xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
158s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 11:10

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/4976-1-0x00000000000B0000-0x00000000000C6000-memory.dmp family_xworm
C:\ProgramData\svhost.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

resource	yara_rule
behavioral2/memory/4976-1-0x00000000000B0000-0x00000000000C6000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\126.0.6478.127\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4408 powershell.exe
3912 powershell.exe
2276 powershell.exe
1188 powershell.exe

pid	process
4408	powershell.exe
3912	powershell.exe
2276	powershell.exe
1188	powershell.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sv.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	sv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	chrome.exe

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 40 IoCs

Processes:

wsosvt.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exesvhost.exe126.0.6478.127_chrome_installer.exesetup.exesetup.exesetup.exesetup.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exechrome.exesvhost.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exesvhost.exe

pid	process
232	wsosvt.exe
2996	updater.exe
4592	updater.exe
3876	updater.exe
744	updater.exe
1012	updater.exe
4784	updater.exe
1600	svhost.exe
908	126.0.6478.127_chrome_installer.exe
3880	setup.exe
1916	setup.exe
4560	setup.exe
1564	setup.exe
2724	chrome.exe
856	chrome.exe
464	chrome.exe
1096	chrome.exe
2576	chrome.exe
4840	chrome.exe
2004	chrome.exe
2720	elevation_service.exe
936	chrome.exe
5016	chrome.exe
4660	chrome.exe
3180	chrome.exe
2432	chrome.exe
2840	svhost.exe
2324	chrome.exe
1304	chrome.exe
3604	chrome.exe
2432	chrome.exe
1008	chrome.exe
4868	chrome.exe
1996	chrome.exe
1812	elevation_service.exe
5072	chrome.exe
2768	chrome.exe
980	chrome.exe
388	chrome.exe
2816	svhost.exe

Loads dropped DLL 56 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
2724	chrome.exe
856	chrome.exe
2724	chrome.exe
464	chrome.exe
464	chrome.exe
1096	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
2576	chrome.exe
1096	chrome.exe
2576	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
4840	chrome.exe
4840	chrome.exe
2004	chrome.exe
2004	chrome.exe
936	chrome.exe
936	chrome.exe
5016	chrome.exe
5016	chrome.exe
4660	chrome.exe
4660	chrome.exe
3180	chrome.exe
3180	chrome.exe
2432	chrome.exe
2432	chrome.exe
2324	chrome.exe
1304	chrome.exe
2324	chrome.exe
3604	chrome.exe
1008	chrome.exe
2432	chrome.exe
1008	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
2432	chrome.exe
4868	chrome.exe
1996	chrome.exe
3604	chrome.exe
3604	chrome.exe
3604	chrome.exe
1996	chrome.exe
4868	chrome.exe
5072	chrome.exe
5072	chrome.exe
2768	chrome.exe
980	chrome.exe
2768	chrome.exe
980	chrome.exe
388	chrome.exe
388	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

updater.exeupdater.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe

Drops file in System32 directory 1 IoCs

Processes:

setup.exe

description ioc process

File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk setup.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exeupdater.exeupdater.exe126.0.6478.127_chrome_installer.exeupdater.exewsosvt.exeupdater.exesetup.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\af.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\bn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\fr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\ko.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\prefs.json	updater.exe
File created	C:\Program Files\Crashpad\settings.dat	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\fil.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\chrome.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\chrome_elf.dll	setup.exe
File opened for modification	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\CR_B10E4.tmp\setup.exe	126.0.6478.127_chrome_installer.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe57a817.TMP	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\icudtl.dat	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\sk.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\sv.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\dxil.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\ca.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\fi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\VisualElements\SmallLogoCanary.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\vk_swiftshader.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\_metadata\verified_contents.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\et.pak	setup.exe
File created	C:\Program Files (x86)\chrome_url_fetcher_1012_1359890022\-8a69d345-d564-463c-aff1-a69d9e530f96-_126.0.6478.127_all_kqgvyxebv4r63jac66435t45xq.crx3	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\am.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\es.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\ja.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\ms.pak	setup.exe
File created	C:\Program Files (x86)\Google232_218200870\updater.7z	wsosvt.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\VisualElements\SmallLogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\3cdaf0e2-a2ef-4335-94e0-821968360331.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\el.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\nb.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\sw.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\WidevineCdm\manifest.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\eventlog_provider.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\CR_B10E4.tmp\CHROME.PACKED.7Z	126.0.6478.127_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\chrome.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\id.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\uk.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\libEGL.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\it.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\chrome.dll.sig	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\3cdaf0e2-a2ef-4335-94e0-821968360331.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\c70d306c-0319-4596-ae67-2d2a685877c0.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\c70d306c-0319-4596-ae67-2d2a685877c0.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\es-419.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\default_apps\external_extensions.json	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\Locales\th.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3880_1270724156\Chrome-bin\126.0.6478.127\vk_swiftshader_icd.json	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeEXCEL.EXEchrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies data under HKEY_USERS 28 IoCs

Processes:

LogonUI.exechrome.exesvchost.exesetup.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "111"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643058992345341"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe

Modifies registry class 64 IoCs

Processes:

updater.exesetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\ = "{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\ = "IUpdateStateSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib\ = "{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\ = "IPolicyStatusSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ = "Interface {463ABECF-410D-407F-8AF5-0DF35A005CC8}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\ProgID	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib\ = "{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\ = "GoogleUpdater TypeLib for IAppBundleWebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\ = "GoogleUpdater TypeLib for IAppWebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{708860E0-F641-4611-8895-7D867DD3675B}\LocalService = "GoogleChromeElevationService"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ = "ICompleteStatusSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib\Version = "1.0"	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}	updater.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4760 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

836 EXCEL.EXE

pid	process
4760	schtasks.exe

pid	process
836	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeupdater.exeupdater.exeupdater.exechrome.exechrome.exe

pid	process
2276	powershell.exe
2276	powershell.exe
2276	powershell.exe
1188	powershell.exe
1188	powershell.exe
1188	powershell.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
3912	powershell.exe
3912	powershell.exe
2996	updater.exe
2996	updater.exe
2996	updater.exe
2996	updater.exe
2996	updater.exe
2996	updater.exe
3876	updater.exe
3876	updater.exe
3876	updater.exe
3876	updater.exe
3876	updater.exe
3876	updater.exe
1012	updater.exe
1012	updater.exe
1012	updater.exe
1012	updater.exe
1012	updater.exe
1012	updater.exe
1012	updater.exe
1012	updater.exe
2996	updater.exe
2996	updater.exe
2724	chrome.exe
2724	chrome.exe
2324	chrome.exe
2324	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exechrome.exe

pid process

2724 chrome.exe
2724 chrome.exe
2724 chrome.exe
2724 chrome.exe
2324 chrome.exe
2324 chrome.exe
2324 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exepowershell.exewsosvt.exesvhost.exe126.0.6478.127_chrome_installer.exechrome.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	4976	sv.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	4976	sv.exe
Token: 33	232	wsosvt.exe
Token: SeIncBasePriorityPrivilege	232	wsosvt.exe
Token: SeDebugPrivilege	1600	svhost.exe
Token: 33	908	126.0.6478.127_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	908	126.0.6478.127_chrome_installer.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeDebugPrivilege	2840	svhost.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

chrome.exechrome.exe

pid	process
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

chrome.exechrome.exe

pid	process
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe
2324	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXELogonUI.exe

pid process

836 EXCEL.EXE
836 EXCEL.EXE
836 EXCEL.EXE
836 EXCEL.EXE
836 EXCEL.EXE
836 EXCEL.EXE
836 EXCEL.EXE
836 EXCEL.EXE
836 EXCEL.EXE
836 EXCEL.EXE
836 EXCEL.EXE
836 EXCEL.EXE
836 EXCEL.EXE
3364 LogonUI.exe

pid	process
836	EXCEL.EXE
836	EXCEL.EXE
836	EXCEL.EXE
836	EXCEL.EXE
836	EXCEL.EXE
836	EXCEL.EXE
836	EXCEL.EXE
836	EXCEL.EXE
836	EXCEL.EXE
836	EXCEL.EXE
836	EXCEL.EXE
836	EXCEL.EXE
836	EXCEL.EXE
3364	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sv.exewsosvt.exeupdater.exeupdater.exeupdater.exe126.0.6478.127_chrome_installer.exesetup.exesetup.exechrome.exe

description	pid	process	target process
PID 4976 wrote to memory of 2276	4976	sv.exe	powershell.exe
PID 4976 wrote to memory of 2276	4976	sv.exe	powershell.exe
PID 4976 wrote to memory of 1188	4976	sv.exe	powershell.exe
PID 4976 wrote to memory of 1188	4976	sv.exe	powershell.exe
PID 4976 wrote to memory of 4408	4976	sv.exe	powershell.exe
PID 4976 wrote to memory of 4408	4976	sv.exe	powershell.exe
PID 4976 wrote to memory of 3912	4976	sv.exe	powershell.exe
PID 4976 wrote to memory of 3912	4976	sv.exe	powershell.exe
PID 4976 wrote to memory of 4760	4976	sv.exe	schtasks.exe
PID 4976 wrote to memory of 4760	4976	sv.exe	schtasks.exe
PID 4976 wrote to memory of 232	4976	sv.exe	wsosvt.exe
PID 4976 wrote to memory of 232	4976	sv.exe	wsosvt.exe
PID 4976 wrote to memory of 232	4976	sv.exe	wsosvt.exe
PID 232 wrote to memory of 2996	232	wsosvt.exe	updater.exe
PID 232 wrote to memory of 2996	232	wsosvt.exe	updater.exe
PID 232 wrote to memory of 2996	232	wsosvt.exe	updater.exe
PID 2996 wrote to memory of 4592	2996	updater.exe	updater.exe
PID 2996 wrote to memory of 4592	2996	updater.exe	updater.exe
PID 2996 wrote to memory of 4592	2996	updater.exe	updater.exe
PID 3876 wrote to memory of 744	3876	updater.exe	updater.exe
PID 3876 wrote to memory of 744	3876	updater.exe	updater.exe
PID 3876 wrote to memory of 744	3876	updater.exe	updater.exe
PID 1012 wrote to memory of 4784	1012	updater.exe	updater.exe
PID 1012 wrote to memory of 4784	1012	updater.exe	updater.exe
PID 1012 wrote to memory of 4784	1012	updater.exe	updater.exe
PID 1012 wrote to memory of 908	1012	updater.exe	126.0.6478.127_chrome_installer.exe
PID 1012 wrote to memory of 908	1012	updater.exe	126.0.6478.127_chrome_installer.exe
PID 908 wrote to memory of 3880	908	126.0.6478.127_chrome_installer.exe	setup.exe
PID 908 wrote to memory of 3880	908	126.0.6478.127_chrome_installer.exe	setup.exe
PID 3880 wrote to memory of 1916	3880	setup.exe	setup.exe
PID 3880 wrote to memory of 1916	3880	setup.exe	setup.exe
PID 3880 wrote to memory of 4560	3880	setup.exe	setup.exe
PID 3880 wrote to memory of 4560	3880	setup.exe	setup.exe
PID 4560 wrote to memory of 1564	4560	setup.exe	setup.exe
PID 4560 wrote to memory of 1564	4560	setup.exe	setup.exe
PID 2996 wrote to memory of 2724	2996	updater.exe	chrome.exe
PID 2996 wrote to memory of 2724	2996	updater.exe	chrome.exe
PID 2724 wrote to memory of 856	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 856	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 464	2724	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Users\Admin\AppData\Local\Temp\wsosvt.exe
"C:\Users\Admin\AppData\Local\Temp\wsosvt.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:232

