0851fd5671640a9acaf688e2886570759364135915f272d4ff7946fe001b3f4c

Analysis

max time kernel
1199s
max time network
1170s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
31/05/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update_28_05_2024_9864714.exe
Size

14.2MB
MD5

4337883699d85505097016856dea629c
SHA1

58e5e4ae453c2cded93e05a42b31437b59a8ea03
SHA256

0851fd5671640a9acaf688e2886570759364135915f272d4ff7946fe001b3f4c
SHA512

185550ae2c7cb69716349871fb4bb3e84ee079a06838c68d3be4b988af91159c998db9797c78ff0391d4136a6adb577a229dd3d2e927b58a2819d6a9b84ca509
SSDEEP

393216:h+W+VsfIVCT5UJAKQNX5bENYm5IV3TcLWGO7tZkrCfq:h+VVeIq5/Jbm5kAKq

Score

8^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Blocklisted process makes network request 9 IoCs

flow	pid	Process
2	780	rundll32.exe
13	780	rundll32.exe
35	780	rundll32.exe
41	780	rundll32.exe
46	780	rundll32.exe
48	780	rundll32.exe
50	780	rundll32.exe
52	780	rundll32.exe
55	780	rundll32.exe

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\125.0.6422.142\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe

Executes dropped EXE 28 IoCs

pid	Process
3068	MSTeamsSetup_c_l_.exe
1768	updater.exe
4236	updater.exe
4508	updater.exe
4776	updater.exe
3892	updater.exe
3748	updater.exe
5068	125.0.6422.142_chrome_installer.exe
1800	chrome.exe
3868	chrome.exe
1060	chrome.exe
4368	chrome.exe
4452	chrome.exe
244	chrome.exe
1872	chrome.exe
4612	elevation_service.exe
1932	chrome.exe
4572	chrome.exe
1888	chrome.exe
2652	chrome.exe
3284	chrome.exe
976	chrome.exe
1688	updater.exe
4152	updater.exe
1528	updater.exe
1648	updater.exe
5056	updater.exe
2884	updater.exe

