Analysis
max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 21-12-2024 22:27
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe
Size: 588.6MB
MD5: 406da853741b451e074e2d66567b126a
SHA1: 4a2e040b94eabb5e72b647db64586b4dc3e22a62
SHA256: 89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3
SHA512: b47a095b79ee25cb8d794e6397b2279636f153f1919acdb8bbddd22768a99d10f1120e5587fd54301fd6b4323ac7e0eefe9e78d40fd0bf32eaf52b84de2c4eeb
SSDEEP: 98304:qDsqmfeoT5qEM+1+LofOz7VNBLghT2tNcTWTQbictE:X5GoVasEofyrRsEEWTQ3tE
Malware Config
Signatures
NetSupport
NetSupport Manager is a commercial remote access tool sold as legitimate system administration software. Its client component, client32.exe (listed under "Executes dropped EXE" below), is routinely repackaged by attackers and delivered as a RAT, which is what this sample does: the NetSupport client is dropped and started by Cunt.exe.pif, while a real Google Chrome installer bundled in the same package produces most of the remaining signature hits.
Netsupport family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. In this run all seven entries are written by setup.exe and the StubPath points at Chrome's own chrmstp.exe under C:\Program Files\Google\Chrome\Application\131.0.6778.205, i.e. the bundled Google Chrome installer registering its standard per-user setup component; this is not the RAT persisting. The RAT's autostart is the NetSupport.url written to the Startup folder (see "Drops startup file" below).
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\131.0.6778.205\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome" | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" | setup.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
The only value written is DisableExceptionChainValidation = 0 under GoogleUpdate.exe's own IFEO key, by GoogleUpdate.exe itself. No Debugger value is created, so this is a per-image SEHOP (exception chain validation) setting that Google Update applies to its own binary, not an IFEO debugger hijack.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe | GoogleUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0" | GoogleUpdate.exe
Checks computer location settings 2 TTPs 8 IoCs
Looks up the country code configured in the registry, which malware commonly uses as a geofence. Here all eight reads come from chrome.exe (7) and GoogleUpdate.exe (1); neither Cunt.exe.pif nor client32.exe touches the key, so the hit reflects the bundled Chrome install rather than a geofence in the RAT.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | GoogleUpdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | chrome.exe
Drops startup file 1 IoCs
This is the RAT's persistence: Cunt.exe.pif writes a NetSupport.url shortcut into the per-user Startup folder, which Windows opens at every logon of that user (the shortcut's target is not captured in the report).
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetSupport.url | Cunt.exe.pif
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 38 IoCs
Only the first three entries (the two Cunt.exe.pif instances and client32.exe, the NetSupport Manager client) belong to the RAT; everything from uninstall.exe onward is the bundled Google Update/Chrome installation. PID 2756 is reused within the run (GoogleUpdateComRegisterShell64.exe, later GoogleCrashHandler.exe), so a pid alone does not identify a process across this report.
pid | Process
4136 | Cunt.exe.pif
4504 | Cunt.exe.pif
4328 | client32.exe
2484 | uninstall.exe
1916 | GoogleUpdate.exe
1552 | GoogleUpdate.exe
3816 | GoogleUpdate.exe
2756 | GoogleUpdateComRegisterShell64.exe
3380 | GoogleUpdateComRegisterShell64.exe
1008 | GoogleUpdateComRegisterShell64.exe
1388 | GoogleUpdate.exe
3120 | GoogleUpdate.exe
1580 | GoogleUpdate.exe
2584 | 131.0.6778.205_chrome_installer.exe
1708 | setup.exe
968 | setup.exe
1436 | setup.exe
4100 | setup.exe
2756 | GoogleCrashHandler.exe
2204 | GoogleCrashHandler64.exe
4792 | GoogleUpdateOnDemand.exe
4088 | GoogleUpdate.exe
4420 | GoogleUpdate.exe
1604 | chrome.exe
4552 | chrome.exe
1184 | chrome.exe
4000 | chrome.exe
3972 | chrome.exe
4608 | elevation_service.exe
3088 | chrome.exe
3200 | chrome.exe
5108 | chrome.exe
3772 | chrome.exe
1384 | chrome.exe
4296 | chrome.exe
4012 | chrome.exe
3680 | chrome.exe
5896 | chrome.exe
Loads dropped DLL 62 IoCs
pid | Process | hits
4136 | Cunt.exe.pif | 6
4328 | client32.exe | 6
1916 | GoogleUpdate.exe | 1
1552 | GoogleUpdate.exe | 1
3816 | GoogleUpdate.exe | 4
2756 | GoogleUpdateComRegisterShell64.exe | 1
3380 | GoogleUpdateComRegisterShell64.exe | 1
1008 | GoogleUpdateComRegisterShell64.exe | 1
1388 | GoogleUpdate.exe | 1
3120 | GoogleUpdate.exe | 2
1580 | GoogleUpdate.exe | 2
4088 | GoogleUpdate.exe | 1
4420 | GoogleUpdate.exe | 2
1604 | chrome.exe | 2
4552 | chrome.exe | 1
1184 | chrome.exe | 8
4000 | chrome.exe | 2
3972 | chrome.exe | 2
3088 | chrome.exe | 2
3200 | chrome.exe | 2
5108 | chrome.exe | 2
3772 | chrome.exe | 2
1384 | chrome.exe | 2
4296 | chrome.exe | 2
4012 | chrome.exe | 2
3680 | chrome.exe | 2
5896 | chrome.exe | 2
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
The only Run/RunOnce entry is wextract_cleanup0, written by the sample itself. It is the standard cleanup hook of an IExpress/WEXTRACT self-extracting package: at next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the extraction directory %TEMP%\IXP000.TMP. It tells you the outer sample is a WEXTRACT SFX that unpacked into IXP000.TMP; it is not persistence for the RAT.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments. Both reads here are by chrome.exe.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | chrome.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
Both tasklist.exe runs are children of the stager's cmd.exe, PID 824 (see "Suspicious use of WriteProcessMemory"). find.exe and findstr.exe also appear in this run (under System Language Discovery); tasklist piped into find/findstr is the usual way a batch stager checks the running process list before launching its payload. The filter string is not captured in this report.
pid | Process
1140 | tasklist.exe
1776 | tasklist.exe
Suspicious use of SetThreadContext 1 IoCs
PID 4136 (Cunt.exe.pif) sets the thread context of PID 4504, which "Executes dropped EXE" shows is a second Cunt.exe.pif instance. A process setting the thread context of a freshly created copy of its own image is the characteristic shape of process hollowing (RunPE): the child is created suspended, its memory is replaced, and the thread context is pointed at the new entry point. procid_target is the sandbox's own index of the target process, not its PID.
description | pid | Process | procid_target
PID 4136 set thread context of 4504 | 4136 | Cunt.exe.pif | 101
Drops file in Program Files directory 64 IoCs
All 64 entries are written by uninstall.exe, GoogleUpdate.exe, setup.exe, chrome.exe and 131.0.6778.205_chrome_installer.exe under Google's own directories; none is written by Cunt.exe.pif or client32.exe. This section only covers Program Files, so the NetSupport client and the DLLs client32.exe loads (see "Loads dropped DLL") are dropped elsewhere and do not appear here.
description | ioc | Process
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\goopdateres_mr.dll | uninstall.exe
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\goopdateres_no.dll | uninstall.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe | GoogleUpdate.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Locales\lv.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Locales\uk.pak | setup.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\_locales\zh_CN\messages.json | chrome.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\_locales\uk\messages.json | chrome.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\_locales\ms\messages.json | chrome.exe
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\goopdateres_bn.dll | uninstall.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_es.dll | GoogleUpdate.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\guiF596.tmp | GoogleUpdate.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Extensions\external_extensions.json | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Locales\hr.pak | setup.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\service_worker_bin_prod.js | chrome.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_id.dll | GoogleUpdate.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_ja.dll | GoogleUpdate.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Locales\fil.pak | setup.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | setup.exe
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\GoogleUpdateCore.exe | uninstall.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Locales\fr.pak | setup.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\offscreendocument_main.js | chrome.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\_locales\de\messages.json | chrome.exe
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\goopdateres_ca.dll | uninstall.exe
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\goopdateres_it.dll | uninstall.exe
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\goopdateres_zh-CN.dll | uninstall.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Locales\et.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\v8_context_snapshot.bin | setup.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\_locales\ca\messages.json | chrome.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\_locales\gl\messages.json | chrome.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\dasherSettingSchema.json | chrome.exe
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\goopdateres_ro.dll | uninstall.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\_locales\th\messages.json | chrome.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\_locales\kk\messages.json | chrome.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Locales\sr.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Locales\vi.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\VisualElements\SmallLogoBeta.png | setup.exe
File created | C:\Program Files\chrome_url_fetcher_1604_832349795\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx | chrome.exe
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\goopdateres_en-GB.dll | uninstall.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_ru.dll | GoogleUpdate.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Locales\fi.pak | setup.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_fi.dll | GoogleUpdate.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_it.dll | GoogleUpdate.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_zh-TW.dll | GoogleUpdate.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\chrome.dll.sig | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\default_apps\external_extensions.json | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Locales\pt-PT.pak | setup.exe
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\goopdateres_da.dll | uninstall.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_bn.dll | GoogleUpdate.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_te.dll | GoogleUpdate.exe
File created | C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\CR_7B080.tmp\CHROME.PACKED.7Z | 131.0.6778.205_chrome_installer.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\notification_helper.exe | setup.exe
File created | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | setup.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\_locales\fr\messages.json | chrome.exe
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\goopdateres_pt-BR.dll | uninstall.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_en-GB.dll | GoogleUpdate.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_pt-BR.dll | GoogleUpdate.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\_locales\it\messages.json | chrome.exe
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\goopdateres_es-419.dll | uninstall.exe
File created | C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\goopdateres_fil.dll | uninstall.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.132\goopdateres_hr.dll | GoogleUpdate.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Locales\pl.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\Locales\zh-TW.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source1708_1749111367\Chrome-bin\131.0.6778.205\WidevineCdm\manifest.json | setup.exe
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1604_1011717045\_locales\sr\messages.json | chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Nearly every process in the run, including cmd.exe, PING.EXE, find.exe and tasklist.exe, opens this key; that is normal NLS initialisation in any Windows process, so this signature carries no signal on its own.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdateOnDemand.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uninstall.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cunt.exe.pif
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cunt.exe.pif
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleCrashHandler.exe
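The registry and file IoCs in the sections above (the Active Setup StubPath, the IFEO value, the Geo\Nation reads, the Startup .url, the wextract_cleanup0 RunOnce entry and the NLS\Language opens) all share one flattened "<action> <target> <process>" layout. The script below is an added example, not part of this report or of the sandbox's tooling: it parses that layout, classifies each entry, and downgrades hits written by the bundled Google installer chain (attributed by image name only, which is an assumption; a real pipeline would check the signer) so that the single RAT persistence entry surfaces first. The sample lines are copied from this report.

```python
"""Triage of flattened sandbox IoC lines ('<action> <target> [= "<data>"] <process>').

Added example; not part of the sandbox report or its tooling.  SAMPLE_LINES
are copied from this report.  INSTALLER_CHAIN is an assumption: attribution
by image name only, with no signature check.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ACTIONS = (
    "Set value (str)", "Set value (int)", "Key value queried", "Key created",
    "Key deleted", "Key opened", "File opened for modification", "File created",
)

# Image names of the bundled Google Update / Chrome installer chain in this run.
INSTALLER_CHAIN = {"setup.exe", "chrome.exe", "GoogleUpdate.exe", "uninstall.exe",
                   "GoogleUpdateOnDemand.exe", "GoogleCrashHandler.exe"}

# (regex over the registry/file path, category, base severity); first match wins.
RULES = [
    (r"\\Active Setup\\Installed Components\\\{[^\\]+\}\\StubPath$", "active-setup-stubpath", "high"),
    (r"\\CurrentVersion\\RunOnce\\", "runonce", "high"),
    (r"\\CurrentVersion\\Run\\", "run-key", "high"),
    (r"\\Start Menu\\Programs\\Startup\\", "startup-folder", "high"),
    (r"\\Image File Execution Options\\[^\\]+\\Debugger$", "ifeo-debugger", "high"),
    (r"\\Image File Execution Options\\", "ifeo-other", "low"),
    (r"\\Control Panel\\International\\Geo\\Nation$", "geo-nation", "low"),
    (r"\\Control\\NLS\\Language$", "nls-language", "noise"),  # every process opens this
]

@dataclass
class Finding:
    category: str
    severity: str
    process: str
    target: str
    data: Optional[str] = None
    notes: List[str] = field(default_factory=list)

def _unescape(s):
    """REG_SZ data is printed as a C-style literal: drop outer quotes, resolve escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)

def _first_token(cmdline):
    """Executable of a command line: the quoted path, else the first word."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]

def parse_ioc(line):
    """Split one IoC line into (action, target, data, process); process is the last token."""
    line = line.strip()
    action = next((a for a in ACTIONS if line.startswith(a + " ")), None)
    if action is None:
        raise ValueError(f"unrecognised action in: {line!r}")
    body, _, process = line[len(action):].strip().rpartition(" ")
    target, data = body, None
    if action.startswith("Set value"):
        target, _, raw = body.partition(" = ")
        data = _unescape(raw)
    return action, target.rstrip("\\"), data, process

def triage(lines):
    findings = []
    for line in lines:
        action, target, data, process = parse_ioc(line)
        for pattern, category, severity in RULES:
            if not re.search(pattern, target, re.IGNORECASE):
                continue
            f = Finding(category, severity, process, target, data)
            if category == "active-setup-stubpath" and data:
                f.notes.append("runs at next logon: " + _first_token(data))
            if category == "runonce" and data and "advpack.dll,DelNodeRunDLL32" in data:
                # wextract_cleanup: an IExpress/WEXTRACT self-extractor deleting its temp dir.
                f.severity = "low"
                f.notes.append("SFX cleanup entry, not persistence")
            if f.severity == "high" and process in INSTALLER_CHAIN:
                f.severity = "review"
                f.notes.append("written by bundled installer chain (image name only)")
            findings.append(f)
            break
    return findings

def summarize(findings):
    """Severity -> count, so the 'high' bucket can be read off first."""
    out = {}
    for f in findings:
        out[f.severity] = out.get(f.severity, 0) + 1
    return out

# Copied from this report, one entry per string.
SAMPLE_LINES = [
    r'Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} setup.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\131.0.6778.205\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable" setup.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0" GoogleUpdate.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation chrome.exe',
    r'File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetSupport.url Cunt.exe.pif',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cunt.exe.pif',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe',
]

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LINES), key=lambda f: f.severity):
        print(f"{f.severity:6} {f.category:22} {f.process:14} {'; '.join(f.notes)}")
```

On this report's lines the only "high" result is Cunt.exe.pif touching Startup\NetSupport.url; the StubPath lands in "review" with the chrmstp.exe path extracted so the analyst can confirm it is Chrome's, and the RunOnce entry is recognised by its DelNodeRunDLL32 payload as SFX cleanup. The nls-language rule is kept as "noise" deliberately: dropping it would hide that every process, RAT or not, produces that hit.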
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems. The two PING.EXE instances are spawned from the stager's cmd.exe processes (824 and 4556, per "Suspicious use of WriteProcessMemory"), a pattern batch stagers use both as a connectivity check and as a crude sleep; the GoogleUpdate.exe hits are the updater's own network checks.
pid | Process
4088 | GoogleUpdate.exe
4556 | cmd.exe
3844 | PING.EXE
2996 | PING.EXE
1388 | GoogleUpdate.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS 2 IoCs
S-1-5-19 is the LOCAL SERVICE account's hive.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133792938376435643" | chrome.exe
Modifies registry class 64 IoCs
All 64 entries are COM class, interface and ProgID registrations (and removal of stale ones) under Google Update's and Chrome's own CLSIDs, written by GoogleUpdate.exe, GoogleUpdateComRegisterShell64.exe and setup.exe. No RAT process writes to HKCR in this run, which is consistent with the COM Hijacking signature above firing without any IoCs.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.132\\psmachine_64.dll" | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods\ = "4" | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ = "ICoCreateAsync" | GoogleUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32 | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32 | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID\ = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}" | GoogleUpdate.exe
Key created | \REGISTRY\MACHINE\Software\Classes\ChromeHTML\DefaultIcon | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A50E9E56-BA18-4FCD-8DDF-B91F12D0B6B9} | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ = "IProcessLauncher2" | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ = "Google Update Process Launcher Class" | GoogleUpdate.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}\ = "PSFactoryBuffer" | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ = "IAppCommandWeb" | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}" | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57} | GoogleUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\PROGID | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.132\\GoogleUpdateOnDemand.exe\"" | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32\ = "{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}" | GoogleUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A50E9E56-BA18-4FCD-8DDF-B91F12D0B6B9}\InprocHandler32 | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503} | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync\CurVer\ = "GoogleUpdate.CoCreateAsync.1.0" | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32\ = "{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}" | GoogleUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LOCALSERVER32 | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27634814-8E41-4C35-8577-980134A96544}\ProxyStubClsid32\ = "{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}" | GoogleUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2} | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A50E9E56-BA18-4FCD-8DDF-B91F12D0B6B9}\InprocHandler32 | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B} | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\ = "{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}" | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ = "IJobObserver" | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F} | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusSvc\CurVer\ = "GoogleUpdate.PolicyStatusSvc.1.0" | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ = "IPolicyStatus3" | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ = "IApp" | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32 | GoogleUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410} | GoogleUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32 | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback.1.0\ = "GoogleUpdate Update3Web" | GoogleUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32 | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ = "Google Update Legacy On Demand" | GoogleUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ELEVATION | GoogleUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\GOOGLEUPDATE.EXE | GoogleUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32 | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32\ = "{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}" | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods\ = "9" | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\Version = "1.0" | setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32 | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32\ = "{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}" | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ = "GoogleUpdate CredentialDialog" | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID\ = "GoogleUpdate.OnDemandCOMClassSvc.1.0" | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusSvc\CLSID\ = "{1C4CDEFF-756A-4804-9E77-3E8EB9361016}" | GoogleUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ = "IAppBundleWeb" | GoogleUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\NumMethods | GoogleUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32 | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ = "ICoCreateAsync" | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods\ = "17" | GoogleUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32\ = "{A6B5068B-8F3E-4850-B5C8-B004AFE2B38B}" | GoogleUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32 | GoogleUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221} | GoogleUpdate.exe
Runs ping.exe 1 TTPs 2 IoCs
pid | Process
3844 | PING.EXE
2996 | PING.EXE
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process | hits
4136 | Cunt.exe.pif | 6
1916 | GoogleUpdate.exe | 10
3120 | GoogleUpdate.exe | 2
4088 | GoogleUpdate.exe | 2
1604 | chrome.exe | 2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
All six hits are chrome.exe (1604) creating its child processes with the block-non-Microsoft-binaries process mitigation policy, which Chrome applies to its own sandboxed children; this is browser behaviour, not the RAT's.
pid | Process | hits
1604 | chrome.exe | 6
Suspicious use of AdjustPrivilegeToken 64 IoCs
"Token: 33" is the raw LUID the sandbox prints for SeIncreaseWorkingSetPrivilege. Of the RAT-side processes only client32.exe (SeSecurityPrivilege) and the two tasklist.exe runs (SeDebugPrivilege, which tasklist enables routinely) adjust privileges; the rest is the Google installer chain and chrome.exe (1604) toggling SeShutdownPrivilege and SeCreatePagefilePrivilege alternately, 49 times.
description | pid | Process | hits
Token: SeDebugPrivilege | 1140 | tasklist.exe | 1
Token: SeDebugPrivilege | 1776 | tasklist.exe | 1
Token: SeSecurityPrivilege | 4328 | client32.exe | 1
Token: SeDebugPrivilege | 1916 | GoogleUpdate.exe | 4
Token: 33 | 2584 | 131.0.6778.205_chrome_installer.exe | 1
Token: SeIncBasePriorityPrivilege | 2584 | 131.0.6778.205_chrome_installer.exe | 1
Token: SeDebugPrivilege | 3120 | GoogleUpdate.exe | 1
Token: 33 | 2756 | GoogleCrashHandler.exe | 1
Token: SeIncBasePriorityPrivilege | 2756 | GoogleCrashHandler.exe | 1
Token: 33 | 2204 | GoogleCrashHandler64.exe | 1
Token: SeIncBasePriorityPrivilege | 2204 | GoogleCrashHandler64.exe | 1
Token: SeDebugPrivilege | 4088 | GoogleUpdate.exe | 1
Token: SeShutdownPrivilege | 1604 | chrome.exe | 25
Token: SeCreatePagefilePrivilege | 1604 | chrome.exe | 24
Suspicious use of FindShellTrayWindow 30 IoCs
pid | Process | hits
4136 | Cunt.exe.pif | 3
4328 | client32.exe | 1
1604 | chrome.exe | 26
Suspicious use of SendNotifyMessage 27 IoCs
pid | Process
4136 | Cunt.exe.pif
4136 | Cunt.exe.pif
4136 | Cunt.exe.pif
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
1604 | chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2760 wrote to memory of 1716 | 2760 | JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe | 82
PID 2760 wrote to memory of 1716 | 2760 | JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe | 82
PID 2760 wrote to memory of 1716 | 2760 | JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe | 82
PID 2760 wrote to memory of 4556 | 2760 | JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe | 83
PID 2760 wrote to memory of 4556 | 2760 | JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe | 83
PID 2760 wrote to memory of 4556 | 2760 | JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe | 83
PID 4556 wrote to memory of 824 | 4556 | cmd.exe | 85
PID 4556 wrote to memory of 824 | 4556 | cmd.exe | 85
PID 4556 wrote to memory of 824 | 4556 | cmd.exe | 85
PID 824 wrote to memory of 1140 | 824 | cmd.exe | 86
PID 824 wrote to memory of 1140 | 824 | cmd.exe | 86
PID 824 wrote to memory of 1140 | 824 | cmd.exe | 86
PID 824 wrote to memory of 3400 | 824 | cmd.exe | 87
PID 824 wrote to memory of 3400 | 824 | cmd.exe | 87
PID 824 wrote to memory of 3400 | 824 | cmd.exe | 87
PID 824 wrote to memory of 1776 | 824 | cmd.exe | 89
PID 824 wrote to memory of 1776 | 824 | cmd.exe | 89
PID 824 wrote to memory of 1776 | 824 | cmd.exe | 89
PID 824 wrote to memory of 1892 | 824 | cmd.exe | 90
PID 824 wrote to memory of 1892 | 824 | cmd.exe | 90
PID 824 wrote to memory of 1892 | 824 | cmd.exe | 90
PID 824 wrote to memory of 4188 | 824 | cmd.exe | 91
PID 824 wrote to memory of 4188 | 824 | cmd.exe | 91
PID 824 wrote to memory of 4188 | 824 | cmd.exe | 91
PID 824 wrote to memory of 4136 | 824 | cmd.exe | 92
PID 824 wrote to memory of 4136 | 824 | cmd.exe | 92
PID 824 wrote to memory of 4136 | 824 | cmd.exe | 92
PID 824 wrote to memory of 3844 | 824 | cmd.exe | 93
PID 824 wrote to memory of 3844 | 824 | cmd.exe | 93
PID 824 wrote to memory of 3844 | 824 | cmd.exe | 93
PID 4556 wrote to memory of 2996 | 4556 | cmd.exe | 97
PID 4556 wrote to memory of 2996 | 4556 | cmd.exe | 97
PID 4556 wrote to memory of 2996 | 4556 | cmd.exe | 97
PID 4136 wrote to memory of 4504 | 4136 | Cunt.exe.pif | 101
PID 4136 wrote to memory of 4504 | 4136 | Cunt.exe.pif | 101
PID 4136 wrote to memory of 4504 | 4136 | Cunt.exe.pif | 101
PID 4136 wrote to memory of 4504 | 4136 | Cunt.exe.pif | 101
PID 4136 wrote to memory of 4504 | 4136 | Cunt.exe.pif | 101
PID 4504 wrote to memory of 4328 | 4504 | Cunt.exe.pif | 104
PID 4504 wrote to memory of 4328 | 4504 | Cunt.exe.pif | 104
PID 4504 wrote to memory of 4328 | 4504 | Cunt.exe.pif | 104
PID 4504 wrote to memory of 2484 | 4504 | Cunt.exe.pif | 105
PID 4504 wrote to memory of 2484 | 4504 | Cunt.exe.pif | 105
PID 4504 wrote to memory of 2484 | 4504 | Cunt.exe.pif | 105
PID 2484 wrote to memory of 1916 | 2484 | uninstall.exe | 106
PID 2484 wrote to memory of 1916 | 2484 | uninstall.exe | 106
PID 2484 wrote to memory of 1916 | 2484 | uninstall.exe | 106
PID 1916 wrote to memory of 1552 | 1916 | GoogleUpdate.exe | 107
PID 1916 wrote to memory of 1552 | 1916 | GoogleUpdate.exe | 107
PID 1916 wrote to memory of 1552 | 1916 | GoogleUpdate.exe | 107
PID 1916 wrote to memory of 3816 | 1916 | GoogleUpdate.exe | 108
PID 1916 wrote to memory of 3816 | 1916 | GoogleUpdate.exe | 108
PID 1916 wrote to memory of 3816 | 1916 | GoogleUpdate.exe | 108
PID 3816 wrote to memory of 2756 | 3816 | GoogleUpdate.exe | 109
PID 3816 wrote to memory of 2756 | 3816 | GoogleUpdate.exe | 109
PID 3816 wrote to memory of 3380 | 3816 | GoogleUpdate.exe | 110
PID 3816 wrote to memory of 3380 | 3816 | GoogleUpdate.exe | 110
PID 3816 wrote to memory of 1008 | 3816 | GoogleUpdate.exe | 111
PID 3816 wrote to memory of 1008 | 3816 | GoogleUpdate.exe | 111
PID 1916 wrote to memory of 1388 | 1916 | GoogleUpdate.exe | 112
PID 1916 wrote to memory of 1388 | 1916 | GoogleUpdate.exe | 112
PID 1916 wrote to memory of 1388 | 1916 | GoogleUpdate.exe | 112
PID 1916 wrote to memory of 3120 | 1916 | GoogleUpdate.exe | 113
PID 1916 wrote to memory of 3120 | 1916 | GoogleUpdate.exe | 113
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
  C:\Windows\SysWOW64\dllhost.exe
    Command line: dllhost vfrfgh ningggfdee
    PID:1716
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c cmd < Fox.wks & ping -n 5 localhost
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4556
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:824
      C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist /FI "imagename eq AvastUI.exe"
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID:1140
      C:\Windows\SysWOW64\find.exe
        Command line: find /I /N "avastui.exe"
        - System Location Discovery: System Language Discovery
        PID:3400
      C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist /FI "imagename eq AVGUI.exe"
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID:1776
      C:\Windows\SysWOW64\find.exe
        Command line: find /I /N "avgui.exe"
        - System Location Discovery: System Language Discovery
        PID:1892
      C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^xogwVTG$" Karma.wks
        - System Location Discovery: System Language Discovery
        PID:4188
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif
        Command line: Cunt.exe.pif t
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID:4136
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif
          - Drops startup file
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:4504
          C:\Users\Admin\AppData\Roaming\NetSupport_v_2.31565\client32.exe
            Command line: "C:\Users\Admin\AppData\Roaming\NetSupport_v_2.31565\client32.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            PID:4328
          C:\Users\Admin\AppData\Roaming\NetSupport_v_2.31565\uninstall.exe
            Command line: "C:\Users\Admin\AppData\Roaming\NetSupport_v_2.31565\uninstall.exe"
            - Executes dropped EXE
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:2484
            C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\GoogleUpdate.exe
              Command line: "C:\Program Files (x86)\Google\Temp\GUMA7E3.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={1266CA4D-0917-452A-19FA-B8B51EF60ACD}&lang=ru&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
              - Event Triggered Execution: Image File Execution Options Injection
              - Checks computer location settings
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in Program Files directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID:1916
              C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
                Command line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                - Modifies registry class
                PID:1552
              C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
                Command line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                - Modifies registry class
                - Suspicious use of WriteProcessMemory
                PID:3816
                C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe
                  Command line: "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Modifies registry class
                  PID:2756
                C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe
                  Command line: "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Modifies registry class
                  PID:3380
                C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe
                  Command line: "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Modifies registry class
                  PID:1008
              C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
                Command line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping […]-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI4NzMiLz48L2FwcD48L3JlcXVlc3Q-
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                PID:1388
              C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
                Command line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={1266CA4D-0917-452A-19FA-B8B51EF60ACD}&lang=ru&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{7AB73818-2B79-4628-8B74-68C65C802E7B}"
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID:3120
      C:\Windows\SysWOW64\PING.EXE
        Command line: ping localhost -n 5
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID:3844
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 5 localhost
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID:2996
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  Command line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1580
  C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\131.0.6778.205_chrome_installer.exe
    Command line: "C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\131.0.6778.205_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\guiF596.tmp"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
    C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\CR_7B080.tmp\setup.exe
      Command line: "C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\CR_7B080.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\CR_7B080.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\guiF596.tmp"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Modifies registry class
      PID:1708
      C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\CR_7B080.tmp\setup.exe
        Command line: "C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\CR_7B080.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.205 --initial-client-data=0x268,0x26c,0x270,0x238,0x274,0x7ff642b6fd28,0x7ff642b6fd34,0x7ff642b6fd40
        - Executes dropped EXE
        PID:968
      C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\CR_7B080.tmp\setup.exe
        Command line: "C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\CR_7B080.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        - Executes dropped EXE
        PID:1436
        C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\CR_7B080.tmp\setup.exe
          Command line: "C:\Program Files (x86)\Google\Update\Install\{33A795FC-7DE1-44C0-AB6D-B4D2A11F03C8}\CR_7B080.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.205 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff642b6fd28,0x7ff642b6fd34,0x7ff642b6fd40
          - Executes dropped EXE
          PID:4100
  C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe
    Command line: "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
  C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
    Command line: "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
  C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Command line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping […]-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL2VkZ2VkbC5tZS5ndnQxLmNvbS9lZGdlZGwvcmVsZWFzZTIvY2hyb21lL2xoazQ2N2I0Y3VuZDUydnFncWpuZjJzNHE0XzEzMS4wLjY3NzguMjA1LzEzMS4wLjY3NzguMjA1X2Nocm9tZV9pbnN0YWxsZXIuZXhlIiBkb3dubG9hZGVkPSIxMTYwNTk1MDQiIHRvdGFsPSIxMTYwNTk1MDQiIGRvd25sb2FkX3RpbWVfbXM9IjEwMzY3Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3MDciIHNvdXJjZV91cmxfaW5kZXg9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI1MDEiIGRvd25sb2FkX3RpbWVfbXM9IjExNDgyIiBkb3dubG9hZGVkPSIxMTYwNTk1MDQiIHRvdGFsPSIxMTYwNTk1MDQiIGluc3RhbGxfdGltZV9tcz0iMjk3NzUiLz48L2FwcD48L3JlcXVlc3Q-
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe
  Command line: "C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe" -Embedding
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4792
  C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Command line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ondemand
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4420
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks system information in the registry
      - Drops file in Program Files directory
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID:1604
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.205 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc04c0fd08,0x7ffc04c0fd14,0x7ffc04c0fd20
        - Executes dropped EXE
        - Loads dropped DLL
        PID:4552
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1920,i,4615429890790605537,4856439606425295739,262144 --variations-seed-version --mojo-platform-channel-handle=1912 /prefetch:2
        - Executes dropped EXE
        - Loads dropped DLL
        PID:1184
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2168,i,4615429890790605537,4856439606425295739,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:3
        - Executes dropped EXE
        - Loads dropped DLL
        PID:4000
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2336,i,4615429890790605537,4856439606425295739,262144 --variations-seed-version --mojo-platform-channel-handle=2500 /prefetch:8
        - Executes dropped EXE
        - Loads dropped DLL
        PID:3972
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,4615429890790605537,4856439606425295739,262144 --variations-seed-version --mojo-platform-channel-handle=3228 /prefetch:1
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        PID:3200
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3236,i,4615429890790605537,4856439606425295739,262144 --variations-seed-version --mojo-platform-channel-handle=3372 /prefetch:1
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        PID:3088
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4168,i,4615429890790605537,4856439606425295739,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:2
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        PID:5108
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4764,i,4615429890790605537,4856439606425295739,262144 --variations-seed-version --mojo-platform-channel-handle=4788 /prefetch:1
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        PID:3772
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5012,i,4615429890790605537,4856439606425295739,262144 --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:1
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        PID:1384
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5560,i,4615429890790605537,4856439606425295739,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:8
        - Executes dropped EXE
        - Loads dropped DLL
        PID:4296
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5572,i,4615429890790605537,4856439606425295739,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:8
        - Executes dropped EXE
        - Loads dropped DLL
        PID:4012
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5592,i,4615429890790605537,4856439606425295739,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:8
        - Executes dropped EXE
        - Loads dropped DLL
        PID:3680
      C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=6044,i,4615429890790605537,4856439606425295739,262144 --variations-seed-version --mojo-platform-channel-handle=6068 /prefetch:2
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        PID:5896
C:\Program Files\Google\Chrome\Application\131.0.6778.205\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\131.0.6778.205\elevation_service.exe"
  - Executes dropped EXE
  PID:4608
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID:3868
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Process Discovery (1)
- Query Registry (4)
- Remote System Discovery (1)
- System Information Discovery (4)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
Downloads
-
Filesize
299KB
MD5b6b844cba41f7c190a001941a9a34e9a
SHA19496eba9714f323c7e17b61ea536acc6bbbe05ff
SHA25603e91a5144ab49e6a39df0d920987e718fd36f8d5ca34e243506025e8da1db78
SHA5124a4a6452234f56221743e0a2ac5efe2f546201b1ca3e97fe5bf3b82ef179918f0b0479845225ac4f459c349ac71894295a6bc0efa1e57da3d9c9267d265e725e
-
Filesize
396KB
MD571e73162f75ef1c1094f8e8ac5e9bed3
SHA1083bccb889e8a01cabe52941dfeb8bf51e560c70
SHA2562ae4d76b2037bf4ea615e92c7064272c93fc6a5cd649a95502234f6f32b9b151
SHA5126e05aa298723a52d27f3897c8332d6c3e3c4651fe0a1cbd55e6034810556162f0c3d07056f276577925de647a5ba847846d203c3b230f9fcfd012b03e15ba295
-
Filesize
164KB
MD5e885bf92c289c674cd32f3e85ab2b922
SHA1c0a98fd8c74d031f54fda658a1c67d8886b5e076
SHA25663854e78780866d2ae56a58958a1fda017a71f54b71fe70cf5403958e961862a
SHA512618d0cb1e6b50716ad877616da547d45099d92c6d00158da0ee2a76cf08f13ee540d365f747a031f0da96b238acc7fc9c0996c8de3feb7753966a9458e5f2512
-
Filesize
187KB
MD554fdef34ec0349a9c8ee543cafa25109
SHA12b0c0ae0a7ef0ea23d5d9e0c3406cf5df969d50e
SHA256974ec719d34ac9af4d37681a8a6dfeb24f3dd136b2681be09dbc86afb6d9f616
SHA51202a381991259df41a15f2cd49e906fa926a5d979913596f8d606aa652a500ec3316d6dd7b35d836307081b1dc5344b352de92e6bd6f2f2c882764f3f976cb561
-
Filesize
222KB
MD52c6849cca1783f20415a54ff80bd6a82
SHA1555691825d70c89152ee00932412a59eb7585ff6
SHA256eae6d2053a0f4ea3af887c9244770d31cbacab69f165d4ac5fa49b619f0d6bc3
SHA512a1e66f6260dd2e63f7b2e0cee4b45e35f5d2740e6c2f129b6ba1af88cc9c12a669d76d41a59a7a067ec610b53ddfc56e8beb31659fa79734655510d182bdc075
-
Filesize
1.9MB
MD5c0afc2fd557628f98ac9b7834ce7d966
SHA17ddfcc41f315d807d36dfef3b0217614aadb0151
SHA256b31ed15eeb3e535d1318a566000adc069b793fd0f19ba9ae18342f7656121596
SHA512b3a68dc8a2707d247f6224936c629bf162b72a29e50f48d763d151d0aa83d2b95e0e9a6110005f98e40e819fb41535f4c4e90a6ba95c94b4404b7e7eb1f4d4ba
-
Filesize
48KB
MD53d047b2327fdc1490d35de702cabfd87
SHA17e95b34cdd0e778c5f8e99a719084d6058752647
SHA256dd0e5047fe6036f3fbea9d04c7563afdb31bd88e42f19879d75299c685c08dd5
SHA512bb0103fe46fa005d4b979b0304f6c4df225427d4d5ead92c3ed6deb36feae26429664a2a6d4ac046db9ff3387dade1f9ef757f3e26b9a392663f99e920ff1837
-
Filesize
47KB
MD57129735aa717dae6a2dab0574e31ceff
SHA17851be57ed9f76de24ec2a9264352679fcf9ff8c
SHA256f4a1a5b7749bafd84927ae0a281db0eee2e2a1ce9cd77ca08165f8bc587cc3b3
SHA512cadf0a4c93798139ad7a5e95b12411a927d5cc78980389aa94be7a86b6d61e6c64f807bcfe2a494a02e9ef242cc4515566c004acf8fa5d6c33685171e87a6e32
-
Filesize
50KB
MD5db8908b6627859104bfca1e777743b25
SHA1c8f25b474747183c7d453616e82c0cbee299b5f2
SHA256bb6569ad79623eed5f042982c2fe2808d8a9cd2b85b98d9bd0a0cf8999c31eba
SHA512435f779820588cb885fcbf6aefd2dda37eccd569856a144621417aa8a8ea577ef0a11d4cc708af7cb2cfafe897c75d8e247de0fad6f0ea8e87e00c11b36a1519
-
Filesize
50KB
MD5949aae7ecde2e0d1ec1e78e925dd86ad
SHA17836d5c2f0b22b22a2c3c03f3b88eb93577da660
SHA256adc617b5e3e647355e47006d5b9a130341323c1345fadd25ee880bba89eb95d3
SHA5122e89840a58c9109799846514474d09808e6c7c0bab3e09dfa0fcaaca74c966225e31586be3e47fbf04a1000fa5f0ded58915183b94ad2e3c11e3632dac31f510
-
Filesize
50KB
MD5a6bf27ef56da45d41cccd66490addf04
SHA1c6f29f1c0ef1f34d96a6339cb77ee6e54fae7c90
SHA25683898433d55d80a230b260af4f746621124c35d2a9814339372de47a57cf6619
SHA5125379586153249969e2edb0b95cac883cb98646264d20d7e837ee96b46b9cc6f54925e1518bde07ac3052edb8ba7bf48f9cb1dbdf6fa1d6855ea181fa32e06579
-
Filesize
49KB
MD55613fbf25517fbed703346cfcb5c9c4d
SHA10ff5e78e51217c7234c2c03047ef0431272132bf
SHA256dff5216c302bd82c514e053f0a7091b315b98229c9a7c67bd37a41a9a825798e
SHA512c150adf69b458ff174594ba1e994d90f16a6d2371a69eddf56ab9f1ce3ddd3e3a46ed23301c299bb4b20b641bfb326f945cab55c54c758f851c98c957626675f
-
Filesize
49KB
MD5de1a987c14f42ff6635643465fa2c60b
SHA1efc5b757c1076991bb8c3fa9b5eba30146a94c37
SHA256c768ff1ccfece2edfd19ca3c90f67a32e061cc153987d3865cc1146587b1cb26
SHA512bbd258b319786752d8ad4cc285f211f2ad269e8282c9442dcdd658d16cf0f60905d921ccd10c568705974195ac45f0a1e8fc23d9f52b73a6b5e9404ce205d7a5
-
Filesize
51KB
MD535e401fe16fcb9c81aff7bf56becac57
SHA1b23eb49d5dc11265b86d74c7eb93b76d5de23fc7
SHA2565267fbbfb123d5603cbbb60f2d00a0d446dd5885a1e5f032887a49a8a3da08f1
SHA5127f84d08778a83f32cad5b297ea559cc05cb6b52ae0e72c660e9d0ac8bdf903b797333953f8fc9aff63f997ba35bbb2012b2551e83b85ce985eb3503e30ba54bb
-
Filesize
51KB
MD59dddfb7ca127c2d1e61a6ca4961e9c0a
SHA1ab0255abc59d74e02fd6fde7f5f0893fa8e7045e
SHA256be8800221c1ffa7c0a28bbd2042bdd14bfcb8536f8ffab569b07a8c80f8252bb
SHA512
981cf8ead9ea81bdbf70d2556d1843ebb49a5f3b2278d680b264b5f0b83cc50caa351325e4ab62af758e6a8ca41474d4f54355df84c796ca1dd3c6cd689067cc
-
Filesize
48KB
MD5
cebb69519acdc7dd799eed5c196c6c82
SHA1
cbb2d6717df5a48526968e7e269d4825cbda3257
SHA256
8ac7bc668a8e1c317e9f84796b4df2f804d6ad47a60f8759f54990bf243e6981
SHA512
e57f9a568d32e7fad73a7ad43bbcf1afb44361e894f1b336c0251ad21c4de09f6c1d61ef3b09334dab664c32b47f8a5c921053cbcb72ee4f3281f747c2a139ea
-
Filesize
49KB
MD5
2d042e395936029bce585828ebfdbb7f
SHA1
f329cd1fd339a3bae7aa296c7c9059ed106c5146
SHA256
22b51dc5d66d1487b5371353253ec26a6cb99c5425e800d06e670b4321e52472
SHA512
f08617418537c031653f3a675cddc1a7d422301a6d639381766f8eb80efc1be92ec3c35f0e5e12aadb6fa7daa4bd854004253ac8bf2960d0a32a68c7e59bfda9
-
Filesize
50KB
MD5
154e315c8210c0b4a0c33a03c1f2c0f7
SHA1
c432d540d85bc8995bbc80f2ae748e22abe8ddcc
SHA256
d6ef58c4f99d160dcb0690e17fc53c4cbba9584995b5c787efd7d5a03f461856
SHA512
47e84f07baddeb1ef91f84f9ff0c02872b749dfcfe293fb994edc35cdf74d44235c1c75cc31e1c638ed9d9b251abf41cf9f159b8ebe844708f183f15b04e19ec
-
Filesize
51KB
MD5
452eef818bfc9cfb0b25c8fcbfc87aab
SHA1
7a6bda3d78588b8bf979fa231fcf3ddf21c972ee
SHA256
113def0d64b16936e317fe1cd64d8e76c6b0d3aa2dcf510c69205b733d6edba5
SHA512
8115b59eee3acfd80ce51546af65dfb150f6ce355b0aa09c93a48774e6d97e3f6c69e34e06ccd829a60095f11681b24a8ad0bd14062f50cdda85b0540721f514
-
Filesize
49KB
MD5
3734e667b7ac97726ff4e77b30eb47ea
SHA1
13e223c19933dda3d13db6aaac23a93dd0854082
SHA256
1687cc0d1b9948221fa2d005dc6aeacbc730dd5f79073118318578eeceeb0a11
SHA512
e2d41c8c7bc9ba30df30ae2805a0189a901c1c05c423622099e6fdca10a5b26d7271715dd51389afeb3732d7a052d30a8bdec0b1cdcf84b01ce2b485c435a81a
-
Filesize
48KB
MD5
49a43c647de8381f1ec6aa7fdec9e40b
SHA1
3573dd447925707b7ab4f7dc20aa167e055d4c7d
SHA256
107940a04c9392143b9693437832b60413e496f3a4152568001e370ff5c63b6a
SHA512
c2b3c3378223d4b14dc47b9e08077cde1d631ed0a4ea1b2bdb8d056d3537b8802c2c1e7f78cf8afbf388e947a22c5e797a582fb2c3489feca491c180374fbec7
-
Filesize
49KB
MD5
0cea0902425885aa28ce33941ac5ba86
SHA1
f7075b25ed4acb54863af75f2847461840b538c0
SHA256
7b398f815cbc97a0c2182356a860f58a929beae897423fb2c918f0f6f19348b5
SHA512
2c5aff3d2a6125888158e560ae85c56c4ca2d908bcdfc3df4dbeb353c01be8606aa563044a4e19a8971e197fdb1aaa03d04e4d4bc9fa525d6cc6f012eb02c028
-
Filesize
50KB
MD5
b1c8a5d0e251ad0f88c33ac82daaee6c
SHA1
c575c763de138d96550fd7022ee8bf737c528e3e
SHA256
48e3f78b12fd65fbfa64344c86c0aaf84b3f1bbeaea4bbe71c35fc8ebef9cff2
SHA512
4ab68b42d485c3d301ffd787e320dc6efb5b41d17e58e0f8cd76a02038512785b9af7599e029839218dc41abb1d5e5f4f922364edca3d691ea4f7f1b544c433e
-
Filesize
51KB
MD5
3769c44cc293a7894c7014b2cceb8578
SHA1
d9bc63916a2d96e5c0ba2cf3e533aecc6463270c
SHA256
484b8c7997926aa611bf15665f6a3482b35d5a99d91493cc822ef90d70719ba5
SHA512
dd135d5e6f4af7e46233bf41e743ef25802a41f92f7fdd36da680f1edda0941ac53aaca276a38f3ec34f7b47f706d15f26e21c613d09b2a823a4bbd0d7ab60aa
-
Filesize
51KB
MD5
b261ca243143132113962d060983c600
SHA1
342b514ddb1566ac8d89d432b1e607536828bf85
SHA256
b3111f3e780a788bb10232408a7a13bd16304cd99d6be5b2415798827f70003a
SHA512
9491446f975f9ac27dd97f3459a9d463b62805440461c241ed27af0957ff0974325d58a61189bec60f626b8d3dc93caf3ae4e776e696bc92b4d6208bacbdbcd3
-
Filesize
49KB
MD5
1af755c765cdadb74de6f4b546588720
SHA1
8508af996cbe21b630095ff1afff0763b9030836
SHA256
bc4d28cf08cb49c6a96f11e837b862c2570b8feae40a320979fef4689292f262
SHA512
b8aaa9b789b54a07ece1e410f50e36c35943d85dda6baabb0b99ef4ce50f18db5aca61fff6ec0acc78af0f56598104f99109ae32c93bd79911c66a5d1cd8fd54
-
Filesize
50KB
MD5
e47b4a862dddc6fa892bff0fd3e6c6a0
SHA1
dea727187788b56e621fac92721f22f35616977b
SHA256
bab75e543851c62d9f7b1c71cdaecd2aadc1bb7c6769f8341db817f2616c6b68
SHA512
8dff1d00924dcd3395179a5f531ef8005b6eb3a6e577abc4204f3c41a234f8c19de76e87786934138efa996d188469bfe89c30b2a03a00979ae99275286654da
-
Filesize
50KB
MD5
36f712250df4a20e5a28ab54354608a4
SHA1
2057995d379d70b8ecd1d9b93197383f99edacae
SHA256
e7005ab9665440218bd456e0512c0c7f6bdee837724a6ff28848df22baa83ae7
SHA512
7fa014767238a0f490c56e75bfe27a64078479d490a4f95dfb3292236d3d6eba67e39564b2dcf4e44850c7222db530d846fb0503eca4e659bb57c627da6233ea
-
Filesize
49KB
MD5
9ddf346af7105078f3c5f6ca15b062d6
SHA1
890727a3efb6c1752b060b12a78811bdb05c8429
SHA256
3d125804addff9eb36b7fb9afeacdf7866fc2120b8e35f06aaf0bd5f98e8dfa5
SHA512
d82f6bc3c532a7b61839c5a038414d9c16195cd4d0ff9a69b31bcb3afdebc24f13be53cecf931957bbf1dd3d879b15ad70375096f4bc2bbfcd62e938ae730d3b
-
Filesize
49KB
MD5
5c79ef8f4467dbfcf0161c384677f2dc
SHA1
4e31e1ac60c85c01f622166682550c615c240f99
SHA256
b7ebd5f63c0268b423a37ed5606be4c5a98ac7b79c3b2c7a908e7758736ac486
SHA512
5a6015f3428c3952aaf87b16a1b6bb344f42f155304172078f05cb862f386e371140ccd14798646e69ce80d8cf432888aa0d2f69245f9f33affea16cef3c3bfa
-
Filesize
51KB
MD5
e1835371ee49dddcb6898b2a8015c1c4
SHA1
2dc11fe158cabbddaad18fe5c90a90cf02cb8468
SHA256
e7f301cb7c6deb08aaafd289d4b669cb55e5979cc7703fe28e044ca7d41c40d1
SHA512
57240774fc9dfe57ac58888de8ea80699a2e0b628c01ea371e0deba3564ad40a16a0c76dafb7cc6a1658117edd48e25cff8e2241a893c28717634e2ddf56951e
-
Filesize
47KB
MD5
2312d6b5e536f90691fd56d9552370fb
SHA1
af2485771bbec5305d4928821d1b7b0695760ec1
SHA256
cc985b473bb9984124d28b2d8f12b95b01ea82df9abcad99d45f0da8b38d7383
SHA512
217bfbdb3e601866f820bc0bc1bef6449475848be0754ac9ce15473082892aaef64e918b3bd7ccbb423aa09ad5884247a96f75e679a425f6d33d8b3747d63797
-
Filesize
49KB
MD5
1f3a5baae2ef7cc12019890a025bb2e8
SHA1
c4c788f9aa2dafb35f596edaea2f106779e996a4
SHA256
ead8fd54f91c7f0cfaf3ce972f2a90550320cb9e8bc380ba8e938d527cfbe169
SHA512
3102ed0b9913a4f9d4aa5ff1a0ba2539b64355aca6f4ea152f88ad69bf9f02105f08c82c1a065d95757ecfca6ec8ab06b14a34044907fa452d54d781624d5f42
-
Filesize
5.7MB
MD5
8d9c429e34fc2b32683951d765f39498
SHA1
21f9ac058c2532eba95bb59c6fb9628115290d12
SHA256
b4e1af45853fba90f9c771026c4c6a4a259b031db9578837f038bac4d9f742f5
SHA512
56e222d88583a0b49a8db3c587aa8fb173f94bec8845e2cc27c8b7119cedad2d5949c2867efd9745220514052fe398d211d1a87059b99015fd0ae574f7c806d1
-
Filesize
414B
MD5
597b7795ea5a746f927ff87e90eaf2e9
SHA1
3c109da32751aca784a8e7c5564be34bea01b801
SHA256
d265cad2ba74ddd1d9d3dffeed3ee4f87d5516fcd153ab6af65c4c5e5e1961fe
SHA512
596d0313db36213a6e9ec26556407a59aa407671f9c8406ef473193ff02aa6978be0514b95c962c1d6cff69722f85652ccc0f919ee2fdae7dd13c00bc9ebf7bf
-
Filesize
96B
MD5
02c1d1acd613b58b8233dd674eef75d3
SHA1
5a061ac9be74a13d81217572a3e1e5ff7dc581c5
SHA256
5317500369ad3c658574e48820e5975559ff1ad395a17c4e9c9a84d094af3e97
SHA512
ad65fe6ec6861ca1bee70d4f0ed1c2394b6f4143363d6186b7352b9fad8394dc7a5e3fedda1924f3fa01c8206e0fe452699fc05f1dbfe12d3e1d1fe62160aac7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json
Filesize
851B
MD5
07ffbe5f24ca348723ff8c6c488abfb8
SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json
Filesize
854B
MD5
4ec1df2da46182103d2ffc3b92d20ca5
SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
192KB
MD5
505a174e740b3c0e7065c45a78b5cf42
SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12
SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d
SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\45127455-d0eb-4249-a872-0fd65517b365.tmp
Filesize
2B
MD5
d751713988987e9331980363e24189ce
SHA1
97d170e1550eee4afc0af065b78cda302a97674c
SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5
c4b4ed15d5ca2b9da88f23ecb0678884
SHA1
2815e798ef31cdb4e303f02069f23ae8c0118e0f
SHA256
ca8b7d27512dfbcf4fb0fdff758dc9fd6373829d1d729b2907202bffd32a6f7a
SHA512
1fda1ff05f068740bc27677c4f0e93078a1724256c312594bc810050d73d286cda712e18b9e187484dc065b5363eea868dc9e86ff9787c30c3540a4d29c91486
-
Filesize
11KB
MD5
735e282386badbc323c860f1d9071c9c
SHA1
6882880413f4741f5cbb7e8a5d264530945b4ab1
SHA256
61e590db5cd0fc2b7b52c7225d027fa6931b3837c6a2ad8cf9c762a3ee1d9b39
SHA512
496988d3c28dce99dc9205e8f31d180c09092df39b61b4c758f7468387a2d8c6e4c97fff74babad2b7f176ccfb802bc75a9eb41fe5cfa12575201080d4ad7165
-
Filesize
15KB
MD5
363f7cd7c04303e973085d7cf77ed369
SHA1
5a8102b819cb276ec4782aac6cf0b030122ce4cb
SHA256
4f024c9ce77ab99c11b8d4c2fe66e8690bceec16dfd88295744dbb8f58fc46ea
SHA512
82df8583ff32b9e68a5cc4ea2acd8a0ed1d454ad9ce6a551510bb005e3c7eef0e0105d40d7823aec04d4284d29a7808786e20d60b07e796d8a2055f51f29521e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B
MD5
e6888485a0c7f262b07d9728d77350ea
SHA1
ff11b00891fbae01b0a666e10e0a946434fa98b0
SHA256
a6f33884ce3393ab9881476a3b396cad58dee9cb4872a4f7f46782533b3f13f4
SHA512
c5881dedfc9e90ed8e2640ee0c5431b6ec2464d313d622f749e411a692b5968b688efe8917252c8d6033861340fdf191947d3a09b1173df15d16fbe73c322d38
-
Filesize
38B
MD5
3433ccf3e03fc35b634cd0627833b0ad
SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02
SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d
SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c
-
Filesize
195KB
MD5
69b7d4ea9d888388ac8ac7c002c64e70
SHA1
f1eb183d69e4dc0fe54d3426243ef7d6d9c6a15a
SHA256
6ae95dc66c01353ac72e97fa6905958483b155d7e519160c69020a9dacc9776e
SHA512
cdfa46fd9b1cc67dc29437cacb018e5f543c75a3d5cce83384260aa875383040d3f2a6d849e65c4593946db4d8828b1b2e47a5eff9c57b34ae784f3c512c75c2
-
Filesize
195KB
MD5
04c77a2a7b6f8c211d087833f6d8bd8d
SHA1
349dc51b2425917d4fa3eb8f7c060da9a98c953e
SHA256
833cb672a057b858ac48edbe28ced9ff706be423c8bcd402a49c93a6fad8938c
SHA512
ced3ea1ed5b8a6525baca8f5590060f4ed41f5da1c32384195a381cf56561cf7cd5ed9f63657bdc747d74e8572dba45b987c1101105432b678000631534fd57f
-
Filesize
116KB
MD5
5d285aa1b9f0222b3aeb4ffcbcb4c7c6
SHA1
4661c957a6a802fa07b1de0bb12cdc7b52b4dc13
SHA256
1530a974ea358fcc445dc6d069c778339195bdc5c8c72659dfaac74546dff371
SHA512
5922a0772a90267fc6b215edfaca3d16b750b3af9d68fd8d10fd2ff09a7ed58d1c1cf8a35b32231b58c6383ed516720367ed436039718409c7a35496b2b436fa
-
Filesize
115KB
MD5
07f2df2ca1772927dc6dbddf56545f1e
SHA1
31c4c47d2eb5645ac79c498da700e47d48965bdc
SHA256
c9c780e7fa335a18ddd8fd5a6fe3abec870a666e78a63826de9333342b39aee9
SHA512
db84cf617534b45a2a56d9748ff54fcfd6b9e2305b2c134a22ff3d28c3f9e0f6ca24795eebe8bbbb16f112c4104c660983f70ebebe50476f3293fdc18ae6a5f7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
Filesize
150KB
MD5
14937b985303ecce4196154a24fc369a
SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730
SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c
-
Filesize
924KB
MD5
6987e4cd3f256462f422326a7ef115b9
SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0
SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4
-
Filesize
10KB
MD5
c39714e32d3c98a8a2afd420d527095d
SHA1
5b924df4bb3614a9f1358b8ed0e818277acaccea
SHA256
f2f514c76e7c8411d37ea79c7be6d0dd4024a9ac83e3a5d59acb6480b2a13573
SHA512
df0f89acb6535c144308ff78322416441d2f3f8b83840f4edce3348481ee94402e9b4cb0d7753c0b46db1c0a7f4305539860a2d75c6a54bacb70d53baa2c4b7f
-
Filesize
7.6MB
MD5
6d942fa1ae7ab3c902b73b8ff6358b09
SHA1
c88abd3912d28ad2bf389f79e7958f214316c9a2
SHA256
e194a2403a27f5cb5fa4ccced81512be3f9116064e2253e0af9b1506cc2090de
SHA512
f4450511a30df618e7004dca4d6c08679f186153fe27107715c2700bf473bceebc12ff249fe030e13f7e3dd544d760bd34f22003c071db4a928d84a5ab63290c
-
Filesize
924KB
MD5
c48ecf8c0b6236b0927ba0f0e3636176
SHA1
d9dd633ff4cc6c9502ff2e3455b9aba8e0420b91
SHA256
d1d6b505460c22b9851a34ecc77c1503b04a901400348921989d71688288eb61
SHA512
c8917b1cc3a123c4f32120e0b1f16a3448f52054324f6df2983f0fecd07bda13f9f05285e21f44499da5feb1c889c7d7709cb5f2232dd49988a4d9c8b91bb003
-
Filesize
1.6MB
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1
e16506f662dc92023bf82def1d621497c8ab5890
SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
Filesize
711B
MD5
558659936250e03cc14b60ebf648aa09
SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
320KB
MD5
c94005d2dcd2a54e40510344e0bb9435
SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542
SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a
-
Filesize
755KB
MD5
0e37fbfa79d349d672456923ec5fbbe3
SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
258B
MD5
1b41e64c60ca9dfadeb063cd822ab089
SHA1
abfcd51bb120a7eae5bbd9a99624e4abe0c9139d
SHA256
f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d
SHA512
c97e0eabea62302a4cfef974ac309f3498505dd055ba74133ee2462e215b3ebc5c647e11bcbac1246b9f750b5d09240ca08a6b617a7007f2fa955f6b6dd7fee4
-
Filesize
18KB
MD5
104b30fef04433a2d2fd1d5f99f179fe
SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f
-
Filesize
3.6MB
MD5
d3d39180e85700f72aaae25e40c125ff
SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f
-
Filesize
103KB
MD5
c60ac6a6e6e582ab0ecb1fdbd607705b
SHA1
ba9de479beb82fd97bbdfbc04ef22e08224724ba
SHA256
4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87
SHA512
f91b964f8b9a0e7445fc260b8c75c831e7ce462701a64a39989304468c9c5ab5d1e8bfe376940484f824b399aef903bf51c679fcf45208426fff7e4e518482ca
-
Filesize
908B
MD5
af1bcdefeb28dd295d446add0d6d29a2
SHA1
e2996a941e9a02613d60f277891ea04a62c610f6
SHA256
ebbe579bff0988b23f05bf3518c3cf8dca296ab7088b695bd486e90580c9f5fa
SHA512
06d7f5c4f911475722f07005ba0b51510ec25687c0a2b2a54dd6c24e661c649313e35cd29f0ba219dffd81e9ac7c958f6067dba4bb3210657a4097682f2bcfe7
-
Filesize
32KB
MD5
34dfb87e4200d852d1fb45dc48f93cfc
SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2
-
Filesize
1.3MB
MD5
4e1e03e33a0ff86e7ffa9e36adfaad83
SHA1
ed7f595df8910b3cb3b377acb8afdbc55ecb6651
SHA256
1308e32b6dea50fa265ed488f3a247b95b97ccff3b519c549a416c88af4c5363
SHA512
7f062bba2829febe9134c2c3c07d900e88be95562ecce98e5b03f14b81f23394daf0f8fe4290aee27445ea6f1dc3e4850d59d01cc7778f192e1dfbd56963075a
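Turning a dropped-files table like the one above into IOC records is routine triage work, so here is an added Python example for it. It is not part of the sandbox report: the function names and the table of tiny known payloads are this example's own assumptions, and the three embedded records are copied from the listing above in the raw form extraction produced (label fused onto value, lone "-" between records, path present for only some entries); the parser accepts both that form and a label on its own line followed by its value. Beyond splitting fields, it checks that every digest is present with the right length, compares the 64-hex suffix of the extensions_crx_cache filename with that file's recorded SHA-256, and tests whether a tiny file's digests are those of a short known payload, which is how the two-byte Network *.tmp entry can be identified without the file itself.

```python
"""Parse a sandbox "dropped files" listing into validated hash records.
Added example, not part of the sandbox report; function names and the
tiny-payload table are this example's assumptions."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Three records copied from the listing above in the raw form extraction produced.
RAW_LISTING = r"""
Filesize
48KB
MD5cebb69519acdc7dd799eed5c196c6c82
SHA1cbb2d6717df5a48526968e7e269d4825cbda3257
SHA2568ac7bc668a8e1c317e9f84796b4df2f804d6ad47a60f8759f54990bf243e6981
SHA512e57f9a568d32e7fad73a7ad43bbcf1afb44361e894f1b336c0251ad21c4de09f6c1d61ef3b09334dab664c32b47f8a5c921053cbcb72ee4f3281f747c2a139ea
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\45127455-d0eb-4249-a872-0fd65517b365.tmp
Filesize2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
Filesize150KB
MD514937b985303ecce4196154a24fc369a
SHA1ecfe89e11a8d08ce0c8745ff5735d5edad683730
SHA25671006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
SHA5121d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
# Longer labels first, so "SHA512..." is never read as "SHA1" followed by "512...".
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA512|SHA256|SHA1)(.*)$")
# Assumed table of tiny payloads; hashed at runtime, so a hit is a real content match.
KNOWN_SMALL_CONTENT = {b"": "empty file", b"[]": "empty JSON array", b"{}": "empty JSON object"}

@dataclass
class DroppedFile:
    path: Optional[str] = None
    fields: Dict[str, str] = field(default_factory=dict)  # filesize, md5, sha1, sha256, sha512

    @property
    def size_bytes(self) -> Optional[int]:
        m = re.fullmatch(r"([\d.]+)([KM]?B)", self.fields.get("filesize", ""))
        return int(float(m.group(1)) * UNIT[m.group(2)]) if m else None

def parse_listing(text: str) -> List[DroppedFile]:
    """Accepts both the fused "MD5<hex>" form and a label on its own line before its value."""
    records, cur, pending = [], DroppedFile(), None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = LABEL_RE.match(line)
        if line == "-":                          # record separator
            records.append(cur)
            cur, pending = DroppedFile(), None
        elif pending:                            # value for the label on the previous line
            cur.fields[pending] = line
            pending = None
        elif not m:
            cur.path = line                      # the only unlabeled line is the path
        elif m.group(2):
            cur.fields[m.group(1).lower()] = m.group(2)
        else:
            pending = m.group(1).lower()
    return records + [cur] if cur.fields else records

def embedded_sha256(rec: DroppedFile) -> Optional[str]:
    """64-hex suffix of the filename, as on the extensions_crx_cache entry above."""
    m = re.search(r"\.([0-9a-f]{64})$", rec.path or "")
    return m.group(1) if m else None

def validate(rec: DroppedFile) -> List[str]:
    """Every digest present, right length and hex; a filename digest must agree."""
    problems = []
    for algo, n in HASH_LEN.items():
        v = rec.fields.get(algo)
        if v is None:
            problems.append(f"missing {algo}")
        elif len(v) != n or not re.fullmatch(r"[0-9a-f]+", v):
            problems.append(f"{algo} is not {n} hex chars")
    emb = embedded_sha256(rec)
    if emb and emb != rec.fields.get("sha256"):
        problems.append("sha256 in filename differs from recorded sha256")
    return problems

def identify_known_content(rec: DroppedFile) -> Optional[str]:
    """Name a tiny file's content when md5, sha1 and sha256 all match one payload."""
    for payload, name in KNOWN_SMALL_CONTENT.items():
        if rec.size_bytes is not None and rec.size_bytes != len(payload):
            continue
        if all(hashlib.new(a, payload).hexdigest() == rec.fields.get(a)
               for a in ("md5", "sha1", "sha256")):
            return name
    return None

if __name__ == "__main__":
    for r in parse_listing(RAW_LISTING):
        print(r.path, r.fields.get("filesize"), identify_known_content(r), validate(r))
```

The known-content match is gated on size and on all three digests agreeing, so no single digest can mislabel a file; the sizes in the report are rounded ("48KB"), which is why size_bytes is used only as a gate and the digests decide. Records without a path are kept with path set to None rather than guessed, since the report does not record where they landed.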