C:\Program Files (x86)\Google232_218200870\bin\updater.exe
"C:\Program Files (x86)\Google232_218200870\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={1E5E5C4F-2824-A1A8-B948-33835CA392B5}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2996

C:\Program Files (x86)\Google232_218200870\bin\updater.exe
"C:\Program Files (x86)\Google232_218200870\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xeb2604,0xeb2610,0xeb261c
4⤵
- Executes dropped EXE
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0xf8,0xfc,0x100,0xa4,0x104,0x7ffb60221c70,0x7ffb60221c7c,0x7ffb60221c88
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,7019381850374336298,518951964747293796,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=1900 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2156,i,7019381850374336298,518951964747293796,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=2188 /prefetch:3
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2264,i,7019381850374336298,518951964747293796,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=2656 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,7019381850374336298,518951964747293796,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=3156 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,7019381850374336298,518951964747293796,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=3280 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,7019381850374336298,518951964747293796,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4504 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4800,i,7019381850374336298,518951964747293796,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4844 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4832,i,7019381850374336298,518951964747293796,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4816 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5024,i,7019381850374336298,518951964747293796,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5052 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=4808,i,7019381850374336298,518951964747293796,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5052 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiysxr.bat" "
2⤵
PID:4684

C:\Windows\system32\shutdown.exe
shutdown -r -t 0
3⤵
PID:3928

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3876

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x1252604,0x1252610,0x125261c
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:744

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x1252604,0x1252610,0x125261c
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4784

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\126.0.6478.127_chrome_installer.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\126.0.6478.127_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\01ed42d0-be58-4513-866e-43760e6112fa.tmp"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\CR_B10E4.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\CR_B10E4.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\CR_B10E4.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\01ed42d0-be58-4513-866e-43760e6112fa.tmp"
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3880

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\CR_B10E4.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\CR_B10E4.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff62c9646a8,0x7ff62c9646b4,0x7ff62c9646c0
4⤵
- Executes dropped EXE
PID:1916

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\CR_B10E4.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\CR_B10E4.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4560

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\CR_B10E4.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\CR_B10E4.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x270,0x274,0x278,0x22c,0x27c,0x7ff62c9646a8,0x7ff62c9646b4,0x7ff62c9646c0
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1564

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:2204

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UnpublishGrant.xla"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb60221c70,0x7ffb60221c7c,0x7ffb60221c88
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2412,i,17909104663222594502,4192237455743483170,262144 --variations-seed-version=20240630-180241.146000 --mojo-platform-channel-handle=2408 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1944,i,17909104663222594502,4192237455743483170,262144 --variations-seed-version=20240630-180241.146000 --mojo-platform-channel-handle=2444 /prefetch:3
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2052,i,17909104663222594502,4192237455743483170,262144 --variations-seed-version=20240630-180241.146000 --mojo-platform-channel-handle=2548 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,17909104663222594502,4192237455743483170,262144 --variations-seed-version=20240630-180241.146000 --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,17909104663222594502,4192237455743483170,262144 --variations-seed-version=20240630-180241.146000 --mojo-platform-channel-handle=2240 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4628,i,17909104663222594502,4192237455743483170,262144 --variations-seed-version=20240630-180241.146000 --mojo-platform-channel-handle=3756 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4776,i,17909104663222594502,4192237455743483170,262144 --variations-seed-version=20240630-180241.146000 --mojo-platform-channel-handle=4772 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4892,i,17909104663222594502,4192237455743483170,262144 --variations-seed-version=20240630-180241.146000 --mojo-platform-channel-handle=4908 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=4972,i,17909104663222594502,4192237455743483170,262144 --variations-seed-version=20240630-180241.146000 --mojo-platform-channel-handle=4872 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:388

C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1812

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38dd855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google232_218200870\bin\updater.exe
Filesize
4.4MB