Loads dropped DLL 35 IoCs

pid	Process
780	rundll32.exe
1800	chrome.exe
3868	chrome.exe
1800	chrome.exe
1060	chrome.exe
1060	chrome.exe
4368	chrome.exe
4452	chrome.exe
4368	chrome.exe
4452	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
244	chrome.exe
1872	chrome.exe
1872	chrome.exe
244	chrome.exe
1932	chrome.exe
1932	chrome.exe
4572	chrome.exe
4572	chrome.exe
1888	chrome.exe
1888	chrome.exe
2652	chrome.exe
2652	chrome.exe
3284	chrome.exe
3284	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe
976	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\125.0.6422.142\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ServerExecutable = "C:\\Program Files\\Google\\Chrome\\Application\\125.0.6422.142\\notification_helper.exe"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\libEGL.dll	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe595971.TMP	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\2a873f99-b391-4aae-b4fe-492852f20a59.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\kn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\chrome_proxy.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\elevation_service.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\sv.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\mr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\sk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\uninstall.cmd	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\VisualElements\SmallLogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\7f27cd90-e6f4-4398-aeb9-f97fc816e95d.tmp	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\ec1e1100-3c74-4672-acce-ec4502ab3ade.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\da.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\vulkan-1.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\fr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\zh-TW.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	MSTeamsSetup_c_l_.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\518657d5-cda9-49d2-ae13-5998937b4efd.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\ca.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\VisualElements\LogoCanary.png	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe5c2ad0.TMP	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\ur.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\WidevineCdm\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\af.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\ml.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\tr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\lv.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\sl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\sw.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\icudtl.dat	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\notification_helper.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\vk_swiftshader.dll	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\521af964-3384-4596-9f6f-3c7dafbb579a.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\hu.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\lt.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\optimization_guide_internal.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\default_apps\external_extensions.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\en-US.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\es-419.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1868_2134992778\Chrome-bin\125.0.6422.142\Locales\id.pak	setup.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1800_1592562912\_metadata\verified_contents.json	chrome.exe
File created	C:\Windows\SystemTemp\Google3068_228779749\bin\updater.exe	MSTeamsSetup_c_l_.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_3892_1106956057\-8a69d345-d564-463c-aff1-a69d9e530f96-_125.0.6422.142_all_acutrvkmuh4txcarzlf55gttysyq.crx3	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\manifest.json	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\_metadata\verified_contents.json	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1800_2105474716\manifest.fingerprint	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1800_1592562912\LICENSE	chrome.exe
File created	C:\Windows\SystemTemp\Google3068_2117872324\UPDATER.PACKED.7Z	MSTeamsSetup_c_l_.exe
File created	C:\Windows\SystemTemp\Google3068_228779749\bin\uninstall.cmd	MSTeamsSetup_c_l_.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\manifest.fingerprint	updater.exe
File created	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1800_1592562912\manifest.fingerprint	chrome.exe
File created	C:\Windows\SystemTemp\Google3068_228779749\updater.7z	MSTeamsSetup_c_l_.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_3892_243535362\-8a69d345-d564-463c-aff1-a69d9e530f96-_125.0.6422.142_all_acutrvkmuh4txcarzlf55gttysyq.crx3	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1800_2105474716\LICENSE.txt	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1800_2105474716\manifest.json	chrome.exe
File opened for modification	C:\Windows\SystemTemp	MSTeamsSetup_c_l_.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1800_2105474716\Filtering Rules	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1800_1592562912\crl-set	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\125.0.6422.142_chrome_installer.exe	updater.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1800_1592562912\manifest.json	chrome.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_3892_1033593397\-8a69d345-d564-463c-aff1-a69d9e530f96-_125.0.6422.142_all_acutrvkmuh4txcarzlf55gttysyq.crx3	updater.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\6d1e3701-f83d-450f-acbc-cac6064e9fa3.tmp	updater.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1800_2105474716\_metadata\verified_contents.json	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\NGC	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616575494549866"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0\ = "GoogleUpdater TypeLib for IGoogleUpdate3WebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\ = "{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\126.0.6462.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatusValueSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{27634814-8E41-4C35-8577-980134A96544}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B62C003B-DD12-572A-87D4-6AA073CD56B1}\ = "IUpdaterInternalSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\ = "{F4334319-8210-469B-8262-DD03623FEB5B}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\win64\ = "C:\\Program Files\\Google\\Chrome\\Application\\125.0.6422.142\\elevation_service.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\TypeLib\ = "{B685B009-DBC4-4F24-9542-A162C3793E77}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\win64	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\126.0.6462.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B62C003B-DD12-572A-87D4-6AA073CD56B1}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\TypeLib\ = "{F258BE54-7C5F-44A0-AAE0-730620A31D23}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib\ = "{F63F6F8B-ACD5-413C-A44B-0409136D26CB}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B62C003B-DD12-572A-87D4-6AA073CD56B1}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\ = "IAppWebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\126.0.6462.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\126.0.6462.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F253E6BF-D9BE-5B1A-9E0D-23FA9FD4D571}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{27634814-8E41-4C35-8577-980134A96544}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ = "ICompleteStatusSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib\ = "{85AE4AE3-8530-516B-8BE4-A456BF2637D3}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatusSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\Version = "1.0"	updater.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1768	updater.exe
