
SHA141bdaf8e7930a788e72b2e8d812d3ad8cc9614d9
SHA256546ec90e214472e91048428924aea9853eb1a0baea8fca9af87f5b4640440078
SHA512148e0c38279d1ae560713fa4c0f2bf1c0245b6971d71d7b4a2cf44c4d512ad1fc8a9cb33ce7554f4a4855cc0ef319c6e72784cb2c4b87b324990ba945c31ef9f
-
Filesize
43KB
MD5dd5164441187cd34cf6b4571ad06b02f
SHA112acf5a1184c074ef04b52f2e855866b815fe61f
SHA256df49a28d88b5a20f2bd26fe17fd049a04baa5c27c0c9d96203335c4ee52d4413
SHA512c1bb517c682f211f6894c06810bf13079dabbc1912d8f6932746c0dc774b1ad836c21cb2e7f19f7575eb4ba989644f7806f13fca2653dab7b44960a567788a57
-
Filesize
46KB
MD51a68c9a98363c381f08922f560250758
SHA15c8fab19a6fce550c541ddae84c1ed1eeb1d9a8f
SHA2562a308897298977866c0199c137f679773ed63ed703b1286d07cf0e1de45225f1
SHA512c22490c4660ba897c34eaf2f1681b9ef713bb8da72969db4a462ec8f639eef1a3403a7cbafe8f86906d69a4c716e8d638caf89aa9911996d1d1600b0659bce07
-
Filesize
44KB
MD5b7479d97664ff3f68883a4665ad46f03
SHA1fed7419a8408adecd531d6f7e1a24bfbbb97a25b
SHA256d8b54b04a01467927702a439f875de02577721da3d6b393fc9b6d5f81f0e363b
SHA5123885c46f4763961ac41ecf4e33ef67f560b14672087894bc0d72b6fdf1e73feecc5a4990f0df52759032085ae4b9cf918355010954166614b18e3cfed2e82645
-
Filesize
42KB
MD57f3113def8e50c086bbe84273477bad4
SHA1f29165a7988ed9b46fa162b02cbc58e3baf9dc8d
SHA25660821a3672d3170f4d2e230e4c72aa3fef58cdeea16d0af22b5c2077bd76750a
SHA5123fb6f5ea722e81ccfbaf01110fa341f8299a81b71ae072f52d11e2c8b3bcf202175f9c8e176c289aeac9d405d9919e406ae75929a942b52f49cc52a0858611dd
-
Filesize
44KB
MD5092df8fbd33220a72d1a81745cd61722
SHA116ee50224dc792a144dd8445c1b1017f0b22d252
SHA256001666ead47d5efa71ccfa9818269e137f0c4ad90f32d758a9e6d9bc4560bb9d
SHA512d2da63cfb76879745de3d2b537673f584bd2f28fca9582a8476f78b69ae0caa156085b61c33f03737748b942a1196ec0f1a4628766ad85ad6de60c6d68cb5ea2
-
Filesize
43KB
MD59efb18e27e49361b5ca0fe4eebb286b2
SHA17e522beabde6ad87aec419f4c26395c64d8382a8
SHA2563c066ff77d407ad1547372027f0c569ff65b06f1a5e34ed578ab9e6b87ce4876
SHA5125c034c37801cea6fa3219d24f81b62bd416e4ce2e9102285be34ade76d80ed0229d7951c8b4626e2aa602991a8ba5424c2409a50f9dc8909d335a84d6bccc52b
-
Filesize
43KB
MD5355fe9ce9db81686db356a30c17212a4
SHA16eb7892a5ab482f9f2e4c91dc12700e1e0eeffac
SHA2565a6d70da9a5ebae1d28d8fa97ec40e40b271d5386648a5d00e28d49fd41a2bb0
SHA512b76653623bbef763639ab79f75173811962727b677bfd359952224d61a4537f8ec8067ce9281145f1500d68b4133792c1a03beae9708067d3a57bf2138e63d9b
-
Filesize
43KB
MD59dd85190c1ca43e4ea964f6695f34865
SHA1f0c597a48312d55a6b820eeea05747b99d815a96
SHA256ee5403a3ea60d3308d4999e6092aa4ad80fec2a90a701e7ede44f29298c48737