MD5
512a822caed80f9fa3f0dfce20d4faa1

SHA1
16f470de73681ce7ec9b3251ac081879fb37798c

SHA256
8de9266347276d18fe49f84b86f09e6035df2c10e39f22d85bf33d43cf0f5f2c

SHA512
9fc3d74dddd28b325fe3b803c1217d7374b61ae6d7eecb46aa2dafb643b7a45387caba015421da524cc0416c9b3bdbb3d871120c1275e421f86e9d80a3781802

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat
Filesize
40B

MD5
5ab8d5b4d17386e23c532f8d66c0145f

SHA1
2a46cb91ad36bbe3f96882c1e038032d4222ec39

SHA256
b52fd4e04cac6f21076e13afbdc152f13826c79679567b3e65f75edd78997152

SHA512
c00b03ca157dee234ff49aad84e3b21ed6fd6688a218c747505bd8069d831e89b4ea89691cf56eba6f9a8b6e7633873f568a564d2f8a53bd4111b5293e7f1cad

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
354B

MD5
e0ee4da712ce8c124aa6591511138c42

SHA1
3c995aa84f0c88624b3998304a39803bd99f116e

SHA256
44ea110f766b1c1df4863665f334421b1d0dd450b859f2d75a53a96d005ab7ff

SHA512
dd93f581ecbf41c75c85388d0eeb809fe64f5c5e0e8b24f13b20b8d2b88cb98c873ebfaeff8a6bdc985b548ed6e866ffc53f465ac5a01018fcd9c58c7faec17c

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
492B

MD5
7139b44a7922ffe0df7d92516c3ed8e0

SHA1
8d8cc41b5d62bcc09365483bff2be5062e5d0373

SHA256
270d2d63fef418e595bb00ebf039a3929df81fbe4b08507acd0a77f27a4ecd14

SHA512
ea6353a88c1550fbc609ff24edf649dad4a7960110728a4349c090a20977e44ac99e6195170b89b591b304f543be7d85869378d8bb35c54434457f9437d453ee

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
592B

MD5
b8527cc2e579bbfbc438226db7da9162

SHA1
3adc57dceb1a31b84e1bb2cd7f4f9f7cd789a71e

SHA256
9a5d45fec4078d65b5b956b86366433e5bb8941ef484e14a70ff37df4c9ebc32

SHA512
f8844761071a707204702f26f28d2ce999cf678ee3087ec7c862301f757926debb9161bae680ddd47d0f0a51eea0482548a48f3c35e95ce59801e9f0e197bd36

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
49B

MD5
a640ca2e70d5d86ee61c65b5fa0a5de3

SHA1
932854c7284e88d764a5f455c2559430282630e3

SHA256
143f8c59a52692d27d38a2da2d510f37237faeee74850381917768adee0975e6

SHA512
855f3de6bda41d5a015922c4127947bd9ad51b2b137ccdbef5232b2f373c24b7c99f0806466c1cbd49387a4d6984f10f71e69dc7ab9a9274e4ec1d376758cdf2

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
9KB

MD5
d4905e193eba64570364d8e8a0e928cd

SHA1
44afe9baed42caf025172ac77e3a440e81b519b0

SHA256
e537a2c0f4f9a5a19cd37a25ce63ab4cc251dcc56fef2c9057f0a6e3614c4da3

SHA512
221b23af0bfe382d9330c95e69a7f2f2c36465fc030b78699f94d7028692728ca0029c707d8400b8a71a07bf3b0c95e6e22035ec3ec8a20080445c7ac83932d1

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
11KB

MD5
e564979037cf36627b3cfa92ef168595

SHA1
86c7702bea3bb224576bc6050669c1462c6dcd6e

SHA256
d4b03547d7b6269fb4a19355fb52dec30cd14091c87ed40167272ee313185aa6

SHA512
44c8bdad8823d4159e4d998e351ba39854c030b7751501b1948b4601146dbe847ca8a05f61c67b669aa61785405c8370ffd0a1a967b0eefb2e91b13e475d4b93

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
1KB

MD5
94c33f46651aa39f7e73b813415f467b

SHA1
79b850c087d636c2edf15d840854dc45a059cb8e

SHA256
a2ccc12fa81a9e09417eb520352825dd7bf709c7f4cdfde058282bfe35457e8a

SHA512
002597b4f42fab6bbbb639b3bc26ddbba2645fb6a196a4b8edbd7fee75696a4dccac5a2a20c802657e61709bee092c2bd4b28db51fb792a92e56d1f3a2f26d3d

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
4KB

MD5
23d08d0290788dfef8b7fc077731bed4

SHA1
51fa0542e16208843259f2732a95ad33ccbeeeb2

SHA256
ca3887bfa13893dde5c0c92ec497fb60e02e5c9a7d191380ecef753ac3127860

SHA512
fe98286b0e8ae8772442bb30b1e43e21e7dae2cf2176b863c80559a74e1b18263b43e4c9317e172469d3da37149b5dfc65cabf58a3b2fa0a15716382fdb4f884

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
5KB

MD5
f1e13b1539e276d8df66226b30cd6308

SHA1
c02b0d3b1e9e2e3fbb0a77e526a9d2e1fcb06348

SHA256
2249c36f2d66fe7228be1d1da2e0033e055dfeb2394ecec84c9e09bc6fc644b5

SHA512
cb61515ab381ad05971c211e78134cdb0515f167b102fa3a83f80d9c8e9d3631ec394c518b6030083ffb32df6ce5df96daa17212dfabf8d3b8989eaadf6d8f46