1768	updater.exe
1768	updater.exe
1768	updater.exe
1768	updater.exe
1768	updater.exe
4508	updater.exe
4508	updater.exe
4508	updater.exe
4508	updater.exe
4508	updater.exe
4508	updater.exe
3892	updater.exe
3892	updater.exe
3892	updater.exe
3892	updater.exe
3892	updater.exe
3892	updater.exe
3892	updater.exe
3892	updater.exe
1768	updater.exe
1768	updater.exe
1800	chrome.exe
1800	chrome.exe
976	chrome.exe
976	chrome.exe
1688	updater.exe
1688	updater.exe
1688	updater.exe
1688	updater.exe
1528	updater.exe
1528	updater.exe
1528	updater.exe
1528	updater.exe
5056	updater.exe
5056	updater.exe
5056	updater.exe
5056	updater.exe
5056	updater.exe
5056	updater.exe
5056	updater.exe
5056	updater.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3068	MSTeamsSetup_c_l_.exe
Token: SeIncBasePriorityPrivilege	3068	MSTeamsSetup_c_l_.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeCreatePagefilePrivilege	1800	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2376	856	update_28_05_2024_9864714.exe	80
PID 856 wrote to memory of 2376	856	update_28_05_2024_9864714.exe	80
PID 2376 wrote to memory of 780	2376	rundll32.exe	81
PID 2376 wrote to memory of 780	2376	rundll32.exe	81
PID 2376 wrote to memory of 780	2376	rundll32.exe	81
PID 856 wrote to memory of 3068	856	update_28_05_2024_9864714.exe	83
PID 856 wrote to memory of 3068	856	update_28_05_2024_9864714.exe	83
PID 856 wrote to memory of 3068	856	update_28_05_2024_9864714.exe	83
PID 3068 wrote to memory of 1768	3068	MSTeamsSetup_c_l_.exe	84
PID 3068 wrote to memory of 1768	3068	MSTeamsSetup_c_l_.exe	84
PID 3068 wrote to memory of 1768	3068	MSTeamsSetup_c_l_.exe	84
PID 1768 wrote to memory of 4236	1768	updater.exe	85
PID 1768 wrote to memory of 4236	1768	updater.exe	85
PID 1768 wrote to memory of 4236	1768	updater.exe	85
PID 4508 wrote to memory of 4776	4508	updater.exe	87
PID 4508 wrote to memory of 4776	4508	updater.exe	87
PID 4508 wrote to memory of 4776	4508	updater.exe	87
PID 3892 wrote to memory of 3748	3892	updater.exe	89
PID 3892 wrote to memory of 3748	3892	updater.exe	89
PID 3892 wrote to memory of 3748	3892	updater.exe	89
PID 3892 wrote to memory of 5068	3892	updater.exe	91
PID 3892 wrote to memory of 5068	3892	updater.exe	91
PID 1868 wrote to memory of 1796	1868	setup.exe	93
PID 1868 wrote to memory of 1796	1868	setup.exe	93
PID 1868 wrote to memory of 5036	1868	setup.exe	94
PID 1868 wrote to memory of 5036	1868	setup.exe	94
PID 5036 wrote to memory of 3148	5036	setup.exe	95
PID 5036 wrote to memory of 3148	5036	setup.exe	95
PID 1768 wrote to memory of 1800	1768	updater.exe	97
PID 1768 wrote to memory of 1800	1768	updater.exe	97
PID 1800 wrote to memory of 3868	1800	chrome.exe	98
PID 1800 wrote to memory of 3868	1800	chrome.exe	98
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 1060	1800	chrome.exe	99
PID 1800 wrote to memory of 4368	1800	chrome.exe	100
PID 1800 wrote to memory of 4368	1800	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\update_28_05_2024_9864714.exe
"C:\Users\Admin\AppData\Local\Temp\update_28_05_2024_9864714.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\CleanUp.dll", Test
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\CleanUp.dll", Test
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:780
- C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
  "C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SystemTemp\Google3068_228779749\bin\updater.exe
    "C:\Windows\SystemTemp\Google3068_228779749\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={90A80F2A-B840-306F-8897-2D6DFDCBD55C}&lang=en&browser=3&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SystemTemp\Google3068_228779749\bin\updater.exe
      C:\Windows\SystemTemp\Google3068_228779749\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x75965c,0x759668,0x759674
      4⤵
      Executes dropped EXE
      PID:4236
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.142 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfa661c70,0x7ffcfa661c7c,0x7ffcfa661c88
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3868
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,4112357579873796410,16005456358887563609,262144 --variations-seed-version=20240507-180133.206000 --mojo-platform-channel-handle=1864 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2120,i,4112357579873796410,16005456358887563609,262144 --variations-seed-version=20240507-180133.206000 --mojo-platform-channel-handle=2132 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4368
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2224,i,4112357579873796410,16005456358887563609,262144 --variations-seed-version=20240507-180133.206000 --mojo-platform-channel-handle=2276 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4452
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,4112357579873796410,16005456358887563609,262144 --variations-seed-version=20240507-180133.206000 --mojo-platform-channel-handle=3148 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:244
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,4112357579873796410,16005456358887563609,262144 --variations-seed-version=20240507-180133.206000 --mojo-platform-channel-handle=3172 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1872
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,4112357579873796410,16005456358887563609,262144 --variations-seed-version=20240507-180133.206000 --mojo-platform-channel-handle=4468 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1932
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4708,i,4112357579873796410,16005456358887563609,262144 --variations-seed-version=20240507-180133.206000 --mojo-platform-channel-handle=4736 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4572
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=4712,i,4112357579873796410,16005456358887563609,262144 --variations-seed-version=20240507-180133.206000 --mojo-platform-channel-handle=4984 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=744,i,4112357579873796410,16005456358887563609,262144 --variations-seed-version=20240507-180133.206000 --mojo-platform-channel-handle=5304 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2652
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5180,i,4112357579873796410,16005456358887563609,262144 --variations-seed-version=20240507-180133.206000 --mojo-platform-channel-handle=5240 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3284
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5224,i,4112357579873796410,16005456358887563609,262144 --variations-seed-version=20240507-180133.206000 --mojo-platform-channel-handle=5300 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:976

