gh0strat | hxxp://156[.]238[.]253[.]131/

Analysis

max time kernel
168s
max time network
175s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-01-2025 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://156.238.253.131/

Score

10^/10

gh0strat purplefox xred backdoor discovery persistence rat rootkit trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2656-490-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2656-490-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\Control Panel\International\Geo\Nation	SB360.exe

Executes dropped EXE 4 IoCs

pid	Process
4332	SB360.exe
2656	._cache_SB360.exe
4800	Synaptics.exe
5112	v-1.0.1速速广播.exe

Loads dropped DLL 2 IoCs

pid	Process
4800	Synaptics.exe
4800	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	SB360.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	._cache_SB360.exe
File opened (read-only)	\??\O:	._cache_SB360.exe
File opened (read-only)	\??\T:	._cache_SB360.exe
File opened (read-only)	\??\Y:	._cache_SB360.exe
File opened (read-only)	\??\G:	._cache_SB360.exe
File opened (read-only)	\??\J:	._cache_SB360.exe
File opened (read-only)	\??\P:	._cache_SB360.exe
File opened (read-only)	\??\R:	._cache_SB360.exe
File opened (read-only)	\??\N:	._cache_SB360.exe
File opened (read-only)	\??\S:	._cache_SB360.exe
File opened (read-only)	\??\U:	._cache_SB360.exe
File opened (read-only)	\??\W:	._cache_SB360.exe
File opened (read-only)	\??\E:	._cache_SB360.exe
File opened (read-only)	\??\K:	._cache_SB360.exe
File opened (read-only)	\??\L:	._cache_SB360.exe
File opened (read-only)	\??\M:	._cache_SB360.exe
File opened (read-only)	\??\X:	._cache_SB360.exe
File opened (read-only)	\??\Z:	._cache_SB360.exe
File opened (read-only)	\??\B:	._cache_SB360.exe
File opened (read-only)	\??\H:	._cache_SB360.exe
File opened (read-only)	\??\Q:	._cache_SB360.exe
File opened (read-only)	\??\V:	._cache_SB360.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SB360.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_SB360.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v-1.0.1速速广播.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_SB360.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_SB360.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133818466691235336"	chrome.exe

Modifies registry class 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	SB360.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000da689881c065db019a23fa7ecd65db0142cda7e02f6bdb0114000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1568	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	chrome.exe
2964	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe
2656	._cache_SB360.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4856	chrome.exe
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2940	2964	chrome.exe	80
PID 2964 wrote to memory of 2940	2964	chrome.exe	80
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 4100	2964	chrome.exe	81
PID 2964 wrote to memory of 320	2964	chrome.exe	82
PID 2964 wrote to memory of 320	2964	chrome.exe	82
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83
PID 2964 wrote to memory of 544	2964	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://156.238.253.131/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffaa6dacc40,0x7ffaa6dacc4c,0x7ffaa6dacc58
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2344 /prefetch:8
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3060,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4592,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5188,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5248,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4988,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4328,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5268,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5056,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5220,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5596,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5940,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5392,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5436,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5876,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5744,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5556,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4028,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1076,i,1527121875697239206,16740485460993106772,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:968

C:\Users\Admin\Downloads\SB360.exe
"C:\Users\Admin\Downloads\SB360.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4332
- C:\Users\Admin\Downloads\._cache_SB360.exe
  "C:\Users\Admin\Downloads\._cache_SB360.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4800

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Users\Admin\Downloads\v-1.0.1速速广播.exe
"C:\Users\Admin\Downloads\v-1.0.1速速广播.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
f40e0d74d7821bff8b0a9eb6667c7c03

SHA1
f5733ed5b70b45429268695453318864fcfad3ac

SHA256
c73b424a3deb8bd8ca88a5ff2bb6c4265b8f982f7cf7558271f66dd0f697ad52

SHA512
b1ec285489048cd1984c2c59f6d5480856e578b01873bd7e0be7e5747e52ac3a097308a8c1a0803a796ee6a12037c77c6a09754291ef8a06764f683a4b0544ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
41KB

MD5
3bc2b6052ff1b9feff010ae9d919c002

SHA1
dd7da7b896641e71dca655640357522f8112c078

SHA256
483a3494759a05772019e091d3d8e5dc429d098c30007d430639926c3ffa16e5

SHA512
0b1632b73fd87e8e634922b730f83b7950e9a39697a46a3429f0bebb3f1ebd14c815a4651ee8f663a437d00ecbeb6ddaa47b2fcad719777edf1b1de8a7cad0f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
29b208c65c6dd3764d5df91a53f6b73e

SHA1
fcc0839701f82c3a4cab40c797eba2d3667c94b9

SHA256
cb5e1efc406fe31ab75b350c5f75adfb7b5cf8e53875e8e18a73c38b4fb3fcf7

SHA512
b8bedbe506e53624c498685f3c7523337dcba26a9f861c18446c13c0e0aec96fc9538749ce6f6f7e8a79bdb3d0506b2a78a18afadd5886bc988c8cb84bba2d42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
629c84642c12ed2323532a845095fb75

SHA1
3a9e7ddcf66674643d1e4344015f039e67963481

SHA256
8648a80f1e3040099fec07c9a6aa31801892a7504565f31ee3281c1fbe0e5daa

SHA512
b715f47dca6818f20da1ea250c1734b9562932562571f2cfc88e3d65ab406f55301fa47557731d75aa745fa706c7747ddc5fdf35241d3775d54f619e9903fd5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
4da27b84cecc3d55afe720a3a6ce7f5f

SHA1
22f015b418188c9ac7679b35eaec6b4532cbcf4d

SHA256
9fdb5a90049fb9c72ce89d00dc066032fd938efd9f121962099b5d4ff638d765

SHA512
76af8445f852598c3ad88858ca3c5936f10bf49dcbfb17228e4cf17a07c93eb482b3af19ee503f9b460ada2b21cb665295f85e6fb67ae59da9023327583c46a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
277808daf11d41a15eca478b8f4baced

SHA1
03637d7a6b7a1ca63a56ebd2fcd3d1230d10037f

SHA256
8039c92da97b883b96218f6dda54fdef9f0b0225408dbedaf75c5d3a8a8b32af

SHA512
12474dd1a025ce34accb3f267eb5d342b9a5948cdc271b0d0c91f5061b75ab1f46dfab1e26ff855eeba4830480fba660747429e4bb41d188c00e738480b5632e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
440ccaea0291d88b6889bcf6b2e2b867

SHA1
a0417b1ae643cc14b7d96e9492c6d8147e1a0d34

SHA256
15cc76bd77a21d96ccd4ebe54c89141f3503e227d30fa050e5caac5ff357de79

SHA512
ca657eda176ead854df6fbcff39daf47b5936e9b6115e6e969bf1ea0056c128afbc58f93eed335fcdce7f2555e162c34c3ffe46bc36c5d1c4ec45114bfee336e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
c367f79566918436ea1d66a8a4389776

SHA1
c1e5858bda8fc39efd44ec3ce25d0e04057d92cb

SHA256
6f85cb7ca895aeab22fb96a3b259f05301f571e8392f25400b3abb254677befc

SHA512
c3a057c15786abc970b19c9335a17d13726e81ca38685afcf15d5703dd8b968aa4b4064dead40235d6342e9df0e49593664f3dd80e9ee9810d27b7f8def12f71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
e20bce0fa2b8fa905a06bbd7d7150a9c

SHA1
321785752f9126972e06425d134898be869bba89

SHA256
18ec91ef925657416d89719480a548de1cc0b03cea090e05b91e64c773e9ead7

SHA512
657ffbc89d682609fb13615abf8fde8901a331ebc6edfa8625acd96d6f701b0ca1d821dcc9151fa392098ee93a80136377b3813b830c80f0d02421b76c938087

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
850B

MD5
0f24ff4fb0d986efd02499e9187a127e

SHA1
335bbc63c3324761df8b8b09aaf2b0807bfc61c5

SHA256
5283006d8ebe6ee6d77ebe2e67961131912c880591ef5873c203f53b7b67e7c7

SHA512
d4961bfe041a19226bc57853e440632d15f49e638e0e945bbbcd763defc1bbe9cd8d25d0df8beab8ac079914a5e19e3025625a250691f15d2edde1250232e38e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
519B

MD5
4d706fa876b45e674906ada7299ff046

SHA1
bb0aab790312a4c853a6bf3e60785345ba02f010

SHA256
fda9dff795cb565b55a028e3d420d06c03723d49ed498e092fe6f5f852f4f215

SHA512
8ca40d5648826fc795fe65e44b958bb01d4b4220ad2409a4ab6bd7a8428f75b020714889f13f636aa22971cc3076f56096ab5d6ea6cd620066d0262a96e2d6d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a3bb5d953e2d6ee795b3d181f21f53d4

SHA1
098a5b3b2b955234bcd7498cc19444acf61beba9

SHA256
d0b8a91d60bd8f466a1c0fce54facc2d46e70aaffee2144ba29df2933f21b5e5

SHA512
c334e150ab26c5b39d36de6966d20ad6cf36dd333f1b28288b0796b295908943f2a50d7439004a922c7e8cb6522664c4f03af91b69e31e2a1640a225bb6e7926

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
44b95a5b59ee663d25192e371ab79389

SHA1
a0a3a155b1f74219d594aa8aef303fa57b79fc15

SHA256
078ae9062cba0a6489c74c7656a18e5f0e3ae090381a8cdde2760e57c1a2cae1

SHA512
587d955474390f915fbbf2facc3a996ae73f224b061e4b7052f8637cf3c44c265064ca94cad5e713841a2a58acda49f66e7a25ecb368006dc4f89a6b58fe029a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
61b5f254adc96b3c54b2fbc1d0f558e8

SHA1
35d9dbbca2232dde1e3d4002e6d2838d818c3c43

SHA256
4ab523a1337844b3ec2123ddfe67de168881950f16ba04e0e69903739c270a62

SHA512
73f9ff888cda05b0715b6b8aa88bc779dc37446190d861cd2fa58fe1413f26ae5c1be75d7c10add440d9c390de217709c810662e7ff274b5c0ffdbe0d768cc02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
57ff78196a995cf4196eac2a5433c227

SHA1
4714fa36b831dc0f2c483d90bf95944cf403b1f2

SHA256
66d31e7e4d5aa77fdb50a06f2bdf0fbe80f9a4f44680781382a72068223c54da

SHA512
115b77fbbe277bd66529b62f6e33ccf6780c549ec93c1a51191204c0461dcda05ef67f38aef1420c881281535985e08bc333ee0b6bf39fa78167886e8a045615

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70d187ac4f9197ce4b168a064813caf1

SHA1
b5d4cc144067941cf49a42f81e4a130a9dea2ac4

SHA256
ea893a054052299cc26c2bd409c43efdeb56a6bcb0dadaae51f11fc80777273b

SHA512
3933600af43bd94a05a8bdd6e52b047bf485f0261ca21151833fecc102affe4f466f3fe7f9e7cfd5762fac18c9304cacd0142b8849f66c86b7919fc1b9fa6ab7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
975094aaa63432efb630779015618fa6

SHA1
d76942005a2410ab50748abd0e8a93ee8e90d72f

SHA256
22422fa7ef0224ad2f3cfc58d6953c9c2de8f940c1883720fa50771493b96b22

SHA512
6129e32f1f5eb1283968a844dd70cba1a06b61105cacfa64561d1f5c9799245e5ae14cc5f12ac0911d401a13dd6f79c9e11297a0b2170bff79a7d31fef8d9ed3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
780d7dec0af6a32f041d31ff251dd1fa

SHA1
9bfad9f69fa5c652d612e6588811cbd2f3277c05

SHA256
dc09da56a400304070f8a4e2830f94617ec3f97cf3cdc0485e4f6481bbd3f4cb

SHA512
ce3b126a7bc9d0e5196b23e82bb166b94ce30d46bbe32fae6065348b2d6d4cbe3f646b27b1e64ce7e38b1ffaf0f60cb485759268d1d421911287b2ca9a580df8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
48c049c9cd0a1eb8ab116baf4fbb6982

SHA1
d436723eecbf298b8ba255caa6afe902ac745eda

SHA256
fd596fcb35f1be8697659848ca47f6f33a668b55e4468855fb0cd34fe95ada17

SHA512
a129cfa126940c41d15f2c739ecb11c4d3d39ead36603314112963a33a1ce99619601d51d3bed36cca32582c0b231846ba82637b6c30347db7a11c0e5431b583

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
052acd73b81dbc67ad4be697ae291525

SHA1
ccf485ef1dde2789ba8145c17272f39650d9d110

SHA256
3fad0cd40b301c26252c7386a098b19a5f6db02b694ab649a6784ef115eb9fda

SHA512
0ef4327cb3cbfabccb839a6bc68bdaf180cf366fb945497139f84db26b560a3de6eac80073983f356b236cd3374a9f2fec422d68570e3b4d38d3bd05a2c89bdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
37094fdbad15fa4cd8a1a56a6a8ea6e7

SHA1
c28274bed12291aacb4ebe8333380117a97787ee

SHA256
64eccf5882039cc783cbfbb5ce05e9a651b860a388fd8ccc3845a16c3a136a3c

SHA512
354deb4d2be60a5ef5710c06efc05f69fc3ceac9f80d4ad9dcf1396547c57b4edef18b8cea566dcd4f31b3eaaf1e79c03cd24f2f80833994f369927246cea1b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e301fd425c78f596922f8c56f9e1f8ce

SHA1
c1a66e518c1df4a0ddecd14dbee90eb1fdece25d

SHA256
879a2c8e8c9ed4d6fb6f707c8dc7eac032a2bded6ed0cf4082cfbdede6460b15

SHA512
c66e6f576c9c8bfe6744d201c0ed5e1d791f1a6fcfd973af62d776a6e858711c7c97a1396f804b5a8145d3c48dfe20bec6b1d00e5a7a6976ceaf79afec28f9e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
04f2d90faf094f59482b4b0236c25255

SHA1
091781945e20d86eab21a1c1f0c397da009d5b8b

SHA256
0d6cefab28170d52710e28dd41a5bb23d5aa686aa8aeae90635d6f35f5a2085a

SHA512
a528a4733533980a6a612c2ce8682b26c78f554525f997c98e213f7c32f9f6fa9036e29fe65d081019a657d981c9bc302c637f41d29587d9680e52e82e313709

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
31b9060e9d0e857d30c40eaa5f95cf8d

SHA1
d689e6cb9b2dc7c9a4d3b0cf55fb3b92628a2516

SHA256
1858d956dc7455f195fa7d198ad08426967eea783c688e7a8815e099e8bfd61e

SHA512
4f9452c0e442c97e0e80ffdd9a7eb08b2efa56d8ecd65adbbffc02707eb55346f8ca71eb241a9de3ea75c8bcb6aed9f6342877b9305e366992051d5295e421b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
d318244a77de6ddd7004089da642fa54

SHA1
41fbc723a4895874ea16d49c48d675f681638730

SHA256
c9138d718f1591a094948092e850e9ca2b9227c1981b1f648b4a0bfa51bb9a35

SHA512
b95e7fe4450806357a0f194e57c59052ebc9b1924743f18320fe74a59e0f1c899845a81c996ecaf0d3f0d87ee1c947fb415768ec2c37e96edd3537138b6c32e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
0a6c90a123afd2dca271fadcdae23e27

SHA1
12dc908f382b7ab843e82a7194f3e0c637fcfbfb

SHA256
60cdb519df69a6bca1aa7d26041adc420523c5d00f4c6ba67693112612623f9f

SHA512
63e85730be2f24c70b8e804822777af4f08342cbe32083e2e638cd786bfb79b132e31c64257abcba59dad17484df9dff6494c52b3fc82fb3445f0a72f9a8bb5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
a45df7936f519b7637e3848fef0cb700

SHA1
a9dd1bdd5020fa7f85d9453f8e36c0f4347aa231

SHA256
17be0e7a687afa9fade2d96b8fc74482c61139a7418e82820a38f020fe11aafd

SHA512
55b3a1eb2e484e59cfe79459ef1bd998d3b155bee1c9e81ace10217404ceae8607ae821d2850d2d80a9980750995890efecbf202692f0d7d7d9ad82515594813

Download Submit
C:\Users\Admin\AppData\Local\Temp\71D95E00

Filesize
23KB

MD5
27d12fa04e3f42c4bcf1d0daf144e3a3

SHA1
e3a64a30d2b031c2159576dd7798566d7105647a

SHA256
9b363dd48cca78614935b6691f44adc8979338f80c139dc42dd4fc369eece435

SHA512
16c2499268214b9903e276bf1c520f9bf65a8e67d63475758ed6d075a38f27ff2fbb38805c39a0bd1c0e1d62a197f7232afb9ede94604fc916f515df866e4e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwSxtzyR.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\Downloads\._cache_SB360.exe

Filesize
1.4MB

MD5
ec2bcb5269acb8f1e08dc2229e0c7bfc

SHA1
4296fc0c43f12ff76b74c0048248028b65055094

SHA256
24594c3b8e426a31b7973998bac62da5c444b0819deb0ca04af6339a795a1775

SHA512
6f32910285c4e56af2d1c0cf569deeb2f5fb7324a18b4f9dd080038e4ed5396963dc36b162981f5c56367b248baaefbaba243f6f48b257536c2eb73432daa860

Download Submit
C:\Users\Admin\Downloads\SB360.exe

Filesize
2.2MB

MD5
f5833e4240fc851ce0e588dade670c6e

SHA1
2dee3c9577e4c83a5e94b6e9617907f81d77e0aa

SHA256
314e52bf0a3a1915073a3124d7e57c65ce72e6fde0941ed261d81457cd5253ba

SHA512
6784473ff67f7e73d2a4dc4097690327bffece7186391b065dfecfeffedae81948dc279e2cb2ed0e96253495d9e1ff512bcf6455379e298a9b3c39add6b7899b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 200479.crdownload

Filesize
3.8MB

MD5
f32400c7694f2771df78577a3ffe3989

SHA1
f41213b476d34760f2b7340fbe4181a7dde02714

SHA256
6074751ce4d24381e83cccaa7e5961e757cd7cef73b29f92ac16766aee1c0831

SHA512
d136e9b0836895bb58e703f1cc42616969fcfe8ff379b8e2805bb9a6889e60dacde47a9cda24811afd618150c8852123bb38850d7608f27e3c55dbfc76436cd5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 586276.crdownload

Filesize
2.3MB

MD5
3f5b78aaa506d032b5df8ce409d6b6b7

SHA1
9ea00aa593d1ffe784f5ebb69486627bb2c9c1f4

SHA256
54db594f7931eca7cd5ea0381ecfd6475a52a1f6fc85fb585c1c0fad0773313f

SHA512
058683ed72ba57cd70d3df2601a5cda7a35bd5911cdf40454dbdf3cd754cebff2118b2732420b7b9fa67c81c615eaccc1b8aba13316908374fd22aaf906da45d

Download Submit
C:\Users\Admin\Downloads\v-1.0.1速速广播.exe

Filesize
2.3MB

MD5
8ee3e5ce730e0099bdb2f017e7fb5059

SHA1
f3abe934f2355f90cd3df8777c6edc08278b5508

SHA256
5bdd7593ef96eed9108b8edf3fa087bda7fa8e755e9cc709fbd9a978f15d91e1

SHA512
3ef00fc2812bf6daab2756d3eb8c4d479cd8360da34aa752cd864c657253ac22175790c2a16c11be56849a9ff5e8f5247af38421e7362ad2db89257c4178202e

Download Submit
memory/1568-523-0x00007FFA76290000-0x00007FFA762A0000-memory.dmp

Filesize
64KB

Download
memory/1568-526-0x00007FFA76290000-0x00007FFA762A0000-memory.dmp

Filesize
64KB

Download
memory/1568-524-0x00007FFA76290000-0x00007FFA762A0000-memory.dmp

Filesize
64KB

Download
memory/1568-528-0x00007FFA74130000-0x00007FFA74140000-memory.dmp

Filesize
64KB

Download
memory/1568-529-0x00007FFA74130000-0x00007FFA74140000-memory.dmp

Filesize
64KB

Download
memory/1568-527-0x00007FFA76290000-0x00007FFA762A0000-memory.dmp

Filesize
64KB

Download
memory/1568-525-0x00007FFA76290000-0x00007FFA762A0000-memory.dmp

Filesize
64KB

Download
memory/2656-490-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download
memory/4332-519-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/4332-375-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/4800-598-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download