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\01ed42d0-be58-4513-866e-43760e6112fa.tmp
Filesize
652KB

MD5
44c7f06f320e8068a00af6f8930c0511

SHA1
e68c5ff16e0c28a2ec146198b96bfad291743c4b

SHA256
c0dd8ff1c80385821da0fe5102b40420ebe4b476b5832382553dbb6d51ae33c9

SHA512
82343ada963b593fce6718b9d460bfc7d359be629de1b8cf38dc638ba30495d0b5d271d658a9125fe674fe5b3375767e88ce7d8ae6f23d34f89e342d796aa644

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1012_708402233\CR_B10E4.tmp\setup.exe
Filesize
4.1MB

MD5
0849095a80f74794bcac8b3561fc4a58

SHA1
5b27f31892bb7b04c62d3b1f612a45415a3bc32e

SHA256
27dbc6e6ac8630b50fc5473e9a7f341c7d759806f762aa522698ec10bf2f2e62

SHA512
1f52e20fc2812af55e00b7aea59b00af262ea87bc7b652504a3be9b26e500fffeffbed52dc21132b22645f46f2a59f546485e9089e7cfb5f0154041918f52e5c

Download Submit
C:\Program Files\Crashpad\settings.dat
Filesize
40B

MD5
9099622f60c49f1144b2e44141fdc650

SHA1
bc0cc7606d5b843e800c1535137b4919161c8627

SHA256
a3afed6d7c9a7d62d2e240e79bbfb7bdff78d12252521a61383dfcba94f44654

SHA512
7236ce4b35fe5f8c2daa8893c7ba59b984a1b6d1c1dff3072961ca52ab2b5357e09fe9dcfbc7770ebd194ea26b30225059a6b35c95badc989ef74d06f01ffb3b

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\chrome_elf.dll
Filesize
1.2MB

MD5
576f4379df97be0689013c7de1ae64b0

SHA1
6751967e285bb8008c5a582dc87f1e3c132bee15

SHA256
114b6fb306bbc3e5f0a903c7bd2c3ccf01a6df1ef12a31f418a478ccc7b5ebdc

SHA512
e70a1698880f654d0ca2d63ab74ed01c4f4d6e7b3979c726d9e9b11b4d93622967a494f91bf014ad6def451c38815b5ca9dabb7db8613a3174e25a0c64a78c4b

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\d3dcompiler_47.dll
Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\dxcompiler.dll
Filesize
21.0MB

MD5
a68af7f67a2f2e45f5025aba6aebc80d

SHA1
221ec780ef522b8005d3c4bbaf01b5888b280d84

SHA256
369fa1f39fa991a63f4926e4bce7b1bd0e0e2ff195d503db78ddbb0e61018ad6

SHA512
18e865e68e0005daa52a3b4e971aa0cbb55d310fb8d4fd97aa35496d4d06ca10330a4ac9cc0189a3534ccf54154eabbbd08f9455232f34629b3174f2d3c19d91

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\dxil.dll
Filesize
1.4MB

MD5
30da04b06e0abec33fecc55db1aa9b95

SHA1
de711585acfe49c510b500328803d3a411a4e515

SHA256
a5fe1d8d9caa2ff29daffd53f73a9a4e19c250351b2abe4fc7b57e60ce67ac68

SHA512
67790874377e308d1448d0e41df9dd353a5f63686df4eb9a8e70a4da449b0c63a5d3655ab38d24b145ad3c57971b1c6793ea6c5ac2257b6eb2e8964a44ab0f08

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\libEGL.dll
Filesize
471KB

MD5
cdced1a4260cdc41d3e9be5cc6aec522

SHA1
822ae5e7d93e5c62a880fe4dd9672a8b7ce73897

SHA256
c37efa9208dc887d45a0afe04158f309ad71bd3e7d325715ace3c792a5079942

SHA512
feda57975b129af62198498b01f971f8096ff341c396890253059a2e6218a4f47d39d77f8d3ce0b92bba26366fbcf33e45666747619b970e8ee0137b8a08b1bc

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\libGLESv2.dll
Filesize
7.7MB

MD5
b01b66222632a03ee1d229205c509fc1

SHA1
0446bb4057138da8f0610eaf85e1df5cd8055107

SHA256
392baff224b58a9f448a726556422cf374e0ff3a28f480692c5e54e4f7fb4e58

SHA512
fb6b5190c3107de3f070461aee8c697611940eb82777a466565a7b311b7ec6634d285c1281727166b5b21ad85ba5af6b826ff32d104e300a2e0c0c8ec581dc26

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\vk_swiftshader.dll
Filesize
5.1MB

MD5
d6285e5802f833f3a1db44180251b032

SHA1
b018c660e1685118df520211b08168f1316d3258

SHA256
2dbf576a11ec521dcfa42528339fd20b7d711e90610c360e77cc5783c1ef5f73

SHA512
4c5ef6340e70754ebc6a65b53cd529ee0392eb62f760b5e2f66734dacd921f0259a34259be0b835e293ca87c034041ef95246ff07c7732e15aeac9f2c0fcb4b6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe
Filesize
2.7MB