C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x11d965c,0x11d9668,0x11d9674
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4776

C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x11d965c,0x11d9668,0x11d9674
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3748
- C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\125.0.6422.142_chrome_installer.exe
  "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\125.0.6422.142_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\6d1e3701-f83d-450f-acbc-cac6064e9fa3.tmp"
  2⤵
  - Executes dropped EXE
  PID:5068
- - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\CR_1E73B.tmp\setup.exe
    "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\CR_1E73B.tmp\setup.exe" --install-archive="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\CR_1E73B.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\6d1e3701-f83d-450f-acbc-cac6064e9fa3.tmp"
    3⤵
    - Modifies Installed Components in the registry
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\CR_1E73B.tmp\setup.exe
      C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\CR_1E73B.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.142 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff663b22698,0x7ff663b226a4,0x7ff663b226b0
      4⤵
      Drops file in Windows directory
      PID:1796
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\CR_1E73B.tmp\setup.exe
      "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\CR_1E73B.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\CR_1E73B.tmp\setup.exe
        
        C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\CR_1E73B.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.142 --initial-client-data=0x24c,0x250,0x254,0x88,0x258,0x7ff663b22698,0x7ff663b226a4,0x7ff663b226b0
        5⤵
        Drops file in Windows directory
        
        PID:3148

C:\Program Files\Google\Chrome\Application\125.0.6422.142\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\125.0.6422.142\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:2608

C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --wake --system
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1688
- C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x208,0x27c,0x2a0,0x108,0x2a4,0x11d965c,0x11d9668,0x11d9674
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4152

C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1528
- C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2a4,0x2a8,0x2ac,0x280,0x2b0,0x11d965c,0x11d9668,0x11d9674
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1648

C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:5056
- C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x11d965c,0x11d9668,0x11d9674
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad\settings.dat

Filesize
40B

MD5
950d1792c59e531105917efb1e585355

SHA1
9d1e8d7ab34434a2f2af77db09d740fa157a0cad

SHA256
822440998309497a7ed8929bc66765a80101679f6eb010dfd8db4a31ff7c3d1b

SHA512
f71d445c43e4f3b894b22aaeb31d515afcf2b311490ebac4daed6856f56ff60619c773e3d82811e077ea4575d8000656d7891ac5b6cc91c64b085eb4afce79f2

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
354B

MD5
0fa4d538d8cfadfd48c3e6c0c43cc38e

SHA1
c1ed9ecf5289fd64720221b04e1cbe9c1d1cd53d

SHA256
6e360fc67364c1c5db0c0811dbe024dbc132b97e370eb7e7c6f5bb121a154f6b

SHA512
373ebc3effd0da9335d211902acd31d511b67fac1a6b76441c0e348f240e0af03ebbece3df11b9182e90cbb5c1a0571a2bd535e95321fe6a34e20dd0c6c1e4b8

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
520B

MD5
4fd97bcf91aa84ace4617455277fd390

SHA1
a69556469120ae4889a6ff426eb1279d3c193845

SHA256
3fbb34e90f363d4a5d68c21cb93801ab82cb3f703328027ac138a16c6eedb9c4

SHA512
39e84bbbaf13f0482a0aafa0f87813a69ba9d7b957d9596e3d00173d69c5e7a76db08d47f0dade91c071fabf82e30995e63f34416911340e2a3920d7d5344960

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
49B

MD5
2738e30424bb4f0dddb94575f10d5f86

SHA1
21573096eca9b8b7b3d9d68ad6a996807631b5e1

SHA256
5e58028edd1d27fb853a4b05e62bf20cfc4d042123db9ae2e7de01870cb18819

SHA512
0dccb0267e80a74402d01b0447d9c63178473830a146b5b9c530132ac52e7c73ae940f65d2879bfa5a39f811b61b70ebca03f85931b15cf63e69fa4f4c12e9f5

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
711B

MD5
524a7beebbf3dd743408345842fe99bb

SHA1
07e3e336b81bdfb68d473a381f8dad57dc241511

SHA256
33b653afdc6414a6bde0cbce5197dcfde9493506f0f4ca183108f43989ad1397

SHA512
fc23ab819c61a8b4fcbe9f14f5371d91db23709f3c379912b3f16f4c71b0b280c6c02546cbd92f9a0be5a167cf3669f547049ef718a9e066c1e3f91707cc938d

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
683B

MD5
fac4389313b53d6c82d1eb9e0a568982

SHA1
c9e31c02bacbc8610869032610c05899f2bdfb77

SHA256
7408c33de0c9292ca00cea5f105d06365ba75298bcd5b1980ce2d8de8d06488a

SHA512
cbf63b66a52f0fe151ae701b5915226743b10b60c9f9a1553c8833f907d64b2a6aab48ee84e405d6135afed79e1f8cd455a6e6c0d752b72480e4c4088d4268ca

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
620B

MD5
1427207ad772a7e2718adb4b43b19e4b

SHA1
37b729613dcedcb399c83955110bd70117819560

SHA256
bf1ed39cc78808b5a6c1ced6a77c12035819d8c490c48ad979a3841bb8b2a78e

SHA512
fdaa334247522ee6cef3eb0d6105862c6964df18591e13744cd86855f7b10191f055b924036758e9aa8107107ef4dcf2629c978385420831887a1468236b6fde