SHA5123ba6b4143dfd3be9f9f5cf4d80e54f99bc68976f7bb662f97bccc80bc1789494a35fa958921589d65131d5cb1784fd09c48f7bbe940ced165ef4b0dc9afb998b
-
Filesize
43KB
MD582ef6ec70333a490acfa9e46680a5d50
SHA17dee942e0af205b0d5e65a237fcb571602080d61
SHA25621193d4beead2b2d43ad2417219018803103b5e0db94273005c0f480c3ef5d73
SHA512c819ba1f42fbf11e446dcd2e4a51e9f2d607a941d0380768747286d0f8dcc7872fd76669f411a4a61e9e0417aae4e2d6085611abae62777feac6e9a4e1cd6061
-
Filesize
43KB
MD5dd97a63df7ddfc0ed38f09dcfb8f31f8
SHA1ed049d9162f9216ee6b440ede178af8ae489501c
SHA25669333435afbc6821a0f40497466f98fa8e20a10ee928b2a85ec711ac77d7442c
SHA512f2b99a9fde86c21bf99423d1686a0d9a7d4a064ae9b648346db65ec071e86e6070b0bd72d24a2806a316108ed7cb9b1bdfe8713e1c8f661bd66ef5f540e1207c
-
Filesize
42KB
MD56534fdfc9541218c0cc45450ff5cf322
SHA1e34f0094597907895db8e5460a2177231c4e3c82
SHA25608fb286a2823fef7a25b8359beef81f6f1ba65de7a9e76ca598612a981e3bc8e
SHA5124c86efbab153ef7fd06f5283737f1859cf6f10dc3f64d36684ab0cd81d3eb5b2a7ac2fbe6c1ef2f21c3eceb67694560894e162e57dfa1e177a64d67cd8537e52
-
Filesize
43KB
MD559e7c6d09737f36d43dc66cf6550109b
SHA14bdc91ba8fc182ed213345e49b2806918cc03712
SHA25699c406740386846de02fd0b8af6d63b1b6de586f0d3125846b904c8b2f35ffef
SHA512bbac8e066927efb40545e2d474dad921dca646407e2bb2360f6f7802e0cbfb71c4b60ae8eca6c13b49cbe469141a301194cc43cb12464e1e826c56ba0a04e4cd
-
Filesize
43KB
MD510c0234687254950bb93f7c379c1da49
SHA145b21d2531ca4f8ed67767c3e813b3a5f51845d3
SHA2560eaf7f8721f2b51d10ff36c1ef0bc7cd958b351a81a720e0b8908f93048fb88d
SHA5121a6ea2cdc3b55618f8145ba957089f01c613e407797256fa540a7ac9723a216419463a07a0a99fdc62d827dccc5f6290f84e79b21e810ded9f990331e422d70d
-
Filesize
37KB
MD53238536195c72141bf60ee15ce6413dd
SHA15d89916a8f72b9836e3e2e1eb93077b515a231e9
SHA2565c0e33d4cbda0d878a48c51a7286e6ce3884ef0aa06ce4fc306b888d3e8f07f4
SHA51278fcc97db95b720e1ce7fa24ec9820d784a8013f791837629021176f8ae416775ed8a25b3afbce33fc18b29de5375f3ea2818a5a345ba0ad87bc71dfb72cbe0c
-
Filesize
5.8MB
MD51b71bae8bb7536b2f4a9b240720763d8
SHA1628bd4608a0fa1c11388c9aa500174e9af05625a
SHA256b8c6e44308a0282dde16d7a8206ecdb43fe2a25697a6b074d5ec0e1fc997064c
SHA5123b893a3508d9b0fa59e00da2c9307868c13b9fb86086ffb16145fe0703b5a1d1cd3ee4b098f76373d46736c6142f90807854640264843490a58e770c135c2a45
-
Filesize
414B
MD59522d2ff6c9e90affb99c93d86b0b018
SHA1898e3904da4d3f56e0ee2ff1520224a521be48c2
SHA256c8ba22280f759f595e2dc99af4b385c5916bf3508ac58531c7628908368bddef
SHA512bb10e708d284441633a05fe2c6a05a842556543d45fce2a677a5c0ad1066687a1c723679ca52a41150272a5d0ce385f12e9fa7b8f26cd1d75863e424ffd29728
-
Filesize
96B
MD50e35b51c80639498224a5618a2f44a9a
SHA1631743f0ed41c75e1671762993471953314986fa
SHA256bb169a71078c552b568616916b2d4ccb07107113c0fb317df2645206bad6c26e
SHA51268061a607b60fe3d1f73b7baa4c584d1a85307332b94d3bcfa10f9a5f19243e803d907f788a27d100ba092c881ddcf37632517d7152d67905a313bce5d17010a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
Filesize854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
2KB
MD5e646383dd714835738f387150b7be67d
SHA1b035ec285d4458f35a5047382a39bea5bd645d7d
SHA25632968290c287a7dad12cd0e34020c369ca695d05c47a85fbc9c27d6ef2e93b4b
SHA5128850b0a88165b4c4c8cffde141d30649dbdacb2dfa81ce7b14842d4e3c07a2cb560c4c27334a685d874e0956f0bb84f9cc269e512217f4459d88543d11f00905
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD529d6fcebe89ec9cfd73d0506a8b51acb
SHA1523c1659fe55eb6c2ffc9144f7649708f1b093fd
SHA256817514963e722ca8e5fceeec998c822fc7de4234025af5ccb50da4e48ac66d50
SHA51277e7709725ccb221f40dd3d8a3158ea94ae79c50248de95fddcee147d7a6161ebfa94505220d96a72599b42d26c2753f5ae94e01d72882261357d82fb5382a9c
-
Filesize
11KB
MD5016a5c8e7e576eb00710b93b4c511232
SHA1d0544130cc34cc00d8c69f8f135371913cef588a
SHA2566eb81abdc684aad4fd6c974229158554e071a4c9f74fdbb1ce7dd8c5ecb73799
SHA512ce625bd8022ba079fcf3b1a7c10b5b588580f2c9e55e9a8ab1cfa1a796ea0a81c62937526558dab45e99c3913629b78321353035c191421fb6d12d406604933e
-
Filesize
15KB
MD5666b2f8a5c714ec2894a7058678852e9
SHA1a758d1b694dda68a2595f080987d31e811799184
SHA2563e0ae772b8dab130fade3244ba89567442972e9ef018dae597f31a60e6fff7f8
SHA5124d573922330d0766dbf75d41d46b4bf03b7263b51e42efe62f3d3739b004566a3fe5989e82b3df2534ab5a94bd341d8ba802cb17701eb967f623bbbed2ac5346
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD571d2a7a7c3d52d0768bc24f1c5057172
SHA1960af05eb1e2dc55748fdcf2b4ee4a388b5dd34d
SHA256962022f6a12cc4ac164aa4625c429d81f26707b0154c66ebcd9ae46cb8f0baec
SHA5127967254cf5bb17b66c4a634500565d27be002bc482e07d6713bc7850bb3311ad3bf1bcdc61dbf84c51c939c25bbb0161c1bfbfb4345726cc3741e4b469ca6aab
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\df097c29-8eef-49d5-b360-95ff0aa54d1e.tmp
Filesize192KB
MD5505a174e740b3c0e7065c45a78b5cf42
SHA138911944f14a8b5717245c8e6bd1d48e58c7df12
SHA256024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d
SHA5127891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911
-
Filesize
38B
MD53433ccf3e03fc35b634cd0627833b0ad
SHA1789a43382e88905d6eb739ada3a8ba8c479ede02
SHA256f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d
SHA51221a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c
-
Filesize
196KB
MD5d7d819839196170d5b4741a044a4144d
SHA1bf99946fd6fdfb43ce2f6a50884eda5accb92683
SHA25652f0e8a9fe8acd3d340b47c53e1017a7429f88e2b272e70c68bf3e842a9ab33b
SHA5121fd7b8ebc49c8cabbc95d3e758546e4e92e2d632f15db6ff8ffbc48fcb6bfe194809de020c76e5daa434295ecce8e6334cbb931010444b38bc2d1f120e8bfa56
-
Filesize
196KB
MD524f9290f970bf857e2dd46ded1f483df
SHA1e9cf6fd52e5dbfbea44caff1b806ddad50a8b128
SHA256cb7b9eb86b79e1e895c4c26de6c6f59c0d8850d96f766b818c53d2bcac90693f
SHA512b8dfb6e9ed52d758174e4a8ffb6d3bf64becaa338da8075846f4f8c11e6fd6f373faf186c0903bca5e3bc2e0d9a08949c1006258ccaf5e5d201432959c2c64d2
-
Filesize
116KB
MD5323c7fcea1fee57dacd5df981a6ff64e
SHA17ac428aec1d6b82b8c7d720d9661c493ef37a6c8
SHA256cbc722d2ea5a9cea32ad2e0712d4a6a502068763f94779a144d8b7288a1c4d61
SHA51260f4b1119d45c6ca406badf5f01649d272e205efe88c35b31e84f9beeee1359d61769cf6d357d1d15d1259ae199a22ffca39d76a54e890e4fd00861450e62965
-
Filesize
115KB
MD5fd13cf7529bd00779fc0454dcaa0a1bb
SHA1a905e3c1c09f2a936aa86ba7ae775a65c091515c
SHA25667943a5ae83e6bfe40eb4128b18195e1a9f15d7a4581231d4d1302b4692824f8
SHA512fb1e42b636acf6f25fe322385fc8bd3573e876a9d4b807302dc58fdfe4a6d94590c38321b5e4edcedf2bd3fb1bbb4221954415b5a638035b9146106bbb548436
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
Filesize132KB
MD5da75bb05d10acc967eecaac040d3d733
SHA195c08e067df713af8992db113f7e9aec84f17181
SHA25633ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA51256533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef
-
C:\Users\Admin\AppData\Local\Temp\HD_3b890b103509bbe71c22752c61efff21a04d9c93bf4d7219ac9b4b452fd7ec46.exe
Filesize1.3MB
MD54c5f20e3e05f9d56c291d6dfe2f6417b
SHA1610fcce6bd9738958202f49bb3557fadfeade9e6
SHA2569a19b74e9247f9c4980f985bd4796e65b856081b2b12c9d66bfec3ee1f761ac7
SHA512efd2b8733737015b5e6d09146fb709d0cffb5ed81dac3c692576a2a880a2935eb1d0ad7996e9cb3485016e5331c94e8e7842c557901815f580884f53335cc49a
-
Filesize
2.5MB
MD54256e159d84900202b80f998b0d24d51
SHA1d5fa1d523eab526d025c61404aa7340fd771e153
SHA256e741c94ecfcf316b573ea23d9a0d3c0b63efa570329353a7e12e8012af545777
SHA512a2f80d6460e6165dcc6215c7493b71a0d8ace7850f7f034e4b514bf6f6bc8cc9cf2290ebce1bf8e4a9ce270734f6d6223890d639f528e73c830d01d328a1b30c
-
Filesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
Filesize
941KB
MD58dc3adf1c490211971c1e2325f1424d2
SHA14eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
899KB
MD57a0a3a5a4df84d73965a486668ac584d
SHA18bd004ca9da6d92998ac3a09a00cd3aa14f6475f
SHA256172df2a77d34d319d569023c3b6b5ba55cde0e214304303883fd2f1f319cd3e0
SHA512a7cf84e296072eaf3bf7a996c0af1344e8257b9bdebbac80d7acbaf019e16beac6751962919a38cc5fad13377eb8c43c3902af67e41f2c205d96773306fb4fad