MD5
d09b0bceaaccb0b4c2fc6b95b9a5241a

SHA1
5ada2eddc6954dfc50aff07276909866418ce799

SHA256
13e2a3b4ddff74975fd41b9a1d4ed57de5ec67c0f377791dbbba5c8402690eb8

SHA512
aec811b8ae222d21108fff90c501278cfccc1d76f4b01469339f08f09514ff31d508e2abec7ed3c53e196f34ab73544be969e5e284a220e0206d680d8e602ba7

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
Filesize
2KB

MD5
c875561ecdefcad213c578bc25a0da80

SHA1
8f1df6fb9e3d7c96778dc7bd3c8ae965facac8a0

SHA256
3b40b1e52b755f0312e5c8b2b8d340d5e0edea1fa1819e2aeb0ce5061a3c574d

SHA512
03a34a9e0b32e7abe1992e9b5d8eb546402f9d7adf9afb20575a51711a860add3867c418295c5c3939a7b9b6fb35fede56326e7231bb8e3abb36e88a4b081689

Download Submit
C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
a85e5add31f209ed527bf82ac0768582

SHA1
9551a7f1878b70b64d4ed23aa8f5d69cc6f272b9

SHA256
9b28265c7c93e93355a28432984cef0ab471397329c2924745ff139d2a585c43

SHA512
4e216dc0fb62569a58c05a34e91658cf481db11e2d27589f1cc556ed2e986bf6d999a51dd35a6cc98c59be97f9f64df3ff084bdd8b8f1739f4589e7c47e11bbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
e54a152d7fdcd44ff966624fc85aa94e

SHA1
cc71460cf27e9f250a46eedab40ee23cb3bb6bf1

SHA256
6542011653c41d566c553c1f6343c4e2d379f3b8070a0d787ab51d0870e643dd

SHA512
5a723d34a721e55229a8719759832ba5834dfa67b6351d8b16d668bc6b82485de6800a874cf7d9f589620506029ba8841b2d2021a9dbad9f6abf700f3e580a88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
15ce8260d135c95da17a9b16334ba2ac

SHA1
4b0474a08341ce807660f626526dfe689d385c09

SHA256
bee24892d5406acbcd24caf96165f6146355e31b7a4ceaa875d78fc5f91f1e72

SHA512
2181e33b8795a7acc37e74d1582dabfdaf7d4110875f74772b0e1d55e6b7f12c0a96932853430cc7a838856a19db23101971412150101def5b3a30ad267fcd13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
fb6601709cd88d24d9ab913aab33e30e

SHA1
400c4a469aed5d650e8729588992ba4454a78470

SHA256
be1061f586f1daa302cc372098ed29bbe28c1d5bfeb95e4641489b9bbd2f9108

SHA512
85f06dfcf82400aa11cef007de2e748d598f21be273be59d3860f21b9658d9f4506407e592d3c7954cffb7386e7c2fb6273ba8d0d609bac1266e8d55a6525bbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\fc4ff03e-841c-450e-855d-11c7efe9e822.tmp
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
55c057692a0da41884948840e1b47ffc

SHA1
042d523d168dcb715f132b3f0160226a115a87d5

SHA256
03e05634e40b2d751477ec153b0773f6a33e5bb74b1c3517c7171d54627c94d6

SHA512
c8fa45d313c3a0a881b972916b685d4253311f7b04ed9e4f9e60a3dff30389bd3bb4549c5d9a7480f9056b5cdf217e7de65739fff3e6b4ff0d58f20500e22084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
12KB

MD5
77a4486ac706114659cd143fc786d924

SHA1
ff03febae243350d341943c388bd38bb7e1f9a15

SHA256
dd3a806a2789274abd3c7dd8bb6374363779f82ad067c706d5ef5309a7cb3918

SHA512
f112a506d865caced1d41e995c4dc2bcbe12cf9b9d15a7333ef99e4512d9c30c610e6f61f1f6e0c68c7971b4b1d71a1a09e6820779adf40ed51dbc1211a1419e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
09a808a61aa1e351d194f508a59b37cb

SHA1
91f369d60bb70e4a412aff0296296c83b3252346

SHA256
f7c4ccd46781e262b636264f1b34f128942dda6523ae799d01c528d4334950a3

SHA512
60524481bf0460744b4d8e23311a19254e4f936f7128d421dfb464b762ae3d1262393a6ca91754a14ec9024ab668c6b9283516ee3f6311be536eb965dd7ffab3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
12KB

MD5
a4751333b1bc633f6d3b27a7a1e48ef9

SHA1
0518ae5c0483177a488cb068a1812c48ade827b7

SHA256
1c2a988372ce9cdec2109767d7adad74f4267617a081fb433ef38f2e1a42a0d0

SHA512
4bf49b1a9a8a9c5bdba907a2aa5af5f252f5885eef8bcad5e3fec195bf74b146ca8a5f15a1fc1fe16441dab5fb6aa443b47446b2e1192c93ce4632325f893ecc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
12KB