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
1KB

MD5
4ded623f6aced21cfae3c51d0e15b762

SHA1
fe47dc9f44ad507a0bda7f46e012b4ffc5dc4f78

SHA256
fe72c39d1078a36b2117e02baa921ebc0a2bbfec2303e15ddb978ae1feaac97e

SHA512
b6a9c4293bbcc484e581700953b888c91621a294c6c6fc9e24b97fe1839fe85bf4338605b8acb6894ac4d0c3db76721efae22640cc697c4c91e2ac23a89ba95e

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
2KB

MD5
79f9d9a2f0ff6d0768f2902a242c2bc4

SHA1
52e27bc36cd5be857b970f3ab2928c0fb1832922

SHA256
02b4125c93de94b25012e3d8ba0fea78e763ae5dd2263c8640f3aca1581422cb

SHA512
f3697ebd39d48bb06c89a5b5f76f11ca429249bfb44290cf20682e208990b067147f89dd3c4b1c2453e77b463e63131f2019231ee7fe085b898534ec788592a0

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
4KB

MD5
9f9e9cd28c30b048c12f55b23325dec6

SHA1
f9b738e6554d551fe696972f896b0e2ae93ae320

SHA256
b11a2d988996902d7316331a4af7fbafec8ebdf3d453e93b7b8955e26ccd06ce

SHA512
69c40dd0daf7346cf0a0839659555d08317fb5f574b278894c60a2ca7a7dcc529aac32437b9b9e7daf7b867a93c89b21014674625185576e356f73d0a1efdf31

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
7KB

MD5
c653dad8b4d44982163ebdf3ea796937

SHA1
c36fc172a145692dd876af9e1b0ef62def2f688f

SHA256
38afd84018c0d34c725097c0ab8956e1cfdfb945a5b4262a78d07366c0de1423

SHA512
1444fb9be4ac23b40344f4c1c8572fc0f7ec91412aba83afaa529fe3262aabf5b74e72cbe15b12de92cb19d2692616425970a35d92bb2c440d03c75ae71ef3b1

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
10KB

MD5
a7c4d193e1d1364a110573dbc1336362

SHA1
69c1bd619dba78f51a8b62a9e1a5955521eecd66

SHA256
eaab0f83f4614b2199afb742d2a1e8dbb047fff14f35d1ff4e780e5278a5eee1

SHA512
9b364eb84c71d46749b04bf05b84c896b1d0a9fe9d8e44fd95f9ac216b43ec03ea5a4a23972782d000da2ed6768154e93ad300d0a599af838dccf011d99d02f8

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
11KB

MD5
3ea7cac3cf4b00debb8d3d095ef7271a

SHA1
4c48ecf5e95f0830e2ff5dbfa745926c26ec6de6

SHA256
90c02474409f0ce17ea180ce05f4b05cff59a57d117a3bd89c2d9191fdd7de3b

SHA512
599bfe5ff33952ba1986318edd718c5f3f1e0d072c88051e53d855715f35e40342052cb50e3fbeac33133b3c573159c0174c6111bef8fc6df19311824705d50d

Download Submit
C:\Program Files\Google\Chrome\Application\125.0.6422.142\chrome_elf.dll

Filesize
1.2MB

MD5
db2bc0bbc801f08687ce5acb912c29d0

SHA1
221653e12d938fe062d43cb36df7935a75ed7fe8

SHA256
3c46a2e8e29da894699c1020800ac091a8e89c61a88ecc60d7dc9f8e0092b3ab

SHA512
00095a8f54f51e2d7ac4cd4f38ddda36cee9c0155d35206dac7d87fd08fe41809ce047a20b6e6318ff70f0759d23d81ea3b8c40c2bf0b5431edfa6c6798c866c

Download Submit
C:\Program Files\Google\Chrome\Application\125.0.6422.142\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Program Files\Google\Chrome\Application\125.0.6422.142\dxcompiler.dll

Filesize
21.0MB

MD5
5848146d5243fd8283e2f4c54deb4b95

SHA1
26d4d783103f0929740891a4ba85a3ba6fdd7b53

SHA256
3c18cb32f095602b88670673193548276dcbb4a65ce914bd7fedbce3f3e0803a

SHA512
f8d33bb855e55c63f97f510e93547e3e6d0e979fea3479c23941ad97a58af77e5e5a6b4bcedbae8afed2dec750ace1f37b9b8083d94bc88cf1495f7af814784d

Download Submit
C:\Program Files\Google\Chrome\Application\125.0.6422.142\dxil.dll

Filesize
1.4MB

MD5
30da04b06e0abec33fecc55db1aa9b95

SHA1
de711585acfe49c510b500328803d3a411a4e515

SHA256
a5fe1d8d9caa2ff29daffd53f73a9a4e19c250351b2abe4fc7b57e60ce67ac68

SHA512
67790874377e308d1448d0e41df9dd353a5f63686df4eb9a8e70a4da449b0c63a5d3655ab38d24b145ad3c57971b1c6793ea6c5ac2257b6eb2e8964a44ab0f08

