neshta | 3ff5b8d4a80c9f631c2220c3f7ff9f1839bbd04d6eda9e57add7360a71774d1d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2025 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
Size

616KB
MD5

c0e42cf18b138205a171768f3dddf0e0
SHA1

867ebc0dae6437916f8882192652b58986d75d3c
SHA256

3ff5b8d4a80c9f631c2220c3f7ff9f1839bbd04d6eda9e57add7360a71774d1d
SHA512

887bdf246e507dbfd428916489016a6a470c668be44bc981469a89dee038179a9da67601b5dc9a1e96f8d57702abc5daa43c0f66e6f05573a3f17e49aadbc8ae
SSDEEP

12288:s7uII7WPIHFZQWoW1lADk6rOkEx5o7pKyskZWNCGNF+0W5iiUF:su78mZncDkYC5up6kENFfE5iiw

Score

10^/10

neshta defense_evasion discovery persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Detect Neshta payload 12 IoCs

resource	yara_rule
behavioral2/memory/1596-294-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0007000000020427-297.dat	family_neshta
behavioral2/memory/2640-443-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4444-444-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2640-445-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4444-446-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2640-449-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4444-455-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2640-528-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4444-530-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2640-562-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4444-561-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Downloads MZ/PE file 1 IoCs

flow	pid	Process
64	744	Process not Found

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	GoogleUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 12 IoCs

pid	Process
3552	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
2228	GoogleUpdate.exe
1520	GoogleUpdate.exe
1596	svchost.com
1504	GOOGLE~1.EXE
4444	svchost.com
3756	GOOGLE~1.EXE
3332	GoogleUpdate.exe
1532	109.0.5414.168_chrome_installer.exe
3876	setup.exe
3508	setup.exe
3396	GoogleUpdate.exe

Loads dropped DLL 16 IoCs

pid	Process
2228	GoogleUpdate.exe
1520	GoogleUpdate.exe
1520	GoogleUpdate.exe
1520	GoogleUpdate.exe
1520	GoogleUpdate.exe
2228	GoogleUpdate.exe
1504	GOOGLE~1.EXE
3756	GOOGLE~1.EXE
3332	GoogleUpdate.exe
3332	GoogleUpdate.exe
3756	GOOGLE~1.EXE
2228	GoogleUpdate.exe
3396	GoogleUpdate.exe
3396	GoogleUpdate.exe
3396	GoogleUpdate.exe
3396	GoogleUpdate.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe\" /c"	GoogleUpdate.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GOOGLE~1.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GOOGLE~1.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GoogleUpdate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GoogleUpdate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GoogleUpdate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GoogleUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~2\13195~1.43\MICROS~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~2\13195~1.43\MIA062~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\BHO\IE_TO_~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\NOTIFI~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\MSEDGE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~2\13195~1.43\MICROS~2.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	svchost.com
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	svchost.com
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~2\13195~1.43\MI391D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\INSTAL~1\setup.exe	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\MSEDGE~3.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\NOTIFI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~2\13195~1.43\MI391D~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1639772215-809007892-4072230623-1000Core.job	GoogleUpdate.exe
File created	C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1639772215-809007892-4072230623-1000UA.job	GoogleUpdate.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOOGLE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOOGLE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	109.0.5414.168_chrome_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1596	svchost.com
1504	GOOGLE~1.EXE
5012	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\CLSID = "{51F9E8EF-59D7-475B-A106-C7EA6F30C119}"	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}	GoogleUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\Policy = "3"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Google\\Update"	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\AppName = "GoogleUpdate.exe"	GoogleUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Policy = "3"	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\AppName = "GoogleUpdateOnDemand.exe"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Google\\Update\\1.3.21.57"	GoogleUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Policy = "3"	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}	GoogleUpdate.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133836518886865330"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods\ = "4"	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Google.Update3WebControl.3	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_CLASSES\WOW6432NODE\INTERFACE\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NUMMETHODS	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32\ThreadingModel = "Both"	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ = "IRegistrationUpdateHook"	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\ = "Update3COMClass"	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{D7B9DE33-A75A-422A-8EF9-E71896654A18}	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods\ = "6"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{9F83BFFF-E135-4F3D-9202-2C4984BBDFDE}\NumMethods\ = "37"	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_CLASSES\WOW6432NODE\INTERFACE\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NUMMETHODS	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Google\\Update\\1.3.21.57\\npGoogleUpdate3.dll"	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{D999CE21-98B3-4894-BACB-A49A1D50848F}\ = "IApp"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32\ = "{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}"	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods\ = "8"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\GoogleUpdate.OnDemandCOMClassUser.1.0\CLSID\ = "{2F0E2680-9FF5-43C0-B76E-114A56E93598}"	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\GoogleUpdate.CredentialDialogUser.1.0\CLSID	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\GoogleUpdate.CredentialDialogUser\CLSID	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Google.OneClickProcessLauncherUser\CLSID\ = "{51F9E8EF-59D7-475B-A106-C7EA6F30C119}"	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32\ = "{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}"	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\GoogleUpdate.Update3COMClassUser.1.0\CLSID\ = "{022105BD-948A-40C9-AB42-A3300DDF097F}"	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Google.OneClickProcessLauncherUser\ = "Google.OneClickProcessLauncher"	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Google.Update3WebControl.3	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Google.OneClickCtrl.9\CLSID	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_CLASSES\WOW6432NODE\INTERFACE\{2D363682-561D-4C3A-81C6-F2F82107562A}\NUMMETHODS	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ = "IGoogleUpdate3Web"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{9F83BFFF-E135-4F3D-9202-2C4984BBDFDE}\ProxyStubClsid32\ = "{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\GoogleUpdate.CredentialDialogUser.1.0\ = "GoogleUpdate CredentialDialog"	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\LocalServer32	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_CLASSES\WOW6432NODE\INTERFACE\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NUMMETHODS	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_CLASSES\WOW6432NODE\INTERFACE\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NUMMETHODS	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{D7B9DE33-A75A-422A-8EF9-E71896654A18}	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32\ = "{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ = "ICredentialDialog"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32\ = "{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}"	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}\InProcServer32	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\GoogleUpdate.Update3WebUser\CLSID	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\GoogleUpdate.Update3WebUser\CurVer	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\ProgID	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{9F83BFFF-E135-4F3D-9202-2C4984BBDFDE}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\GoogleUpdate.Update3COMClassUser\ = "Update3COMClass"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\ProgID\ = "GoogleUpdate.Update3COMClassUser.1.0"	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Google.OneClickCtrl.9	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\GoogleUpdate.CredentialDialogUser\CLSID	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\ProgID	GoogleUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	GoogleUpdate.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2228	GoogleUpdate.exe
2228	GoogleUpdate.exe
1360	chrome.exe
1360	chrome.exe
2228	GoogleUpdate.exe
2228	GoogleUpdate.exe
2228	GoogleUpdate.exe
2228	GoogleUpdate.exe
2228	GoogleUpdate.exe
2228	GoogleUpdate.exe
1360	chrome.exe
1360	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	GoogleUpdate.exe
Token: 33	1532	109.0.5414.168_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	1532	109.0.5414.168_chrome_installer.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeDebugPrivilege	2228	GoogleUpdate.exe
Token: SeDebugPrivilege	2228	GoogleUpdate.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
4816	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3552	2640	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe	87
PID 2640 wrote to memory of 3552	2640	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe	87
PID 2640 wrote to memory of 3552	2640	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe	87
PID 3552 wrote to memory of 2228	3552	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe	88
PID 3552 wrote to memory of 2228	3552	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe	88
PID 3552 wrote to memory of 2228	3552	JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe	88
PID 2228 wrote to memory of 1520	2228	GoogleUpdate.exe	90
PID 2228 wrote to memory of 1520	2228	GoogleUpdate.exe	90
PID 2228 wrote to memory of 1520	2228	GoogleUpdate.exe	90
PID 2228 wrote to memory of 1596	2228	GoogleUpdate.exe	91
PID 2228 wrote to memory of 1596	2228	GoogleUpdate.exe	91
PID 2228 wrote to memory of 1596	2228	GoogleUpdate.exe	91
PID 1596 wrote to memory of 1504	1596	svchost.com	92
PID 1596 wrote to memory of 1504	1596	svchost.com	92
PID 1596 wrote to memory of 1504	1596	svchost.com	92
PID 2228 wrote to memory of 4444	2228	GoogleUpdate.exe	93
PID 2228 wrote to memory of 4444	2228	GoogleUpdate.exe	93
PID 2228 wrote to memory of 4444	2228	GoogleUpdate.exe	93
PID 4444 wrote to memory of 3756	4444	svchost.com	94
PID 4444 wrote to memory of 3756	4444	svchost.com	94
PID 4444 wrote to memory of 3756	4444	svchost.com	94
PID 3332 wrote to memory of 1532	3332	GoogleUpdate.exe	100
PID 3332 wrote to memory of 1532	3332	GoogleUpdate.exe	100
PID 3332 wrote to memory of 1532	3332	GoogleUpdate.exe	100
PID 1532 wrote to memory of 3876	1532	109.0.5414.168_chrome_installer.exe	101
PID 1532 wrote to memory of 3876	1532	109.0.5414.168_chrome_installer.exe	101
PID 1532 wrote to memory of 3876	1532	109.0.5414.168_chrome_installer.exe	101
PID 3876 wrote to memory of 3508	3876	setup.exe	102
PID 3876 wrote to memory of 3508	3876	setup.exe	102
PID 3876 wrote to memory of 3508	3876	setup.exe	102
PID 3876 wrote to memory of 1360	3876	setup.exe	103
PID 3876 wrote to memory of 1360	3876	setup.exe	103
PID 1360 wrote to memory of 4500	1360	chrome.exe	104
PID 1360 wrote to memory of 4500	1360	chrome.exe	104
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105
PID 1360 wrote to memory of 3144	1360	chrome.exe	105

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\GoogleUpdate.exe
    C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\GoogleUpdate.exe /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={9ECA04EB-30F6-2EE5-C42E-459A39CD77E9}&lang=ru&browser=3&usagestats=0&appname=Google%20Chrome&needsadmin=false"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe
      "C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies registry class
      PID:1520
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Google\Update\GOOGLE~1.EXE" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuMjEuNTciIGlzbWFjaGluZT0iMCIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezVDNzU2QUFGLUEzMUMtNEYxRS1BOUQxLUE2MTVFQUUyMjUwMH0iPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjIiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMjEuNTciIGxhbmc9InJ1IiBicmFuZD0iIiBjbGllbnQ9IiIgaWlkPSJ7OUVDQTA0RUItMzBGNi0yRUU1LUM0MkUtNDU5QTM5Q0Q3N0U5fSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD4
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Users\Admin\AppData\Local\Google\Update\GOOGLE~1.EXE
        
        C:\Users\Admin\AppData\Local\Google\Update\GOOGLE~1.EXE /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuMjEuNTciIGlzbWFjaGluZT0iMCIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezVDNzU2QUFGLUEzMUMtNEYxRS1BOUQxLUE2MTVFQUUyMjUwMH0iPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjIiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMjEuNTciIGxhbmc9InJ1IiBicmFuZD0iIiBjbGllbnQ9IiIgaWlkPSJ7OUVDQTA0RUItMzBGNi0yRUU1LUM0MkUtNDU5QTM5Q0Q3N0U5fSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD4
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1504
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Google\Update\GOOGLE~1.EXE" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={9ECA04EB-30F6-2EE5-C42E-459A39CD77E9}&lang=ru&browser=3&usagestats=0&appname=Google%20Chrome&needsadmin=false" /installsource taggedmi
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Users\Admin\AppData\Local\Google\Update\GOOGLE~1.EXE
        
        C:\Users\Admin\AppData\Local\Google\Update\GOOGLE~1.EXE /handoff appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={9ECA04EB-30F6-2EE5-C42E-459A39CD77E9}&lang=ru&browser=3&usagestats=0&appname=Google%20Chrome&needsadmin=false /installsource taggedmi
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:3756
  - - C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe
      "C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe" /unregserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies registry class
      PID:3396

C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe
"C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Users\Admin\AppData\Local\Google\Update\Install\{BC1D4536-6456-4A1A-85A6-18F149A386FB}\109.0.5414.168_chrome_installer.exe
  "C:\Users\Admin\AppData\Local\Google\Update\Install\{BC1D4536-6456-4A1A-85A6-18F149A386FB}\109.0.5414.168_chrome_installer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Users\Admin\AppData\Local\Google\Update\Install\{BC1D4536-6456-4A1A-85A6-18F149A386FB}\CR_904D3.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Google\Update\Install\{BC1D4536-6456-4A1A-85A6-18F149A386FB}\CR_904D3.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Google\Update\Install\{BC1D4536-6456-4A1A-85A6-18F149A386FB}\CR_904D3.tmp\CHROME.PACKED.7Z"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Users\Admin\AppData\Local\Google\Update\Install\{BC1D4536-6456-4A1A-85A6-18F149A386FB}\CR_904D3.tmp\setup.exe
      C:\Users\Admin\AppData\Local\Google\Update\Install\{BC1D4536-6456-4A1A-85A6-18F149A386FB}\CR_904D3.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=109.0.5414.168 --initial-client-data=0x27c,0x280,0x2b0,0x2b8,0x334,0x748ba8,0x748bb8,0x748bc4
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3508
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff5562cc40,0x7fff5562cc4c,0x7fff5562cc58
        5⤵
        
        PID:4500
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,110940025506522063,14179073134290236607,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=1944 /prefetch:2
        5⤵
        
        PID:3144
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1532,i,110940025506522063,14179073134290236607,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2128 /prefetch:3
        5⤵
        
        PID:4032
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,110940025506522063,14179073134290236607,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2468 /prefetch:8
        5⤵
        
        PID:4252
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,110940025506522063,14179073134290236607,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3148 /prefetch:1
        5⤵
        
        PID:3920
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,110940025506522063,14179073134290236607,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3196 /prefetch:1
        5⤵
        
        PID:4036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,110940025506522063,14179073134290236607,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4528 /prefetch:1
        5⤵
        
        PID:5096
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4412,i,110940025506522063,14179073134290236607,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3692 /prefetch:8
        5⤵
        
        PID:4888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,110940025506522063,14179073134290236607,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4696 /prefetch:8
        5⤵
        
        PID:4588
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,110940025506522063,14179073134290236607,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4924 /prefetch:8
        5⤵
        
        PID:4640
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3676,i,110940025506522063,14179073134290236607,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=5072 /prefetch:8
        5⤵
        
        PID:1144
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:4684
      - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff6aa104698,0x7ff6aa1046a4,0x7ff6aa1046b0
        6⤵
        Drops file in Program Files directory
        
        PID:1848
      - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
        6⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4816
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff6aa104698,0x7ff6aa1046a4,0x7ff6aa1046b0
        7⤵
        Drops file in Program Files directory
        
        PID:1564
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3996,i,110940025506522063,14179073134290236607,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4752 /prefetch:8
        5⤵
        
        PID:4936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4004,i,110940025506522063,14179073134290236607,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=5080 /prefetch:8
        5⤵
        
        PID:3256

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1152

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEVDMjkwMzMtRDdEOS00RjZBLUI0OUItMzNFRUUyQ0ZFMjFBfSIgdXNlcmlkPSJ7NTBBOTI1NjUtRDYwRC00QjFBLUIxQjAtQjMwNzJGQ0Q5ODAyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjE5QUYzRjMtQTg4RS00NjA5LTkxQ0YtMUFGNTJBQjg3Q0RBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzUyNjMxMjEyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
58f9bc16408d4db56519691315bb8a75

SHA1
ac94543044371e3ea49918eb0f114a29ab303004

SHA256
5562973f2b3aa9d0c6184143360f7861b4129605f5e63b896ad815f381e6475b

SHA512
e1884456f86bb7cf7d268942f6fc1bacaa550eac31aaf186d9e95c15bdc41d05638cfdea1762c92681225af72008d251b101e8f291e3a74f382832336b82d39d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\65dd41eb-df4a-4d22-9052-d764ba96e989.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6b79b7fd-207e-46b6-b9b9-7567bf331004.tmp

Filesize
247KB

MD5
cc9ba3a2c943bd114bf2100732b060ea

SHA1
603a51724ae7c25b1d9378a902dbdcdf5e24b169

SHA256
ddcef53cd33faf40d218a6d1188321f5958c368ac879eee84f050c68923a690f

SHA512
1cd7d1d0809928fe03532edb3ebc1abae214557ddbc0c37da32172f389bfde2a49e8d571390d8d089eeefd070e73067d444e67065a7422882624f006ec9dc609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8d652d26f1e62498f0e886742afafea5

SHA1
c8a4fba83c6b9463aeaea96e8c2019075dc0416a

SHA256
1cfcb3f815f8fd811e533f216f591534a106b6353568f8d07e06489a220ecb4f

SHA512
a3843720363c719ea809e6890bc61c7c8974d621a1607b7073a6dbc2bf57a50483938a95fb77b001d854831678c929dab2d6790adac85afebabedd2a30b4f1b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cad201092892a8d9a0863f51a5cf7cd7

SHA1
6d51ea3b1005bac0f919b72df5518ec39222bee7

SHA256
facec9ac6b8f2cefdd67091164ed910aab672fe4b79e3390f2f0600de73b4b00

SHA512
b63227bc46bc54dff374ef127bf5343bc918d8d1a77c585d2e83d46c4514f027a0a28f7241b7a3cfb8a4ee47aea7df43b878b5b30667b3178d0fc90318ebde66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0eb059de063c7a85eae291157b7ae7d3

SHA1
7fb65210f5ad5a681fea13de85307016d5b25d08

SHA256
f5890cc8a79dab8a85dfc8e1f43f89384323ffe811129b9b47b971adc6cceebf

SHA512
2919cd6246dd36cdf0d252f382f3ecfe49fc1ed8ac1a33f51e37a8b5823c3a099d772fda3df1ea8f124657b838bc2cd6e649e491b0eafa52660d7baaae29858a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5b8270c67c0d146b30f1bb40ab16840a

SHA1
588db8eac902f3a34a61d822d71ab8e04edb1684

SHA256
2888fea7058354d76cd3328235da6be82e6b801d9a7a59d1768e9f7fbf64ed20

SHA512
cb4aa16b6c30267b09b09960ea829ceb213482ee535473b3ae218afdcfcaff335a115616089a46b5b3bfc2abe347ce249068066b08b3635105265fde0d91deaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a018e1448d4df25649772c06a4287a71

SHA1
fc1efdf1295c0886fde619a11d63afe3d62fcee0

SHA256
aa42d03889651c084bf816db6eb15b1f4977ba740e7f026dd721d781c803e13a

SHA512
764b97d59a550c381f17037c798a7826ac3289f25fa0b8717c5f26009e9bbfa565fdd0f5ef3df1d77ceb4dc9da926f65b9ccee6611b39b5487c6f7aa0e191c51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9c283c71c7be3788e3de636257cd0592

SHA1
aa7876f0c246e4b94826fd25ea287a2209f2cdc1

SHA256
9a2cdb9fb90a9c801ced4a9b6f4197835084fa44964abc640b7428e3a402341d

SHA512
b17f4a1a0f6635658b95dfe4d5bb49f2c69f5cf596eea6cc82c6915d9d23ef986b0cb0e4678028f49b4d9b17cf2cb7e1256ec81d2a6655437b9ad0a5066f7b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5892e4.TMP

Filesize
1KB

MD5
5469cf021ad87838c8b17707f07ba63c

SHA1
ed8dababf0cc62fa696e2d197b926c8c13ab2ef8

SHA256
71b3409c29bc768c7aa85b8ece66cb742411599dd9b5fb8bc363a66e47987baf

SHA512
59a6eeab30eeed3bc130e498760158e9e6d010215962c0b2b5a3c1754b2f7e7ba4a43142022cfe5a505f3fe7a4e5335931c2000983f766fb0cb5ad05d125c764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
935a8f018dcf441005d1f8911002c529

SHA1
e9a715a363d8222ca8100e37ae48794f149727e0

SHA256
aaa40d5fc4023194464d3d69ff6e36b79a20ab6a7da1e0771997bd83ee6486c9

SHA512
0a7c1c1d041cf28541f6375c60a494ae7ae85f9ef954b5125907bc664214e29f6545c6e2d86f5c6548215ef74b6904a3f17b0ba6c98e319c4025db671105eafd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
4f1ddc338e3684a1e25011d4012b03ab

SHA1
67429b8c5b4b947ab253aeaf2c1da4e8b7bd95af

SHA256
6a5170e0fdc6b47bd44508d71d744ac605b4eaad02fa76095ef1bace5e4515b7

SHA512
54b7f58d7d5b161a2f0d8c53f0f52ae2606934c063e2bba31deeb68dfd5c4e352b6286055bb2862afebfae04e148bdb3d0f543894c706898a966e3b73ea503b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
247KB

MD5
e6310a99153a9644c5b0a01fea0ff8a1

SHA1
9c173c808881a3efec1aa364564c2b33835137e4

SHA256
a24c89f74f032d4e3ea74861040bcf37ed4ad33f6e9b5737a5737b21e6539c99

SHA512
884ff3850c894d9b06386e7b132db2ea171ccae3d450e55b638dd0de03921dc39efffe4b0494a26522bc0a91685836035720c7dee4f052e988a923e980412c16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
312KB

MD5
265f8f5071180d95ea3c70c9b20c5143

SHA1
9c3ebc0e2770f73a80255f9f5db687eafce0c102

SHA256
8ce893af700d5430429bda83d80a5ffc33e1a37d8cec971111d41b72db09aa4a

SHA512
559214687ae62017fd64a6537a17855a8b57fcd4b136e595433c738076363797d48e40cbb83a8ae1da52e7c9d6a9b206666dc66bec4e7c168cd77d67ea367c1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
247KB

MD5
b3ae690207d7f2b0f8809b28e4d2a1b7

SHA1
b8acb6999963a080315d16bc95fab89e462d5f5e

SHA256
ddbdf5cbf8b773d3870f3890cc651379b29eed626c45396b83e7128d5342586c

SHA512
784a2ae485557cfa8393a45f44306cdd3a3f80fac388d24240e3e400dd4c35071772a127e70de62f0eff80ce0333e8aa6f2e953b41c638d5ffc249192a382dc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll

Filesize
230KB

MD5
b226054bfa3d3a1920f7b95e54f3e87d

SHA1
d3fab46d5b3ccb5ea420beee3d5d8e4501698aa6

SHA256
efb0c3315e9305fa57d6ce1f5c44ba26950f8fae3e8355d47c55dc2c2a8e3fcb

SHA512
a7a2ca9ba4850e3ca4b61a298027f78480eb03c95ebb1c3298550c2fe9f8cbc29282120b5e930134af287fe2c7b3674d91839046d11ffa0e2e08c4dce0dae837

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_c0e42cf18b138205a171768f3dddf0e0.exe

Filesize
575KB

MD5
7efbfce1182197a893cbf4b241207c37

SHA1
5cbe163cd842e30dd60e50e5fc58e500e4e6b46d

SHA256
12cb4c27cc587e377816abd8c0dd85d13f9afd6736ca40ca486f49df715c5bdf

SHA512
f2de4fab8e13ec642672f67a8cbb581b6c1bca26573e2ccbce6f053bcb7246db5b1a8553cd89cc380ea5a70830fa7988b9d5c9e88ead8dcd8eb6892d9f26cc04

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\GoogleCrashHandler.exe

Filesize
137KB

MD5
a5f28c8e37b3d4f310f1b52f4db4b47f

SHA1
2b90ea0a3408f691aa8c467fc137f77cddc8c233

SHA256
83839635f3a98ed82d60ffb404854b0890e8f8b5e7433a0e33b29e6c3efc7a66

SHA512
0a57d4047f65d83c158d31db4be8ca4a800a5e2ca4d4f421f6ab16a7bb7371da2a735c7394e03be475b864e6e89f8f554a6c59056918c7957f29948a1af5adae

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\GoogleUpdate.exe

Filesize
132KB

MD5
f02a533f517eb38333cb12a9e8963773

SHA1
258810d71436c5157cd0752bd13ce1de20f27eb2

SHA256
1f72cd1cf660766fa8f912e40b7323a0192a300b376186c10f6803dc5efe28df

SHA512
1fd44fd4b6b73327a913dd85efe2d8125896e3dd4b5c7801d7d9afd594d6536f4e825a767fad4af13f03397783ff4dd448e0071037e72fd8fdf685825ee6b4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\GoogleUpdateHelper.msi

Filesize
24KB

MD5
ca1c1f1d727d052f025d6d1555efaa80

SHA1
4ce8401c1ad8d96a6ae384ff553bcfb28a87da70

SHA256
1813c41d2d4e1c5e25158b5f85839bcb05d68041ec5946a6f902a5669e918cb8

SHA512
59f6548a7d681dbd0d99def5d7ca173ee3e9fb81255c85e5ea7b8da6643ae68de23b30801d3ab47467d91b79c73b38c8756dd1234969326adaece78583117aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdate.dll

Filesize
780KB

MD5
070d588ceeb2f486a949a9b0895fc7b7

SHA1
0330a98b3727b153d9d4e5bd72f3133aac704ef1

SHA256
b240b39cf84a58a17e6bc4414b09e15eb02b43eaee156d617e7501a19870133c

SHA512
791bbc6d9bdf780bab37e41b3aa40256e000b18b80a5d57e9223634fc7f493d13610f0244b6f1dbe016d49943e6e7cc1192898194e641fb865e9ef50c416add8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_am.dll

Filesize
22KB

MD5
7183dacb521277c9836f6b48dfae48be

SHA1
7dcfb0a06839ec9221ec4ff043f0694168bf9f2e

SHA256
79d849878ffc3f8d10f90720a75483ba7bdd06f28a4175125cfd683bd31175e6

SHA512
5007232e03efb305a975468042a26c5b55bd25c5d48b4e8d02e9728598df97dd26eddf636b4d41cd6448947b131e8c284621285a740b37912a41ad78134b91c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_ar.dll

Filesize
24KB

MD5
1c4ff0ded5d2284916b443e3458f5ed7

SHA1
3d49eea3f8a85e5079a6bf9434a99485725ea3fb

SHA256
f76899eba1a1dea68bae8bf7ca30e33dc8a6e301a32511cc3cb957939ae67fc2

SHA512
231d3ecc8e095237655ff036db58d26ed8398a5e4c7b82e12fd53c8768b63eb4318666ee7855b527ad63f57b6c99cc447fa4d23516d5c19cba4d5f6063c0428d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_bg.dll

Filesize
27KB

MD5
fd853bd1bc3fe3d9f28ba8d945b647f6

SHA1
8b72222e177a6a9b7ed8294f65df9e57462a0989

SHA256
3b3e5197263ff011f2af2dcba5523998fd07d6a78b2cd950ef5663cebabcce82

SHA512
aa43a78b27bfebe8b2a178d9d05a5dc32eb4ba01a7a49da471209ca486c25d5690a84c9b3d1cf673c0e08d55edcd4c33f0c6cc7d5cca6f958d64835f42a2cb62

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_bn.dll

Filesize
26KB

MD5
3c65dae36d34501bdd86b93f41001f9b

SHA1
8b3b5e7e79f848d33dea982d1a7293a6e58c7125

SHA256
0e80f1c50f410d1b38b65e6657a7ddbce3fc952d3df5abd2066cc1ccda1cb59e

SHA512
1888d585635362a5eb8479d30001b22e6ec3c57713bef942da8a098a8489a3d93ca67efb96870f600e5a606f804e5e89fe6da9324ae90d97d50ba0d13fba598f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_ca.dll

Filesize
26KB

MD5
1b285c65b8de72316606c98028beb378

SHA1
962c8b14cc0a3f79897635dace029f7783763a93

SHA256
7c4144f351b37e6c182561b81881cc8e7972bfcb15f62082c6c53341dee29bae

SHA512
55499fc30a72990a41bcbd1751d25615ed0fccd3d08530c30a0c761f63b54921d6f732cf1b6a38a49bb65b333465e7a5c6a5482fce46e1a5df4b1d1aff41debf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_cs.dll

Filesize
26KB

MD5
afd9977892db5b78affb03efacaa24b6

SHA1
373a236b17c2f16c6398d1911e2a8fb26b4aa436

SHA256
ff02fb2624d4d9c22152fb07021f081bcca1f75e87fe1f961fe48c2f9c3501e1

SHA512
324f58bd7aaf946fceca92197b5144c7700aa4036a72fcdc3ea60b479225cb9383709ea4747438fbd23705da20f7be64ccf226564aa6e239d2fd1cd01b4341ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_da.dll

Filesize
26KB

MD5
a03c28667bc5d8a3bb37f8a065abbfca

SHA1
ab0d589645f30b5394a969eb70180046f56c4983

SHA256
d373050be5caf4ef40d4ab3caca11126493f2060247dad4eca59382996e9bcd2

SHA512
c1af060d8e09feca7747daba1f1789bc9f8d1f6021945b8af88d1e3a0f6f143adb7cdb3b1937ea79c555773530636eaefee98a4d15537b9226ec9b1762e60bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_de.dll

Filesize
28KB

MD5
a10cef911e4aa1c17abfc244e635236a

SHA1
5d0cfc40ebf15f07fb05804f16bb546e09fbf6e5

SHA256
0750255ca68002635a80d0747e3769246b82a0d58c5e879cabd5ed811d90b2f1

SHA512
76f4e013ff40a9904b3ecff51c4218bd037cf150ba2b9b058cd4fb44b0ae1fd0a1c63c3275cfa5c7f4844df63e1cc6e7fbc1e27d8ce41d089f4af708b3dfe538

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_el.dll

Filesize
28KB

MD5
51430a598ed01cf12d3cdcab9bb31f07

SHA1
675140d99f12d887167e028c81e87131532e6a0d

SHA256
461edf029026df67bae514e9fae01368e984184b92a0c116b880c8310f0773aa

SHA512
5d1fc3a6854b2d91ace8184825ab090f671ac79956d34e2c67ebee471ef7201a0ca6462fc58e9887c8279d08643d392d95d7ac2afde397ce0f10b758cfb565f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_en-GB.dll

Filesize
25KB

MD5
8c49d0510c21b356ddec271f0aa9b406

SHA1
c34223858e1ed0027892a367dfd8d8b06034a53a

SHA256
f98f2c279d05555d08084bc3abef15cf30e27f37a3cff84f3fa7d0c0987d1196

SHA512
268ccaf5ea6cf304559e93592c479162790bb48ce1c7eb7ece98364390420d217387388e6357840076b34a7749ce8f10780e7ff736551e39a67927cae5c8a40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_en.dll

Filesize
25KB

MD5
2a77be94f55e658c92b987fdebb75335

SHA1
8376e83a21185c1e07658ca845d35ef30e908c8a

SHA256
c1c6c0b3e901a06d521f367846d73211f9d9204c6a4acf2b94c1fd34873a2c0d

SHA512
b89a5a58a7f0661a10c540448095a9f49af90529306f05d30a6e3ea2f01764944c590b3b3228366999cd3d819c005c993456cf29a5a3ce681965a76dd4c0ad10

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_es-419.dll

Filesize
26KB

MD5
36f2e92951df95c9def1c9873c0f2471

SHA1
81f0587db7868b371b629fd123458de360f8e55e

SHA256
f3047894635782ad8954e38258f086dfb7839806e3805ca0d51455939d9802be

SHA512
828136f0f63cc0887fa7e1ccb3abd802e64ca6fd965b10e12edba24344a6ccb583357895766693e6977025ef3b054f07127858608e9bee2c7995a3ce249fdc14

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_es.dll

Filesize
28KB

MD5
645210540d56f8b1a8dff0f9371eaa83

SHA1
f8f4bdb6cc33a80cd5e00ffc70b3950bd621de8c

SHA256
9f8f5f45eebba3dfb7e13644a3e6cbf5fb50032c31292c56d202f50051ad566c

SHA512
c475d53997ff7b74aa1cb7adf57e75b239d9acfde96a2d00df9e683a4b815aef8fa9a79787bc3b03a786f39a9ec89ad6047468f0d35165c5dd95e89b7465c54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_et.dll

Filesize
25KB

MD5
d27fbbc29d47c86fbc5715a4da77cfa6

SHA1
9019ac206b32d423d947665972bd8aea7af805c5

SHA256
68cabce0248a736d40770ed87d75bf27b70b325da654c5f31c65a5380b652238

SHA512
b0692eeb13373926de1f8ec0556a23ad288cd24e4312f94f8b6077b448be3e025f83d3f3d502faecbd0963036886077dfdbc38aca1e82e5db5db669aa528de80

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_fa.dll

Filesize
25KB

MD5
ff507b06017d68eb76f853da7d6663b5

SHA1
268202c85452f2c55fcfb29fa61f65fcb9949850

SHA256
e9f68e538ffab8ca13aa9cdb01e48ce1511e11e0a06afe0136771295ba4a79ac

SHA512
7939629d942714336677f4d500d449f10cd7b0bda0569892cf6e00f9995b8a9a3a1d97922052f6b736b2a42143aa050e8f8bffe8076ad69ad3aba5e70b1ff3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_fi.dll

Filesize
26KB

MD5
7b5c48139a4fe426abf83cee59260cbc

SHA1
a2204be88133592c7af3d5a55c06961672b6a6d1

SHA256
7a3963cf876b56fe3f5ce56594d928bcca0749aacec402be531b601a0fa149b3

SHA512
d2b0f9bacf5c2e2a3aa5bd41b1440a35c4760890bde5354edce518e9320764a8c0b3a6eee530ee0d61d3004c5e44bdd229b7c7e040fbf289e5e3db680e3dd852

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_fil.dll

Filesize
27KB

MD5
5612855ee409b5bf8835e8bfb1b2b95a

SHA1
a316deefdca27bf916560090210ff13013be05a1

SHA256
27cc78d62d0120967c155576a9eebb7a2aa06146906850f1f4957ab8bf27004f

SHA512
86dc03176d3e76003b5e9e219bca45f75e9faae7bf53a707e589c78b6129fc31b8160657cf71cd4673ecd829399021fa3137c661e506f15b7572d4272aa1aaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_fr.dll

Filesize
27KB

MD5
334883227570e203ce235fb9738cca24

SHA1
beba0205460da7114159669bc52ecf3ebccb2ff1

SHA256
739a7b158b9b49abd093a96465222925bc3ce7140ba9ef3cd1a10aa42ea4c111

SHA512
30b4ab5ece1a2e0ab95c8d67c366b538ec11c996bc6bc26b6141442e26249aa8dfa4c856acb65f0d1a9e70b35671697d6ca812ef865be7bb02ab174d2c274777

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_gu.dll

Filesize
26KB

MD5
317bae8b775b951ba4f3ff30f845f7bf

SHA1
ec3010f83e25051fa69035adda6578a88b5e8c91

SHA256
0f1f952aa99ccb3159a3d8d9b41b6ff48031da2d35d5a99fecd91145e78d9bd9

SHA512
11d47d017eab62759d66ee913d2088b54c8fcd96a4aa3a0bc18c4d727b2eaf0fa2eb0c0496d0ee773c25cde6b5a74254ebded447e1410a59e48d2425d28c37f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_hi.dll

Filesize
26KB

MD5
55c8b142916ed9358fbe13bb35adecea

SHA1
b162e7c0497620c5da192a2c0390a58cbee93436

SHA256
da92f86bed45e3bff33b3bccb17d8f44b3cc29e62cc87d26e55a6a64f56c22b3

SHA512
02082648e51da6ad83cae3bc74297cbd940a7078892134dcace4a7e63ab5bec561102301b1e80eff2888a4c0c2511cfcf9e0dd527bf08fc3f102f252607871b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_hr.dll

Filesize
26KB

MD5
e0173a323c2dba12836ab59cd8144f11

SHA1
a895afe3b6c6bf9e21d5d8678f87fe591250803c

SHA256
963b938c22a0cd3e01c593d3efc0545be60f9a64823ce7ad702930a297a03d93

SHA512
227a25b91f5340b164223a3261186ffd531393798a657d6bd62d05a046abda5157e96533bf48ae86390bc0afddd4f3b3fe7d31141c59013e5e39dbd037ef270a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_hu.dll

Filesize
27KB

MD5
7cb9dcb2d119bd8f2cd721786df3a2ba

SHA1
ad0eb71845c23c1c2d09ddc863f26e306aa2111b

SHA256
3b6fc3944573d0342e2d58c2541746a79acb01bafe51f089c1064ffb839e1dbc

SHA512
23c8fa01a17af4e43c83cf67ea922b002be700e1f12af91579be7fa7a95dedbf3a33a43ecf6f4675a7e6cc737eafc9f937b8eb9ec71044068663b8e7c31e2a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_id.dll

Filesize
25KB

MD5
77d878aed340585b6474964fcf16eedc

SHA1
bca761a2efad03b66993c4bcc504b592868805dd

SHA256
4427d9cd955b602a8ae90d7c86542b2806034877a1f739f83d8657bbd7407910

SHA512
139185472581be12fe8e7dd3f375ddfeb8830f7f847eaca720c5e847783798e53d4ceb6b9d01f00dc8e399f8a15765bb2cc4dcfb9af236621cfb1ae87a0ec9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_is.dll

Filesize
25KB

MD5
f97dfe4df6343cd84472d9bcc5c778fd

SHA1
f9300edc3679c152da814fd8cef82cde4fad5db3

SHA256
afa6d1c9b6e084953a9dc7c7b71d105626f20d32c6671f3f54a4ce612d65e9e4

SHA512
b2642b75dfa0372fba88abefa1de0360227a55cdac1f2d20da2c10b45f126661b9dbaa8d6a4b105612c8f9ecc4c8e7d3d2e9de473b14d38bddb34a70595be4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_it.dll

Filesize
27KB

MD5
a0b27e718d4a2871c7291410cbfcfa43

SHA1
6076305b1e561e9cc2f3a2fd2196986bed465c52

SHA256
a44ae550fb37baca3479be75d2ea10123d41f05e3913f4c16e74c696a965332d

SHA512
2ba10d79ad55e7c9dfa741f07d806e23ebabadff116672f7973262415cc651e942d0f6f9c69830a8298f69cc49a61c7fb08a46f0e2c7f65bd8eae1ca7f5d8b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_iw.dll

Filesize
23KB

MD5
a5fb107b517bc2983f08230a10b4091f

SHA1
193c54874b887d8b4245177cbf776346f62f8019

SHA256
097236de97c3e70463388bef7ea89d8c6725bf16822d850feec95b56039a1c7b

SHA512
66c9160f0a0137286adb2a013b2a0437118854ff094b6a4b6388b73b7c9f2b3c7e1df512b45b126c19611d9cf8a069c4809c6f96ed56e39caf51fd008a51ff6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_ja.dll

Filesize
22KB

MD5
9955d0882ec381d59409aafd8c88f881

SHA1
aafbfdd3e37d3eefbcf3315cbd6ee9fb78a5271d

SHA256
693038b07ba3705ff74bc189ed483c2c9e1b9399cd13ac134118813a0578d0af

SHA512
17fc1ca6cc0fc58f09bea5ab7c89db51ae59458c95dd88f111440664690be6a1084ffa36ac472673341ef908c99fa429c2376f4854bcab29aafe61fe47e71550

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_kn.dll

Filesize
26KB

MD5
42c4fa71db5b75131759a6443686f46b

SHA1
5c4da5b254c7e74d46fb2ff052552bd38e96cf8c

SHA256
1ed850ca7e3480f774e29a99a9dba9dfe4542856ba509a386e319ead193c218e

SHA512
3dc4d2ce27e416dcf5f9cfbc0fe487b1a5e468e6a8ed6ab895fc1d93a15a6fc85ed2eb066ca9e65edfaef14c7df934aff7d53cc3e59925d502ad54e16f0798df

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_ko.dll

Filesize
21KB

MD5
a434d98b5d43b0786c31fded934ce893

SHA1
319d855f1ea7dd241dcc6e0b14e5d5056c92f87d

SHA256
8a8dde43f2c67f5ec843f3a285aea65adfad7a9de4a7a808eb9af1aa3cf2b2b8

SHA512
b4064a0575bdcf2c0978c4007aa77a46511d9f337e8b982f17ba8b17e0a40abccc8e92ffbacc72d6ebadd0aecc359b20a2bf7ff628c4cfa7dc3ddf4dfe95c8ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_lt.dll

Filesize
25KB

MD5
c542ae7cefea6d1bed30af055ca44f6e

SHA1
f1603220c6a1446542960280516aeb437dd15e10

SHA256
c7b790c98fe9ad6bd653e69c8cc3c5d11606b8fc09eb7195492497ecb57e9212

SHA512
5c988c2f6b01f859702061ab8600e5b9002ae436d80735e6469bbfb8b890513389d16ffba176aeee5d41f236f01e93acacdf63e2142d46a3c89e3767ca6f5a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_lv.dll

Filesize
26KB

MD5
d648697f00f9041c5e32185baef52aae

SHA1
6bd63e0676173bcc3eacfb24395418811c9df880

SHA256
af50bb8900866766c4f43bb834c69594532b0f5eaae3e12a078d16306acecee2

SHA512
117a01383e711b696d108dc73245be31efabaf59ab0bdb64cdb3e2f3574715914238b49f37eac3d0c1821ea570cc4932d61a6e1f4edeefbd67445d4bb87a0b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_ml.dll

Filesize
28KB

MD5
2a7f20f369043746cb641e8b3dc04427

SHA1
1fd23fb6a7116150ff6b4c1b254f49d0f60a6bbb

SHA256
4c2bc4fc85d304aa669eee4cb95f9976dcd3898c2850bc7b91d8da8988394760

SHA512
88135f8902ffb2983063f85605c12a09d9a9edd3e76b8f9a7ee21adfb9d9762058547efb6e3db02bafef20626aac6b13cd1a152fb1ff38a515827872304d8863

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_mr.dll

Filesize
26KB

MD5
eed4575908bcbb05b023c052ff29b724

SHA1
8403d34a9096ded096089ff5f0bc039f4daebda2

SHA256
ef2c89039428ddcefda0d89580905e76b255b8243fc52540e1e361db7bf52d49

SHA512
f30ddbe858bd2f11866a7afe7de17a122a7e4b1eb6c285938e908ebd6deeb1d6fd8a9312acf4043c46ccd3ab225f97dbf0c3bab78427f0aa534a78527dba469d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_ms.dll

Filesize
25KB

MD5
26e099d4f4dc60babb4fbb794b18cc3d

SHA1
fcd6e610d6cfb786877b918e3c982978e9233cd7

SHA256
6849b5c2e3bbee2bab4ba41c52ff1029c7970d53e843b730d2ecbb0737d9c4c9

SHA512
a01c14991014c67459cbddb0d5578f00358f3293eaae4284efb325a845f60c9ea65b052e6615baa0787b4b93c178799189c916190b0de4ef940d7a6317783f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_nl.dll

Filesize
27KB

MD5
66fd82291376b0bc28710a216d3afe91

SHA1
87d987d8a584e14056896dc8904a9c9f6ea6fa56

SHA256
bae0d659dd99e8f91a9f3ef0841a96ae6aa24ea8ed41756955d6843483e3c509

SHA512
a80b77de651b8279a629154db4403dea9730fd53b2735c53ba7fcd7fd5b2347835d63ffa61f9a4e6930275ff7ac63dc1428a9ed2b0f98f1dd91a1442e8c51604

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_no.dll

Filesize
26KB

MD5
aa6cdb87b41da75cc033947b5f89a324

SHA1
cedbc1c86e9645a950e32e09cb0176944590b5fe

SHA256
9e4b15f07cb3c9cd204c5be3c413ca3ab40d6ad6695a5eb74eeba00eb232656d

SHA512
61c8ed5e48442106665965ee7aa41d9c3435c5a50e466f6c11fb8f8fd18e42c21d9e28cb608f92565641343b3054baea5d8b891afa10282b8c54e28dde664be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_pl.dll

Filesize
27KB

MD5
9d5ee1c7da2e8465217872f37a37aa2c

SHA1
97a9959de25b374ec268132d2f5031d5105b848c

SHA256
44cfa994986f3608412a18e560a565694b824e25468ebcb99cea34abe3a69bf3

SHA512
e973d45dbc7fed01d70f645a39ba824f8f141dc5a5f663225bbd1c4276684ed589cda4a512a280db2a453e312b0ba22a20afd857ac2fae6c150e8d50334d9e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_pt-BR.dll

Filesize
26KB

MD5
369a2f2df3e997291985dcc8d8733b63

SHA1
11b2314784c40f0e69f2c216fd3efd6977c15700

SHA256
f63017fb8d71f984e1985e2a3e69fe57ab31991caf5976f837fe66d38087351e

SHA512
2e19f888108d84c4509eedf686383687130a3b9fe6c617fad02d37f1db9db882f81f6da137b9e1c020af40a4e97fbd985d967a26051183ee270dda11f5f15377

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_pt-PT.dll

Filesize
26KB

MD5
b0c67d62ad2d5d8ec968c0d7db42f73b

SHA1
c28097d2607fc6af4be7cba1a18ab8eb210474e0

SHA256
4f7721b867fc8f5103a7dc0fef988a268916c89e8a2051eafebbe3854456c0e5

SHA512
f0d72eb5f70a95bb2ac300531ce6b5dfaa34f547b6c67106fd765d38e718cadbeba73651da0feb30fedb5ee844f6a406a2ea9ee4d5e124fb8bdf2019c2c7e501

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_ro.dll

Filesize
27KB

MD5
176bbb8bfcdeeb18deee17fc39abd4b4

SHA1
c42ced9c7e6f24e311362d9245b1ddceea367961

SHA256
e2a03d3e66b6dac7edb1262032f129707401de96cc3693177cf3ced0b11fdc89

SHA512
09d357b586cbbb4deaf29ddbdedc844f5e5eceeb4210741737f22e3c9dceb92d190dcf0d5cc9e332c85178f53a503eec3a857550fdfe3f89d7bd55b4e769c398

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_ru.dll

Filesize
26KB

MD5
3fb4390db660cf7d3fd4511eb791d078

SHA1
0c73203899d235fc399a344a59cc38adc201e8fb

SHA256
7565afca71bc7fd088d1b4e2fcb78cfe13ea44bd5b41c19b2909896ce79f8c08

SHA512
fded8a401720dfa1ae3d77b9cd2a03aa3c5b2bd56c3d0ea3cfca74476c856dbfd43c8970834dfb33697044b7f9f648e9e228f8bb47d7c62dcfedb79c51aa7193

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_sk.dll

Filesize
26KB

MD5
6827d7b2fe54c989aedc70671543b375

SHA1
24a1d72513ebd59b0b833cbe92fc786d06724691

SHA256
f6d8c4812a5c5d3fe12f5291127c121456b5e92cd31d9fe9d3888a41348dd40d

SHA512
e0231a1d28a2b20bbdfc5d9de3e67f0ef5cd5cf062648bd4770f9c562ae713524aa2f66ad9244157d7e6743b387048d5bb0a50b48a8eb0ace08fdac9fecfe4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_sl.dll

Filesize
26KB

MD5
207c73394ca72a499dc22c1650ce5e80

SHA1
66ffb8a41f1981c4ea128356bba93be90dc581d8

SHA256
ea67dcaf401b3ca181deb29898ce363a4e195196992eac4745f47623251376d0

SHA512
9496f90c5f19e50f592f943dd53d7d0f69c63564bb8438efdd99074081037f00d14fb7f88f1812d42466540a933cc287fbb9e85b7328ec3735822b0eb66f1440

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_sr.dll

Filesize
26KB

MD5
faff347ecb9c6958ac74b2a0f982edb5

SHA1
d6ae6afe21a3e04ccb64c6cb6d5e9012f58d1a79

SHA256
973aa605c1263dcd90b9f8f86a1aa32c8c4f769adf2dafc93011b7906eabb393

SHA512
678d18a266a9e3a954e4861c73df9701b20df6661f91e0da966d0d3adf1070bbbaed079875d1d9547ec7aaec7e636761d46f1c96eab091c00fadb663c72d12a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_sv.dll

Filesize
26KB

MD5
8a23fd96ffb123fdbcc4186519263a46

SHA1
c5432443e72629790c82b0e6894ed35539676c69

SHA256
0b566fada2bf4be8fd7abccc0e62a52ae9d2af380b0aa4b5a7d2196a8b3c0601

SHA512
ad747ccfa1b2c4019380eb3a9ae0d7547ba404d62cace2d747d470cc76d3acadbbfc232e2aacbc9ca34cb57284be1eb12364a2e4a9d300bf66313b2c09258d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_sw.dll

Filesize
26KB

MD5
1cc40ddcfc4aa426e1f54a504cdd7cf9

SHA1
00fd2b94e0b5b53cc9de329be0d16937afb04abd

SHA256
18a9f6d39754773defa69a51655c55b3c6ff9c2f3945322b53afd63aa404b072

SHA512
161e7f97c7b3c47b8da86c9556553b0d0c3dac7d46eaba12c27bc3bf9b72ef5deb886729b301114272a38f6acf9ccc0f4690cc52f0683e07727cf6715426b0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_ta.dll

Filesize
27KB

MD5
f3716b915b0dd8caaec6dbc1ad6665b0

SHA1
6e164c550eaa1f4d494eb97ea8107ff9b0b0f37d

SHA256
cd3a99b55e9e1d45cf43791525e388b27cab6c5c3ffff37d1f88a51ff4e77b31

SHA512
873a1368368765758a845301a3bc61070da7223e7111fae7edb133e0caf8f2a5a2409f35574e3a82d6464b9743927f6d96b4ca0493ce7d12b88e57a7ca42e984

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_te.dll

Filesize
26KB

MD5
1ab712c578cc0c46f5a48fdf2e518058

SHA1
3723bea95879552d3da7bc999e1d5ace7d97e7d5

SHA256
4c678f240fe900ff0b8a6bd476f6abd13cfb0b9e1501a50e56310b09bdde15de

SHA512
a729086aa80998cf2ec4d30651306da8eb10b98c8dc4348f520453eec6d22af69d33f1a705c82434d7eabaeaea81c85fdae85b1ac3a19d7d7df7ec31ef7939cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_th.dll

Filesize
25KB

MD5
51c2290e341452ece6a0777143041f9f

SHA1
f32ae35aaf522bbb3aee069311553b2b25435a4e

SHA256
4323665a90d6207a3e7ce24ef15d138d255a0e8b1526eba159472a20bc4c509d

SHA512
98741794aa8059e6d0fbec07d8446268284deb5fab2f6deb3553bfe55988c5e211ae44f1306138d36e7149e9498ed615e64c1ebe79701ac3df36821c5e0cbd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_tr.dll

Filesize
26KB

MD5
29a73afd4d7ba8e1dc68ddd864b6e714

SHA1
f947722452c3b4b7ede402b4bc9eaa884ad0b37f

SHA256
a4cbf44cc755d8aa914894a5cfd17f3a2302ac1e0d29c311c2a3968c6c9c8e1b

SHA512
847f0e364499586d8a9828c362c51352515818ddfc35b7a9da9d807b04c3f47791e638c1789e805c2cb005ad9c15f79196af774f4aebf054964fd8893c535efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_uk.dll

Filesize
25KB

MD5
b31255214d035757d5594cb8fd3156c7

SHA1
f7be340a1e956deb1d5dddf47832924ff24c73cf

SHA256
489aaa6686b64dd2b4019b07e68dac312ee635bb007ed8748585f2fe941f62f7

SHA512
2d009976420f04ee34e9c6abb63d53bb6bb8f3e56c9096d3d95ee89a77cf11a11a7769fd68e4d3bcdf9dfae8835e4340dd3ddc3b05f55f2050806fd4824e703e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_ur.dll

Filesize
25KB

MD5
2f650d58058020bc891d0af0f8b70c57

SHA1
559ba98e6920a85bec6d395874308d3b8f7b58c0

SHA256
ea4403830948ac2400926b25befcd4450f28c5bf480010f50d78fed223066d33

SHA512
a4c7e2b5fe270faaae63b6cf9dd22bfec17a5729a1513f1a52a3618b29a5bb476393076675d7ba0f1cd304a340f6b40dab51837830a36e4a97698193c5687625

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_vi.dll

Filesize
25KB

MD5
39e623728d1bc52039542c813dbe4ae7

SHA1
adc5cc077f1fb601fc274d8fc7dabdd298a7c5d0

SHA256
319b2edffc5e3ae5766e441942bf157ea85144516d4177fc9a149dc0aecdaa27

SHA512
e3bd9b97a80d4ebabe5f2633dbebeb66f86efa887796b4ad2e91910962094f1d3d5aa4a871f6a8b0379a724fd77053dc18fcc0a5e8b94134b00252b1227ec5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_zh-CN.dll

Filesize
19KB

MD5
9099fdea652367adfec3393a5132f96f

SHA1
8a2b5f4fb8e66c2581e20b526144216f8eac8deb

SHA256
d7f08eb537501cdacc70d9dda944d6e9096839544d2c11fa2a562e9da56f7b56

SHA512
72898f14547c281bb0b0efbb73e9c3c5b513bbbd9ce5a8593fc248b9ccb11ae09d60718c08f89df96060e9a1c2b57173d6b6199da1c17ce2da23e60cd22a677a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\goopdateres_zh-TW.dll

Filesize
19KB

MD5
30639a53af8da39a551be70c2f09ccda

SHA1
b6ec8c315682055d0b49b45a0e0e9533dcad9375

SHA256
3b53084d2a1c5cebe876c498890e1012be29be476712c03642d5c2b7cc9ee545

SHA512
65e315900a6f2c4e4acadfaef2c9ebe358b03eed51e6620134abb21f83cd13e05cce6b0a46ebfaf921743653004fb360bb155e46fde4e03b487461d025e4dfe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME109.tmp\psuser.dll

Filesize
135KB

MD5
b0c435acad61636d966fe1d29e66e631

SHA1
be9e68040ab36b03bcd4eab3e3b3d7ec54e554b3

SHA256
31566649964fc2c3da056aaff7ad77a2f3bd715d18b1b5a9bb003f3573da3db6

SHA512
8214845584099ce081e5e57758aadf331bda8d04763454b949e2039f5d4f2bbe1bdf2a58ec07d8e9cfcf8d3539846a7b780e285b0d78542caf14e2ec28ad7ed6

Download Submit
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1639772215-809007892-4072230623-1000UA.job

Filesize
996B

MD5
97cc21bb40d129603966e4de2ed1bf71

SHA1
4319770ed465a869b78ea89dcf2a1cc40b8a1c0f

SHA256
2b5344fbcea1311776e57a6c065aa512d21f148273c98af4059388458a485e94

SHA512
ba17eeb70a5fdef63fa795be35a5333884ad3c60d1d468ae21f0e94477ea452c377c37ae63b3c5df45ece3f3527b798b6edc1816b753aaaaa8f7e1b18fb67e5c

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
ec8638e3f42faa40ba95521e084d804f

SHA1
b7ecedb16f2c65dbe44282ef6fa41fcb1a13847b

SHA256
4aa07ccc062b95cd998a3cd0d0c5d4bbfac394b925758a7126187a51e58d6738

SHA512
b6d23e8fd39e2d6e888b2db8eac903686d2e10e9c9815ad3a98dc1c5f0324d5c1495bd02b25d5bd92aed13b510377035ef03f2dacbdec20ac61e25b26e118749

Download Submit
memory/1596-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-82-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2640-445-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2640-562-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2640-528-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2640-443-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2640-449-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3756-669-0x0000000072D10000-0x0000000072D37000-memory.dmp

Filesize
156KB

Download
memory/3756-667-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3756-668-0x0000000072FD0000-0x0000000073098000-memory.dmp

Filesize
800KB

Download
memory/3756-725-0x0000000072FD0000-0x0000000073098000-memory.dmp

Filesize
800KB

Download
memory/4444-455-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4444-446-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4444-444-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4444-530-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4444-561-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download