MD5
9fd202ad4863d0077c6ec3949482e763

SHA1
026ba5ab398b5bde21ef5026bdb00d9c0b563258

SHA256
733910f27d6b4a4010007c8f7d39053c97f2954b4baddf7b0aeb57ca11588263

SHA512
89451b93f4faac0be5dcdd87de70516eaefe4691364380ff9849e8292d6cddb5dc3a4955312ebb8f4c037bc89ab6b1663937c31270674b36f353b94ad4ce7c20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
b392476f6c63f885dfdb1763da1d7cfc

SHA1
66c479fcf0b2ea142b0c9856f59513a0e40940f3

SHA256
59869373775a6b0ca8d446dee7194781bb2a4dc694038fe526baf9ee03b02ddd

SHA512
a2d7b06b36a63df6bd1d93dc2dd94a34d0cba278b7d84ff85ecbd7380354d056ab366328e761dbb9accd405437cc2a3864bca2a40a0bff1d83d8111aace73ecf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
12KB

MD5
ae87459bbb5204b011a8446f0314f3ee

SHA1
7db3d2834fc02fa3b94f995d27564849d32141e5

SHA256
8f1c866e9c7261a8eafb251ce44f2e9d640c1e6d2f0d5fcdeda514477772ef1f

SHA512
c0cf352fde22fb26a1cee11c9b968878450d892b9063c244db1881d085a504c9f20e8196eb085bfe2202483a0805a4abae3c0ba745a69bd351b8f14bba1b7ce6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
6b073a5cd9cd52f8eb12ba2a9d5d33a8

SHA1
893f05cd75ebafd9df026b9b7c04477f8418e145

SHA256
cee0b0a0ba9d10ad3bd74fa371d43ef9a627ab1c2ca196b0b1ae94e394962661

SHA512
912be32b4089079c2d5ff535b7c0ccf05da7c5ecd9b21f793cbb8a5b2e5727b107f0c2d9d11aff25c3ca44202abbc15848027c3773269ee918d9f431fbd65cb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb
Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
218KB

MD5
9f54e3efb552f02bac861aa1ea5fe948

SHA1
c5ac89ebd8e22da196a64046cfb652dfd12dd07a

SHA256
989f45c1e950677bae2ea70cf9a385e18d0e41a98ed67452984d88c9c01475a5

SHA512
30e8f18a8ca4ffe3bb14378a55ab03a852f7b9473f9582fd6c75fa60314a3334e065c19660a1cf787972e32f1a53f5b65476b5a0467fdc0ac465df2f3430b452

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
139KB

MD5
9eddbb2110d03aa5110958e1e6e801a9

SHA1
290dce93d6e8dbcd1cd4e72a55365a573b854f9c

SHA256
6502275719d4facdc9a42589f11ed522e3665e2436009031f9e2a22f5b0543ec

SHA512
49ee5a0a6a69fc3e14fc3541f642d99a2fe30b647000088ea0789b27edd268d9422f274cc8e71c2ed8972e35aa5f9a095d43a4469ad44b70425cf8f956a6dedd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
218KB

MD5
e859dfd44135d2122e14cb53a2f024d4

SHA1
1ece0600abe87fc37843eb8de4b84b8daf0688a1

SHA256
d49d5ef38fb9042e7a37e4ee0fb0a434f0ea01f2292d0e3a8f5d708d013549c3

SHA512
d09cc944c154ae77a5141fd7988666baf7c2bc462dfcc9796dcef0b3e69d4b58de60bc43160892e2db455c6788d52d736b5e521d2d8b4dcbd5ec7d00425ab809

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
82KB

MD5
15f12c6470d1fcd79fa1ea90a3b4eda8

SHA1
c1b708301799e5b8e8e65410a96bde9b8802c2be

SHA256
66716b676e625d1918ea08dc3bde31b658510857531bfa2f603435aeda61efd5

SHA512
dce5cc05acee94d644f3cc6cbd082bdcb3180f9c8a9c50e9b30400663b8f4312190f7d99a451eb9b4f18692fa204d3478589b43c0c342fe34beef86ca7831ac0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
16ff88f362de0335d6892e1b37378b01

SHA1
9e734e0d0b97416944ed5fb69c43280d1004f68a

SHA256
9506104a46c2a5853fe74a38865dc8a39595fc8e70fc3c6a3fc254b80ded7d89

SHA512
05c3f42b6bd06bff86a5cecf84862fbb04c1f79f107627a38212ee362315858399653765975664d6903d4c0180a60fdd705061138f3be5661ca971dccb593c2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
218KB

MD5
90e431d7ec698d8288f63067198e2605

SHA1
6eee7f0255cbdee204dd9d8209851f37875eb779

SHA256
09ac88be0226fb6d384bdf33f64acb3c589512ed4be412830995b543b042f5aa

SHA512
196da9aee009f56fe55c23153651dc1467b2784d3f988e57875b9862517960d3401a0c034b091a960dfc03fd8aa3005c3b06cd047910e0c95da62014ac750142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
82KB

MD5
09ebf8e34b8ce313e2f4886c779411f8

SHA1
dac6452f5aace91cedcd7857379c430b3a3e2816

SHA256
86a882768b2824f02e883a60a35c4b4f088ea77225266d1207a8f6f89a77f75a

SHA512
b2d318ce5091a4261448ad97fba9e819bdec49a7fd79fcb478ca4719f939397139b8f3db9df22beac754fa50d93dcabca2f1c2c5d0bbc66882964d5a66758f76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
82KB