Download Submit
C:\Program Files\Google\Chrome\Application\125.0.6422.142\elevation_service.exe

Filesize
1.7MB

MD5
c2ad07cc826abe1890ea222ff18599af

SHA1
6f11128feb8d4bf80bae7d507a9bb04cb1486c1b

SHA256
1a47b422b773e0f94c20fa76d802aeff0fdff63b3b4cbabb18017a99592fd0de

SHA512
cdee258615e956d03bda4fcc854f7e5b1787185ca45917fa1659a9f84ebdbfb09a43dba784bdaef29939c9f882c30927e90a47e8802ec824add6a22b42eb5db2

Download Submit
C:\Program Files\Google\Chrome\Application\125.0.6422.142\libEGL.dll

Filesize
471KB

MD5
9162106201f4ef23f8b08a7dfaf2cbf2

SHA1
d87ff09142d84abff8819f597aeea52753962cac

SHA256
3a57d9528268b9ced2eddcae23eef79429ec3368fb337c786689331655345922

SHA512
a4648c92e784af9e163f4bb596ff62410a3ac2973e01d93588230eb00fb916ab58697a1919a1a103eb3fd46c67a4e6dc162e9ee596050e76d34076e2f411dd0b

Download Submit
C:\Program Files\Google\Chrome\Application\125.0.6422.142\libGLESv2.dll

Filesize
7.7MB

MD5
ee68413844a5513ed550c23068927bc6

SHA1
8cf60cec555d13c11dded02a682e3a1cd3f86233

SHA256
f27efd79bf444698b1b51261e6906729f46e11e93e5df4d35939a524d5323640

SHA512
1c118cd2feeba6129ab08abcb87e84f4b9850398ecf9fe8d5177d5531ebffacd51ac8d011cb6fc514d6ac51413ba2391c492eadfe6f5e450e58a77b855694789

Download Submit
C:\Program Files\Google\Chrome\Application\125.0.6422.142\vk_swiftshader.dll

Filesize
5.0MB

MD5
038ba3cd9c6a2a050b1c3bd0a3e99688

SHA1
3766875500918b41b2b16f62faaf969bd1508bf9

SHA256
b6201f7b5f789a8ab3122aca4437cb8adef22d3fad493d710b0820558fbddbb8

SHA512
dfc29715bedee7d7bd1b74de8d1a5b41b1b4ac631d2a7aa42987d73105aad07739331764c1c3b42e8d04615782a78418a45d5ef1510807f21edff78b5d359ac3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.7MB

MD5
f83f22c9da85a207e590eb8ed0c11796

SHA1
c97cdf54791461f07088762995f8419e44422729

SHA256
8b1c64f2938d58be80cc2bedfc9dd3b4028a44cd71e4088e838a7fda4aac5f06

SHA512
5b13e9757351351eaedc81bdcff45d69e70606f68ec877f07a5a0cc201346a84a88cefb28846d245587c69d6c15f59b09c0c8a17d9ca9bdff5aab538e17367cf

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

Filesize
2KB

MD5
b58e03993114636334a4c032a2b4feb8

SHA1
30129c2e55056df1f868cfe6bee4539f30f0c712

SHA256
f4722b12344110f9dc6b74e6a101577baf11cf7c59feba6850fa2fa0210a2846

SHA512
8bd848b56f4273f4bd2212bbfff7ff05a5b21d405d92dde511460bdfadd1143059fe83f5461345a09373272b3ebb9b31bb76a0d91c3faf5a2bee3bdd8c01ce6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\547002e9-fb47-4b80-8aa3-762fc9042466.tmp

Filesize
9KB

MD5
7a9a3de545eed28fb84222e47d2bfc10

SHA1
db72f5dd4506f155c84d4726fddba37a2bf8ddd2

SHA256
b0dcff5833081392dbd78045d975f02e7cde923a14099fa224e7959abd6dbaf0

SHA512
ea901e4af0b3da4cf403852ee2f147665766f141b01c0c32afe3954212a451c22b163fd18c1653659863254eed251e05461d4984830a66b686156f47263e77f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f5d7f77b375e0c7de56a49e3ac7f1c37

SHA1
dfe0054518d1ea4f07c136ab93fdfe6869bc7bc2

SHA256
7bae02f348f9d8c0a2f8f9ae4c149b1e3d7bac0de7a73364335806c7e5a5a3e9

SHA512
f8068144cb2a0beed44266b194348df2269574064bc98c032ceb8f0f2db34157a92ddbe1a0512250cd1a026bcfb4c8e21b5bb72cde99e7365c6d4344c3b26274

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
77dedfd488468e10a6ccfc5efe160f89

SHA1
e14e0d9d63f8f05c89843a10dfcd03549a939644

SHA256
dd33a87e07445c5d0aef7b8ce7936695108d58bca52519966944e74094c35b16

SHA512
792de8163b0904f4146775a8b82a73be57d4d945922ae945052d66d54eb8b0182d3b7d4d4ec36a7432d4e1260fb017a6a465b3e20513a2f09588901e8e91770a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bdf9fe6d0bbe4a2e24682901bc9c0972

SHA1
01cdc2972e5d1e9e629b430dee9b4456c42eb269

SHA256
8fcfec3604852e01a3b79dd93dbd5b3420ea23d9ea983ce7fa3c33d378c02729

SHA512
f2d790bca9a547f5c36bf4ec41ec475cd38ab56bc1f585517cef299301dcf10f62685ead3974dc897294f9e6d4b9694801f0e409f855dd4ff20b30d25261e999

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95a6629559c2c02d56cbf03b604f31ca

SHA1
bc26167196c1e1132a26d4c3c398290db80cae22

SHA256
2ad2651ce93a00482f64835aeffa11a9cf6ed49287f78dbac4da172601bc6151

SHA512
e125e4c6dc76f201fd5c2506cdfb08ae45eea79dc1ec743093bcbb9a2f28f47584895adc8747e275a482411a46145e328542312f97dcd1e4d9b6c294b33a52d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
183776bbdbdc8d4d557bb9d084d42e74

SHA1
15d349fcf117b4d6c5fbcb61e2a544f28aff9fbb

SHA256
685b0dee0cac3cc74c91fcf9ced396bfdddbed3fbdd6e2795f60f66a16b621be

SHA512
84c74837f31565efc945beb52aac15cc87073f99c7cfe46fa7497e7f6ef0f7fef7f1547ee79ab91aa290f04c49ac662e756250f8e7b9109450d1fdaee63dd8df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
204KB

MD5
1c6dbfc385bd6672bb6f9379abcba4ae

SHA1
2e7ca96f89a3c9e1f446384ef94c6c8c496e1bdd

SHA256
f90218d3521e72347e8d9c945b5fef426fd9c6ff402622b83c3689373d2adcc6

SHA512
2c6abc5c16bbf24e122305a8806fd947fc3707be2e47e7256c2d674fbb3ad3dbdad3679f7401e28a0d757087ecf82dd1e005960f1d9ab8a8e7e7268416c372b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
204KB

MD5
211d2054c1674c8e8562b18484db0f00

SHA1
64e04ddb01be404ad5838d2c11f070b651b35507

SHA256
2d04396c872f640c3477224bc6a3ee70f059f29d1398e6984e13d550fee02e01

SHA512
4547fdb361ae03e4b6a8003a14b5d2b9b128cfc7381f18207ebbac905516a2741139c4fc4f94689a28dcc530a00987a908e326f71777ccede379657e526c579d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
617c455ac49e6d336330479226fd0718

SHA1
dc32be990b15d76eb0761abef5e3254ea744780f

SHA256
de8273a373dfccaa04c4affdffc50a771b3dc4c29f03955f21dbd27cc0faddd4

SHA512
86872f496e2d54832b89dd180958c217530f121c7f66de2167ee1ed057c7b4cf094cde85595e3f88020c90d69872c3f67ac3b452aa2d4b5ae9cc5192650ebc81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
8b9eb8eaf608e37d3b7b4fca0ddcbd06

SHA1
982a3199655fb562d41498e361ef90166b0c035d

SHA256
4fe7efb731a964b7df6887ba5207a9ea7353ba4a1beff6e788aadb0d79eb4130

SHA512
318f72aea322b1b8b7870c999965fc3b3137d8bdfffb36b04120cd8c94146b5b83fdbec2d7db3b460ad0005547798c149effddf3c9a05b975f68e09ccb807715

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
38632eb1357c2012a5aaaba5f50c8446

SHA1
c84345aea5960ad6727d069e6803918a20d22dd9

SHA256
65934f99f2af2de68fab9d77cead4995b4ab76854e4ff5713024a6cd0c6ab227

SHA512
2d45c0d5e6c64701601b86c01f77ac085287dfc74daa575ec5b7b10d5ec061697cd61dc288744d018f90e7a880f2e013341809355936244cf7ba472e9edde483

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
eedc351b36b4b60908cb796fb3223d62

SHA1
2916c8ef0b80f765d28d9acdfff7d8d983c579b3

SHA256
915efda55b5ecafb32ccce193bd9d7da67cc3ae976032f1410e8da9ee4c75c1f

SHA512
5705c25983d2413315277e6c92451e2b512d1a79db58e9c2eb83b1eaf06e0db6d65ce40f9eb77c7bd5132d7d7b0817a4e01d7b2556da42b00cea1e24fc3b2ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CleanUp.dll

Filesize
4.2MB

MD5
be5544e783c9ba14df1fa24016339224

SHA1
c82b25388814306fc66e04ce8f4658bb908221db

SHA256
64a45cc8499992de72e4fe8c2a07100e97e333c09c0c004af2b88d8aedcd19f1

SHA512
5ee012f71a0c1635153a27e7d036b8f6ffb0b3a4a80c919caadf00c74054bed942df3f87b87cd196affe1d9b992a6921dfe24059643b0ca50bad15fabcea7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe

Filesize
8.3MB

MD5
a99b6655700a6ef0dfadf6dfdf7669c1

SHA1
971d2f06323c74e8355327f168f68831146ecb40

SHA256
82123965c918e3bd7f6f8442e7f77b3724cf3a66b9a8102172309b520a5636f9

SHA512
66002239eba4496cbac92c755babc5d2677e6cacf9899345ab2731ad21932b0a143407c7ae54def30eb7ba0513ab0f153fb501097629d5d7bf4c39d1d17612dd

Download Submit
C:\Windows\SystemTemp\Crashpad\settings.dat

Filesize
40B

MD5
40e7a267dd302c50cc06aa5b147f5c52

SHA1
36684a83b821b8af4867a6d04cc4f93bb75389cd

SHA256
aae1a43c60f44ac13bfe91063507302bc9358a012b0190d61031bfad87cba760

SHA512
38951245e8cd796cd955d1a3f7612db9f108e65c885bdc10a42a2d43dcea8a0e33ea1a14b14553891bdc545de5d1ab06392f1d8e81811db47e7e20221e7e5f39

Download Submit
C:\Windows\SystemTemp\Google3068_228779749\bin\updater.exe

Filesize
4.6MB

MD5
95222faeeab2cebe9502f2e123d5dd2a

SHA1
dac0e46c7b0bc998bee826538a3128fbe396e638

SHA256
b8af4588875e697e49db4e1ff5833ef8f89ffde327ab9dc9fad101551d6aec28

SHA512
aaec6212bb69d7dbf4b7d09dfa6ccfca803835c19a5974f534f7db2d6235e741bb404969b2695ff9487ee2c7ac2ab1f740a436332b740b45fbaf579c6e13bf4f

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1800_2105474716\Filtering Rules

Filesize
68KB

MD5
6274a7426421914c19502cbe0fe28ca0

SHA1
e4d1c702ca1b5497a3abcdd9495a5d0758f19ffc

SHA256
ae2fd01d2908591e0f39343a5b4a78baa8e7d6cac9d78ba79c502fe0a15ce3ee

SHA512
bf1287f502013308cdd906f6e42998c422ef1e272b348e66122dc4a4e471d01333b418f48d1bb2198c72845bdc950612597e179e612aaa1ba6cf8d48fb8f0cf5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1800_2105474716\manifest.json

Filesize
114B

MD5
4c30f6704085b87b66dce75a22809259

SHA1
8953ee0f49416c23caa82cdd0acdacc750d1d713

SHA256
0152e17e94788e5c3ff124f2906d1d95dc6f8b894cc27ec114b0e73bf6da54f9

SHA512
51e2101bcad1cb1820c98b93a0fb860e4c46172ca2f4e6627520eb066692b3957c0d979894e6e0190877b8ae3c97cb041782bf5d8d0bb0bf2814d8c9bb7c37f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3892_1716632876\6d1e3701-f83d-450f-acbc-cac6064e9fa3.tmp

Filesize
632KB

MD5
e46307058c04464c70608ce487d0b0a9

SHA1
c66be1360a89fdb898ae828f453e0c6f4a797e2b

SHA256
868bbf9c55f2386021f2ec37d7af787bcc40c1ac78c9d2f43be28bbbef85f975

SHA512
35f9d5c88b47c518f8a1700382440caf9e99ebe9144b650cdacfbf4e51a9df147b4b933e2eb77ce253e8f4870fca995fc1e43d709f9cbae35aa4909906067ff5

Download Submit
C:\Windows\TEMP\chrome_installer.log

Filesize
22KB

MD5
aebc6fcc66aa48bb8af42ff7e222580f

SHA1
36c57e5c9608ecc5c9210d921dd2eb4b94c984fd

SHA256
94b51c502a9df0ec4aef411aa479b5c814fff2bfb79a11d026a61629b34d42ab

SHA512
7523588f02692d25731af668ca2dce1912338001813cfe38828920e8bc67467e2b2b3aebfeac52ff83413c683033e7820acc91813101771882de5bac66e0adf2

Download Submit
memory/856-1-0x0000000002050000-0x0000000002069000-memory.dmp

Filesize
100KB

Download
memory/856-15-0x0000000002050000-0x0000000002069000-memory.dmp

Filesize
100KB

Download