MD5
ef7cccd774e70a85d4542673fc0d9c24

SHA1
1109e892d58ee1212ee2edcf5eefdfe3006b11ea

SHA256
4f750887ffa2e865b18e775eef8258ecfb8f84a22a2e08904ec56ad09dadc833

SHA512
474dcd1b9a5e1520416058545927ee47d56b7b86bf6553affb455b7588fe368a8c537925fbe4327d2384976053ebd736b84ccf745b2767a0ac7ad816a81e2aaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
76692775e4781f0c9f0092f5804cfdb1

SHA1
6740e4e4110028c62282ee1e7eb8be576a2bc23a

SHA256
0c451ff3823450d544066237cbfb08556b7ca36c4a0ea085055f69ab35795b00

SHA512
6e0731e3736594d9e86da2fc33e08a663f29100074cc8d46e2716123c946b9eb150c804c7cf8428cac631e1cff984663d41ce3b5e1e77965bd8e2ecf0742af34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gshyyhht.be3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsosvt.exe
Filesize
8.0MB

MD5
780d9df36221ccd24716da39ee3e2708

SHA1
3a2e4f8bc401856f1870e9fd3a3977044db68729

SHA256
f765d1d4012f47223a47c5992da55066e81d76b0714eb347ca6a54c55f4e374c

SHA512
36b1df97a9b0a3ae9cae704f722537c877c6b8a091c513be66bd16645cdf9ab424912e6dac3ddfbbf9419a9d0acc17113dec88418b8134e641a87028e8e4d6c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
265B

MD5
83366a02252ff75277bea04c16520a90

SHA1
0c3a03dfb49b2c17cc44e60bb54eb68a73eced70

SHA256
758560a304c4813eb64516adc719119374ebeb1e60e8fba05a9c299501630b1b

SHA512
4c3e2d72d1d74471a25dafed3824090a9f9111fdda2fa611b38e4e966d0993c44344a19bd0252926b618a13b553379927e2dd32cb2c299de6b8df2d963b792d3

Download Submit
C:\Windows\TEMP\chrome_installer.log
Filesize
22KB

MD5
8dccfb918ca7941f90109ec154c5882d

SHA1
9c736567742adab70872854cd9c5b829db458784

SHA256
050899c8f62bb6e31e73239a7a3f54665b57286b5f7079e44382267d05652307

SHA512
2892690f10b2c5514a87ec2e9fe3140c51b4b60683cdd6f9b11dad7953336b4bb411b7d295416da30b3f648408250760209ca2427f85001145bd4d65bd14156a

Download Submit
\??\pipe\crashpad_2724_YNIRWSTWNXJYLYRF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/836-488-0x00007FFB41DD0000-0x00007FFB41DE0000-memory.dmp

Filesize
64KB

Download
memory/836-522-0x00007FFB43F90000-0x00007FFB43FA0000-memory.dmp

Filesize
64KB

Download
memory/836-486-0x00007FFB43F90000-0x00007FFB43FA0000-memory.dmp

Filesize
64KB

Download
memory/836-487-0x00007FFB43F90000-0x00007FFB43FA0000-memory.dmp

Filesize
64KB

Download
memory/836-484-0x00007FFB43F90000-0x00007FFB43FA0000-memory.dmp

Filesize
64KB

Download
memory/836-483-0x00007FFB43F90000-0x00007FFB43FA0000-memory.dmp

Filesize
64KB

Download
memory/836-489-0x00007FFB41DD0000-0x00007FFB41DE0000-memory.dmp

Filesize
64KB

Download
memory/836-485-0x00007FFB43F90000-0x00007FFB43FA0000-memory.dmp

Filesize
64KB

Download
memory/836-521-0x00007FFB43F90000-0x00007FFB43FA0000-memory.dmp

Filesize
64KB

Download
memory/836-524-0x00007FFB43F90000-0x00007FFB43FA0000-memory.dmp

Filesize
64KB

Download
memory/836-523-0x00007FFB43F90000-0x00007FFB43FA0000-memory.dmp

Filesize
64KB

Download
memory/2276-11-0x00000199EA480000-0x00000199EA4A2000-memory.dmp

Filesize
136KB

Download
memory/2276-12-0x00007FFB65F30000-0x00007FFB669F1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-13-0x00007FFB65F30000-0x00007FFB669F1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-14-0x00007FFB65F30000-0x00007FFB669F1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-17-0x00007FFB65F30000-0x00007FFB669F1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-1-0x00000000000B0000-0x00000000000C6000-memory.dmp

Filesize
88KB

Download
memory/4976-0-0x00007FFB65F33000-0x00007FFB65F35000-memory.dmp

Filesize
8KB

Download
memory/4976-158-0x000000001B7F0000-0x000000001B7FC000-memory.dmp

Filesize
48KB

Download
memory/4976-120-0x00007FFB65F30000-0x00007FFB669F1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-56-0x00007FFB65F30000-0x00007FFB669F1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-57-0x00007FFB65F33000-0x00007FFB65F35000-memory.dmp

Filesize
8KB

Download
memory/4976-633-0x00007FFB65F30000-0x00007FFB669F1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads