Malware Analysis Report

2025-03-15 06:32

Sample ID 240624-s8hnestckm
Target Google Chrome.msi
SHA256 58438c739e921d761c301b1d9bf9854af4efbd740c6e83a50e623f703edcce3e
Tags
gh0strat discovery evasion persistence privilege_escalation rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file Google Chrome.msi was found to be: Known bad.

Malicious Activity Summary

Gh0st RAT payload

Gh0strat

Reads user/profile data of web browsers

Boot or Logon Autostart Execution: Active Setup

Checks whether UAC is enabled

Enumerates connected drives

Event Triggered Execution: Component Object Model Hijacking

Checks computer location settings

Drops file in System32 directory

Drops file in Program Files directory

Executes dropped EXE

Checks system information in the registry

Loads dropped DLL

Drops file in Windows directory

Checks installed software on the system

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 15:47

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 15:47

Reported

2024-06-24 15:51

Platform

win10-20240611-en

Max time kernel

208s

Max time network

218s

Command Line

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google Chrome.msi"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Reads user/profile data of web browsers

spyware stealer

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\126.0.6478.114\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\ru.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\sl.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\te.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\chrome_elf.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\da7647f5-6a70-443d-9402-93a5dced7d35.tmp C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe58cfde.TMP C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\manifest.fingerprint C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\hr.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\nl.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\vk_swiftshader_icd.json C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Google\Update\GoogleUpdate.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files (x86)\chrome_url_fetcher_4704_1028187858\-8a69d345-d564-463c-aff1-a69d9e530f96-_126.0.6478.114_all_i3yzopz5lnuzpsoe2mr22ardza.crx3 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\he.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe58f98e.TMP C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\SETUP.EX_ C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\126.0.6478.114_chrome_installer.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\8c174c88-d2de-4a76-b61f-0f37609f3d21.tmp C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\et.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\fr.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\ta.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\WidevineCdm\manifest.json C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\updater.log C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\uninstall.cmd C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\ur.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\af.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\bn.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\WidevineCdm\LICENSE C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe59b099.TMP C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\08cb4ec3-352a-44e6-a33d-2e3dcea9f3ea.tmp C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\prefs.json C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\chrome.7z C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\d3dcompiler_47.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\ar.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\da.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\de.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\fa.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\hu.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\it.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Google1004_628357120\bin\uninstall.cmd C:\Users\Public\ChromeSetup.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\8c174c88-d2de-4a76-b61f-0f37609f3d21.tmp C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\da7647f5-6a70-443d-9402-93a5dced7d35.tmp C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\updater.log C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File opened for modification C:\Program Files\Crashpad\settings.dat C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Google1004_628357120\updater.7z C:\Users\Public\ChromeSetup.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\chrome_proxy.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Google1004_808841308\UPDATER.PACKED.7Z C:\Users\Public\ChromeSetup.exe N/A
File created C:\Program Files (x86)\Google1004_628357120\bin\updater.exe C:\Users\Public\ChromeSetup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\chrome_200_percent.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\sk.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\updater.log C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\126.0.6478.114.manifest C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\ja.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\sw.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\notification_helper.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\vk_swiftshader.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\6aadfaec-e481-4432-9faa-6f2e1d73f139.tmp C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File opened for modification C:\Program Files\Crashpad\metadata C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4416_2083887123\Chrome-bin\126.0.6478.114\Locales\es-419.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e58ac0a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAE9B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAF48.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB266.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58ac0a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAD14.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{CB9883B9-2574-434A-AE79-8FEF58247291} C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\ChromeSetup.exe N/A
N/A N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\126.0.6478.114_chrome_installer.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\126.0.6478.114\elevation_service.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg C:\Windows\system32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey \??\c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637178006761145" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122 = "Windows Firewall" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{F4334319-8210-469B-8262-DD03623FEB5B}\1.0 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{05A30352-EB25-45B6-8449-BCA7B0542CE5} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0 C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\ = "IUpdaterCallbackSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib\ = "{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0\ = "GoogleUpdater TypeLib for IUpdaterAppStatesCallbackSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\ = "IPolicyStatusSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\CLSID C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FCD652C-D470-570F-9A74-B31F9AB8F368}\ = "IUpdaterInternalCallbackSystem" C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\1.0 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\ = "IPolicyStatusValueSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\0\win32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8582249A-7E37-5C77-A5F4-1FBFEAFCBC5F}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\4" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ = "ICurrentStateSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{708860E0-F641-4611-8895-7D867DD3675B} C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\ = "IUpdaterCallbackSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{8582249A-7E37-5C77-A5F4-1FBFEAFCBC5F}\1.0\0 C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win64 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\ = "{6430040A-5EBD-4E63-A56F-C71D5990F827}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0\win32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\ = "IPolicyStatus3System" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8018F647-BF07-55BB-82BE-A2D7049F7CE4}\AppID = "{8018F647-BF07-55BB-82BE-A2D7049F7CE4}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{534F5323-3569-4F42-919D-1E1CF93E5BF6} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0\0\win32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4334319-8210-469B-8262-DD03623FEB5B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\TypeLib\ = "{8476CE12-AE1F-4198-805C-BA0F9B783F57}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 5008 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4996 wrote to memory of 5008 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4996 wrote to memory of 5008 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4996 wrote to memory of 4496 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4996 wrote to memory of 4496 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4996 wrote to memory of 5088 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4996 wrote to memory of 5088 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4996 wrote to memory of 5088 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4996 wrote to memory of 2728 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe
PID 4996 wrote to memory of 2728 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe
PID 4996 wrote to memory of 2728 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe
PID 4996 wrote to memory of 1004 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\ChromeSetup.exe
PID 4996 wrote to memory of 1004 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\ChromeSetup.exe
PID 4996 wrote to memory of 1004 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\ChromeSetup.exe
PID 1004 wrote to memory of 2088 N/A C:\Users\Public\ChromeSetup.exe C:\Program Files (x86)\Google1004_628357120\bin\updater.exe
PID 1004 wrote to memory of 2088 N/A C:\Users\Public\ChromeSetup.exe C:\Program Files (x86)\Google1004_628357120\bin\updater.exe
PID 1004 wrote to memory of 2088 N/A C:\Users\Public\ChromeSetup.exe C:\Program Files (x86)\Google1004_628357120\bin\updater.exe
PID 2088 wrote to memory of 4952 N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe C:\Program Files (x86)\Google1004_628357120\bin\updater.exe
PID 2088 wrote to memory of 4952 N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe C:\Program Files (x86)\Google1004_628357120\bin\updater.exe
PID 2088 wrote to memory of 4952 N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe C:\Program Files (x86)\Google1004_628357120\bin\updater.exe
PID 292 wrote to memory of 3568 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
PID 292 wrote to memory of 3568 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
PID 292 wrote to memory of 3568 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
PID 4704 wrote to memory of 5028 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
PID 4704 wrote to memory of 5028 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
PID 4704 wrote to memory of 5028 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
PID 4704 wrote to memory of 968 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\126.0.6478.114_chrome_installer.exe
PID 4704 wrote to memory of 968 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\126.0.6478.114_chrome_installer.exe
PID 968 wrote to memory of 4416 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\126.0.6478.114_chrome_installer.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe
PID 968 wrote to memory of 4416 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\126.0.6478.114_chrome_installer.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe
PID 4416 wrote to memory of 3544 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe
PID 4416 wrote to memory of 3544 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe
PID 4416 wrote to memory of 3372 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe
PID 4416 wrote to memory of 3372 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe
PID 3372 wrote to memory of 3732 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe
PID 3372 wrote to memory of 3732 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe
PID 2088 wrote to memory of 5072 N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2088 wrote to memory of 5072 N/A C:\Program Files (x86)\Google1004_628357120\bin\updater.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 4560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 4560 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5072 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google Chrome.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 288061617B52270423CB688702514A89 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 202B16844E3FC779383A5102D4029C8D

C:\Users\Public\stdio\vtreamsetup.exe

"C:\Users\Public\stdio\vtreamsetup.exe"

C:\Users\Public\ChromeSetup.exe

"C:\Users\Public\ChromeSetup.exe"

C:\Program Files (x86)\Google1004_628357120\bin\updater.exe

"C:\Program Files (x86)\Google1004_628357120\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={C762F10F-9618-E247-304C-EB1133D8AFC3}&lang=zh-CN&browser=4&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2

C:\Program Files (x86)\Google1004_628357120\bin\updater.exe

"C:\Program Files (x86)\Google1004_628357120\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x254,0x258,0x25c,0x250,0x22c,0x1582604,0x1582610,0x158261c

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x412604,0x412610,0x41261c

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x412604,0x412610,0x41261c

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\126.0.6478.114_chrome_installer.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\126.0.6478.114_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\ebe83027-b3de-4beb-b7fa-dcfbd488402e.tmp"

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\ebe83027-b3de-4beb-b7fa-dcfbd488402e.tmp"

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.114 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff6f97546a8,0x7ff6f97546b4,0x7ff6f97546c0

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4704_1893827515\CR_0103D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.114 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff6f97546a8,0x7ff6f97546b4,0x7ff6f97546c0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff49ff1c70,0x7fff49ff1c7c,0x7fff49ff1c88

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=1880 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1756,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=1916 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2136,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=2316 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3000,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=3056 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3008,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=3100 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3740,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=3640 /prefetch:2

C:\Program Files\Google\Chrome\Application\126.0.6478.114\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\126.0.6478.114\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4480,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4524 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4740,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4768 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4076,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=3004 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4948,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5076 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5232,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5236 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=5188,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5284 /prefetch:8

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5352,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5024 /prefetch:8

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5128,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5204 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5368,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5304 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5272,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5380 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5296,i,8726103749707699030,9010729079982366029,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5384 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 www.baiodu.com udp
US 8.8.8.8:53 update.googleapis.com udp
GB 216.58.204.67:443 update.googleapis.com tcp
US 8.8.8.8:53 hehua.cookielive.top udp
HK 154.197.49.2:3190 hehua.cookielive.top tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 172.217.169.67:80 o.pki.goog tcp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 123.35.104.34.in-addr.arpa udp
HK 154.197.49.2:3190 hehua.cookielive.top tcp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.google.com udp
IE 209.85.203.84:443 accounts.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 84.203.85.209.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 130.109.69.13.in-addr.arpa udp
HK 154.197.49.2:3190 hehua.cookielive.top tcp
HK 154.197.49.2:3190 hehua.cookielive.top tcp

Files

C:\Users\Admin\AppData\Local\Temp\MSIDC95.tmp

MD5 c7fbd5ee98e32a77edf1156db3fca622
SHA1 3e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256 e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA512 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

C:\Users\Public\stdio\vtreamsetup.exe

MD5 b575cfefd5c7b14f4743ef2ad74b2736
SHA1 f433813501a7b5b96186bb02fe69ca01580627ed
SHA256 a38708da0db2003a1d14ed1e9d45a9ecb30a6294d472692f804ffb0cea70334b
SHA512 ea912b2589142f1a89ef84e503bf65999beb7aa76d2aa50e1e7edc178bf841debed906fc11da555a004fc715f52fa09baf3a3fe4b42c33e5c9cf811eba676e5e

C:\Users\Public\stdio\mfc140u.dll

MD5 06f307b7ddb0994b448b9786cf5811b8
SHA1 4d70c5206e84b23916e4c686f430e5dcdc70dfc3
SHA256 dde3c8e9e7d414913a29979798311d095c1b8869ee405a1c3fcbba14da90446d
SHA512 b26bcfca4569ce9fb4b7196c952ce38b0e3a30aeff2e7ac4b2ea1c695c658c1d92029fb7e31ad231e62de8dff2a86ab3821aa1f9d5c944d88b263d88efeca16a

C:\Users\Public\stdio\QKParameterMgr.dll

MD5 1390bc15e3d2b403d962c6c6e9e77fee
SHA1 dab2a8a69cb014c682544c94efc2a9219fd603cc
SHA256 ae1cec46aaa7841b0d4e2dd719272821469be8121b32a60609b1bc3bfd5638d3
SHA512 e794d64bd63b8bbacdd59e8ad1b2b23011f07a8de70217082f56b710cadfec4f4579756eb693ceb9a223933366bb4058d26e7c5867d4c4e67988aa4532cbad5a

C:\Users\Public\stdio\QKResource.dll

MD5 e471a8665c05062f45e343b7f89ad319
SHA1 58a98da8295458c073d10622158a6a53a20be534
SHA256 1f75c77513b2554d94c692d6e7a00b674dcec354913159aea7f324062a4fa798
SHA512 f033a1e8044b070a8f2ad4fe97e06f810747988ce5bb269bd6a502b39c24158ce0a150305666b73de74252762371e5d091ed258fc11e94259c78bcaba04dfc46

\Users\Public\stdio\QKPlugin.dll

MD5 216c638d1e32032145687d2e3851394a
SHA1 fdcb1cb31625a8023880a716205b29a1b7f71aa2
SHA256 965fd4c884b66a65c7b6800a43f1c6f9a0b5a5766606301494da227a8a80f35e
SHA512 5b50ad6f3a5aa25de08174df90db067676fb13991b93bcadba2698b0e69c096f46892467b1d6f75227825447b9eedbf40f6415d8804115fa3201a43bd7360bd0

\Users\Public\stdio\opencv_imgproc2413.dll

MD5 27e2d298d6905a73ea98b7a2c4c889c5
SHA1 600eb3e14e20f91c7e9788bf3cde864f9e1bc17c
SHA256 f67e68461b7fa1bdf83b00020affc17c203e5d5fb6d051c00d2654e181115f8f
SHA512 751cceddd052cb3a540b842ed9a69f0842f3c1a5d503555ba990838550b0e784dafc577e0070383af7cfe36bf51a4944b9a9fadfbcfdbcc92ba6deb52ff30f95

C:\Users\Public\stdio\MSVCR120.dll

MD5 7f8da89204332df95cfc41f6e85dc515
SHA1 7e8d71e1f2f9729a52b2938bfdde69e56e6de488
SHA256 1c8449f417566dd0fd69dc21ef77d46b9475fbaac731da35bdc71669f22242c8
SHA512 d48b833cbc9db97d7be4e986be25ae097d1f55a33d591c5f554ec95d0d329f7cdc50687e16429289308a212cb00a8e2a640039ca7a056c5e03f58e21d3b27b33

\Users\Public\stdio\alibabacloud-oss-cpp-sdk.dll

MD5 0aaeb781e651be69f6d643a72b15c6cb
SHA1 8be4066c628629ffe77254c2cc452aecc1fee8dc
SHA256 e9359d5c42b6767d63525ae73eb194a88c3e68111cee4ec1a2bdbb8ecf530bb9
SHA512 c6f1af6bb30005f8b89951612961ef8db706d39ace2e674cf54a14445fdfcfe8cf8c5762fe04406b9d87154a919cc47e251eaefd9cbd15e00b2ecf471854e6f5

\Users\Public\stdio\opencv_highgui2413.dll

MD5 f6a0b1bf98161f7231039f6ffceee155
SHA1 7f888d40d50ae85490e2126c9f9a14ce78d4c7d0
SHA256 1ad5b3f2447a6d48e3ade61cbdc4abb0f18f3dbc8b7dcd3b050d60c68197d0df
SHA512 69ea3f74d40a5aecedb5ea120e01a5cd348af9542f16124973b028a3e2965d3d63a804d0bab1bdd4b548e55f8bb21365605b241891993177cfc08608d895764b

\Users\Public\stdio\opencv_core2413.dll

MD5 b83a304b66f3c9799cae2be75bec361b
SHA1 d7ccc4067af699e62f9a7f9001589d3d8c7f4ac6
SHA256 b0f02252f1cee1826f3b193e682344a8d9785e424e8009b60a7700e5c88271c8
SHA512 dfa3dfa9faf6a85af25fa4f12726ec27075053112e9455461e435ff424bff0635bd624c39c2e15f962b4aab3a6374b23024e7d805e0e8f2d54df1f92e7edd6f2

C:\Users\Public\stdio\libmysql.dll

MD5 fcd72aa6a80b75556057d77b729f17c5
SHA1 8689cd54043136e644c82cb8eae419a5d43289ca
SHA256 6a59443d3a5cf8572e2e80b5987040ddbf2630e14036204a3bf77ce27e02d918
SHA512 e2c7c02ec1b997c3888ce20e8a3ac4c84a4e36a6e1c37aaf1a65983096ba64e60fbe61ca988821a1807872e9bf284cc577938db5957abcb57555321a7e36c7ba

\Users\Public\stdio\msc.dll

MD5 18d35237d397e8396c30356ddb12dd9c
SHA1 8f86896fd6f884f05c48c3034b7b55b7d9e50a5a
SHA256 1c1f3b6df9347b864ac879ef841196b97ed02f5be941fd490817831889b97b84
SHA512 e2e1e1fdb6e161b28e90236edd0b35d3b91f507161b50615caaaa8f9484946c72ea35298838e1b538e4d2801aff9cece97b89447e78a3dc2ae4fdc962a26c5c3

\Users\Public\stdio\libcurl.dll

MD5 ca9a7555db63862a9f0f67373543c5eb
SHA1 11d432817bb623bb043f135fc553e025b6be9913
SHA256 5a2f4ee38f33251312ba41255f33b4039413704bc4d6b4a321ba8c280f3fa520
SHA512 7fdf78db9ac9a84c1c6fd4b293bfd82fbcce97a87ba7ac45ca86ab7f338015b6ee38099ab0a4237aa938e25d97e91f10ceec9f2a6bd8c782814a82fa2e77346f

\Users\Public\stdio\vcruntime140.dll

MD5 1b171f9a428c44acf85f89989007c328
SHA1 6f25a874d6cbf8158cb7c491dcedaa81ceaebbae
SHA256 9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c
SHA512 99a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1

\Users\Public\stdio\DuiLib.dll

MD5 a3b393d6604c40c51f9f28533161ab81
SHA1 19480433f1a094f135eff78e4b63c5b47411f333
SHA256 a830e40e43aef4d9d7b7eeb6d94c17cd2cb11be7f3ee8adce2399ec5c0a6049c
SHA512 12c460443ae98c0a57abe98e8d70802367d9fe2a14faf66164a094ffdb10ee6d8a6b41e4c96e58a423218f3653ea56d804ed15614ff6957948025f78389c3313

\Users\Public\stdio\QKHook.dll

MD5 32f12897dbfad3149821d503013c6a28
SHA1 52fc6755add14e6f6eb2b2f5a20d8022a32c8225
SHA256 93fcab146f4061b93e6566b1846cfefd05dae52afd763fdd261e6a0543436671
SHA512 c0547fb67c4d80e2d2744179c4b21d1e9b8694f53a6c843adc7e28df48b0e56c95c25b6cfc956f440d856add2bfc339b8178c820c28a09250854b5a57587db59

\Users\Public\stdio\QKPhotoshopMgr.dll

MD5 a1b899fd31bff8b4d87e2edd78006b31
SHA1 199280dabac2c32324c59ec8da76c0126e5710e7
SHA256 09c6a24b0714da6e4bef6ed8070f6986c005cd974c35a4f7a9f406b88ee038b3
SHA512 40d9466ee6ae644c19e9c2f505370ed647379c6d3389a908ad32f24ed0cf6ef95728192a443324fde3a312b1fd31a4eb3ea616881595dac6ee1b4a047b948a17

\Users\Public\stdio\Plugin.dll

MD5 27378e77fed60b91b9eacef55b10d3a2
SHA1 603050de753ae268e09aca9e37b30ac4e647b6b7
SHA256 553920c1b7dbcabcd18e8a17a3f0b3bd91f3fd2a3375a6163c8e85d441cb8a18
SHA512 95be8277a4ceaf29a2c7bbba6f8e06fb894bb883ff457e08851352dd751375f94c551a78204fc30838aa2c4a6741f49e30bfa6f0b6a6f0287c5d77b0e9ed6c6d

\Users\Public\stdio\QKGuide.dll

MD5 057d333133ba16ad86fa644e8b28adf7
SHA1 7542ae74dbcaef4fd60e82937080efa1c2ac954f
SHA256 51d34fdf50a1542a86f2befa3e0f7615832558d29e41cf92c9206b44b67e1350
SHA512 83a61c8da999bdcc3bb47b47d8aeea3fb8605404cda949acb91bb0b7aaba7d1c854f7cf44d8d5ba81d5be5d2c3dfc5babf66f72bf1137c2786b34bd32b853e78

\Users\Public\stdio\QKRecord.dll

MD5 428f062a15575599e0fcbef2374754a8
SHA1 5dacffd79a14ac1b3b0377885460cc1bf1023810
SHA256 0553c54a2082a89b04bfa0a8373185ffcfa202523e98159a5e20012df1ce99b5
SHA512 492d4c4e35b55abc2f0517aa4fc3235bb88b115d7dc2b666f847f2b100d84b011eb9540675b60d3d68da4de6e49bff7253cd5428c991ac7ae521b73e0eacba27

\Users\Public\stdio\msvcp140.dll

MD5 1fb93933fd087215a3c7b0800e6bb703
SHA1 a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb
SHA256 2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01
SHA512 79cd448e44b5607863b3cd0f9c8e1310f7e340559495589c428a24a4ac49beb06502d787824097bb959a1c9cb80672630dac19a405468a0b64db5ebd6493590e

C:\Config.Msi\e58ac0b.rbs

MD5 3e75e3579bba61e2cd5db0f23ff57993
SHA1 1d44da55d203796957603e01a4dc20cefd23480e
SHA256 f7d41b4a91fcbf8bf65f941668bbc29d1d050a3952f9cbc6b8bcf9dd0b92173f
SHA512 64408c4dc93604dd14187d950f60cb7077694f17334c78a542b8ff380bcc5f8b906493b33acf6e1ec5e16978c5a7a089eab81e1d3df3dc51e9036ccd6de3d662

memory/2728-321-0x0000000003830000-0x00000000038C6000-memory.dmp

memory/2728-324-0x0000000003930000-0x00000000039AB000-memory.dmp

C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

MD5 2284e51f10d336086e1fd4147567d52d
SHA1 62a1e694dce8ceca5b6ebbcc35298ef2f1cfebfd
SHA256 781ff17406014aa6def5974c7bb33a97c1e504146dabb610c5d390d7ea416a4b
SHA512 480f6974b0f88b0b794b32693edc7613d21098a57195ec559813368b2be24923eb4d62c5272c03cd8a5c2300d4ec62abe8995a230f5663b6127ec760e0d163d0

C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

MD5 b79d9b23e4bfb74568e65c4e9aa2fe80
SHA1 21a3fc12acc5d65187c945756d32cb3530738907
SHA256 8673a1450e0b2f423b283f71830004a08e785dc3be6425b9070144d7740a7d7e
SHA512 e66a58e9fcf9aa8839e543aeedc939fa1d5c9a5a109e7928c23c360a064d1a821f89af4eba413ae4eae3162934c8d812cc0cb78f35a8cca429dadb56b8fe1555

C:\Program Files\Google\Chrome\Application\126.0.6478.114\Installer\setup.exe

MD5 36f9f0b7186d6d8e52ed2a794d3a0ce1
SHA1 5c79c4e65581239412bf19c0b2c8c27b94a866e6
SHA256 40c45622685f5f54588d5c397b7fb8fc509ac9f8446b0963af314a541f18a69e
SHA512 6e7b3ed8a49e435b5b548c24601b1bb23dba49628101c04ad41263926d16d6ed736e35bdd6a1ea298573e1455d15b2b8ad71668fd4e9cfdd148898139ed854d1

C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

MD5 488798ea7f769c9e4f85a7e2964b392c
SHA1 a9d1e1c5e5377f8e2685228e56e81058bc073814
SHA256 f5c7dbba9bd425a19cc76b255d37b9b2073f64f6ba8d39e3654abd4ae808e9e1
SHA512 f4dd3cca8180ac18d65524e09192df26bbf0a68435fe10bcc400074aa835724759ed943ba0d77fd1cb073c4bcbe1da1fa86ed40fa0c866fce603bfaaf31e3e11

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 55af92a30b6bb53a0cea1ec712c1f4e4
SHA1 a274b5e239ef0b539ea9b9e18219a37dedef646a
SHA256 7ce7b8b1e14d53709b152359ffc82ab33bd70fa34752df5afc4ef13daa528cf8
SHA512 eb9688d7ed7a28f55b9f26aefde3dd779f48c3df72b1799301e32a2dd84c3d11eed1b0693cdbc79da48fd0bf365ef10c0d2c25a24cc1deba0a2714343e460e2d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 d8d261a02670dfd9b84b4ff069f7c07a
SHA1 cf6c7d26eedb5c9ede7adf045776e4dbd1a2a844
SHA256 40421cb5abec2a9a40f98ba4f5618a7f94ed32045383e78937476fea1ea6c694
SHA512 ed4623784bebce5d709266008d1dccc14e3de91be65447e6f904c0f3201c15cd9cb3a35bcae2ae6d8eb52ff195360319aa03d338fea88462679ae95cb6eeca00

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 505a174e740b3c0e7065c45a78b5cf42
SHA1 38911944f14a8b5717245c8e6bd1d48e58c7df12
SHA256 024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d
SHA512 7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\scoped_dir5072_2111437461\858e9dc2-9cda-4bf8-9f8f-f6152f7d31d4.tmp

MD5 541f52e24fe1ef9f8e12377a6ccae0c0
SHA1 189898bb2dcae7d5a6057bc2d98b8b450afaebb6
SHA256 81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82
SHA512 d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

C:\Users\Admin\AppData\Local\Temp\scoped_dir5072_2111437461\CRX_INSTALL\_locales\en\messages.json

MD5 dbedf86fa9afb3a23dbb126674f166d2
SHA1 5628affbcf6f897b9d7fd9c17deb9aa75036f1cc
SHA256 c0945dd5fdecab40c45361bec068d1996e6ae01196dce524266d740808f753fe
SHA512 931d7ba6da84d4bb073815540f35126f2f035a71bfe460f3ccaed25ad7c1b1792ab36cd7207b99fddf5eaf8872250b54a8958cf5827608f0640e8aafe11e0071

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en\messages.json

MD5 91f5bc87fd478a007ec68c4e8adf11ac
SHA1 d07dd49e4ef3b36dad7d038b7e999ae850c5bef6
SHA256 92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9
SHA512 fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 984e9b59ac4e1dce557271d1443bde9f
SHA1 aeb10be3005ad41adc67c2ae352be54477cb7f23
SHA256 ba70bab4141292689592f3045d885c5050baa61476a2ca4fa2063b4365061899
SHA512 fafb37b0ab31910f43da7bf36e65ec8b1e2f129df846a0165c64450432565f17ab8f2bc5a2e03ea1b0d21ef40560e1028cbea641b7c85f2a8a9043f5bb217b02

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f1f3d6e8ca6fab70ea6af828be3c7137
SHA1 1c9923cf0c559a120a734d568f9dbec75cce2776
SHA256 4fc0678e69a787233024e46768b007800ef2d6d05536a393036fa6c2eb0af9f5
SHA512 43ca033dd2d258f56477c487d4b8ab7bc2161528fc8613cd666694dcae6e1fc29b01f615b6f381381a9c136b541d80c00a3d74b54c50b15a058333c98ca5ec7f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 93b3c0f4ce800eab0015146b2c8d2c1b
SHA1 9408d17a7b63cea2f26910e8da7084d3c6ebb93e
SHA256 ef92d55e42a9a614962e92c85eb1405668f418ba715147485717427629df876b
SHA512 cdedd1fbc9cfac6767d2642157529d6d3653d04ca3168f4d0f224084006b2d78d22512e3be3f0b972d566b8ad44b8c45270b71dc655b17551dc0ea0612ddd887

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 e60aca67367b4f80302eb5238cea7d00
SHA1 844993b80c301d6acb3fc6c6ea78f68267ac1c8a
SHA256 e9e102451dc970b9e886d7ec59cfb83a6d389835c10b5169203b0ce4789af5d0
SHA512 e517b6adaf3135e797a768235b05ee771ac01f81d46babc89cc523772b0a79c511a14453acc3c62019b5016f457616dcd479c2470a3a53560e8fb413eec234bd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9ce04d45a78405295cbccd716db39f0a
SHA1 a9d0086254ef6514a60c7680bab49bf4bc276e57
SHA256 e5cffd5984d2a9420c18a7b1eb1ab00abe9e66bb31741d1f9e883576419ac6b1
SHA512 358a948a5332fe7e2176f4ef8f120036a8d358687dffdb7c3816b1b142ccce70a8d2bfa7a428c7bbae883fbbbd1802ab25c042dff7ba913c7c0317297ba6d950

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\index

MD5 5698f8ac123b0fcfda5b3f78595afbc5
SHA1 3965a4744b05870dcc9a1c2af014cf228f3b2575
SHA256 c9850c00e44df6f3cbe09aa9d00adb909a0a89c7915076a6bcbec02f49799d57
SHA512 b8bd8dec16e8ecd740bf8c263fd5fba74347f1ff68935ac75643f477455915afa9e03ba7f4c3ee0825ac69ecf8a304c3686f072dbcb437f8aec6a9bdc70e50e5

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-24 15:47

Reported

2024-06-24 15:50

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google Chrome.msi"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Reads user/profile data of web browsers

spyware stealer

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\126.0.6478.63\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\c8fdfbb6-63d2-43fc-9d0e-68d54317a7fa.tmp C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\manifest.fingerprint C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\cs.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\MEIPreload\preloaded_data.pb C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\eventlog_provider.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\chrome.exe.sig C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\126.0.6478.63_chrome_installer.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\prefs.json C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Application\126.0.6478.63\Installer\chrmstp.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\d3dcompiler_47.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\dxil.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\ro.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\VisualElements\LogoBeta.png C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\chrome_wer.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\updater.log C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe58bee6.TMP C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\390b9936-395c-42a5-a0fd-261b00dc6d91.tmp C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\pt-BR.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\optimization_guide_internal.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\manifest.json C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\pl.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\pt-PT.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\vi.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\d63ee80a-5728-4269-91f4-e09bd7c0b7fc.tmp C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\chrome_200_percent.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\fi.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\it.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\ml.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\sr.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\mojo_core.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\126.0.6478.63.manifest C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\es.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\sk.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\sw.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\VisualElements\SmallLogoCanary.png C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\el.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\uninstall.cmd C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\updater.log C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\c8fdfbb6-63d2-43fc-9d0e-68d54317a7fa.tmp C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\updater.log C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\SETUP.EX_ C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\126.0.6478.63_chrome_installer.exe N/A
File created C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\126.0.6478.63_chrome_installer.exe N/A
File created C:\Program Files\Crashpad\settings.dat C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\en-US.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\nb.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\6fb71c39-7ecf-4807-8762-2ec5d418bb72.tmp C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\icudtl.dat C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\ca.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\es-419.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\efad75af-4606-4d99-9888-074d9a417c4e.tmp C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files (x86)\Google2648_1242177488\updater.7z C:\Users\Public\ChromeSetup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\nl.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\updater.log C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\prefs.json C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\Locales\ar.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\VisualElements\SmallLogoDev.png C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\126.0.6478.63\WidevineCdm\manifest.json C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source3232_2000416702\Chrome-bin\chrome_proxy.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIB0DF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58ae0e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAF57.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{CB9883B9-2574-434A-AE79-8FEF58247291} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58ae0e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAE7B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAF96.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\ChromeSetup.exe N/A
N/A N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\126.0.6478.63_chrome_installer.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\126.0.6478.63\elevation_service.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b7d72a8ac39dc2e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b7d72a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b7d72a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db7d72a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b7d72a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637177647482524" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Google\Chrome C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Google C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0\win64 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\ = "GoogleUpdater TypeLib for IUpdaterObserverSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\ = "IPolicyStatusValueSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{8582249A-7E37-5C77-A5F4-1FBFEAFCBC5F}\TypeLib C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib\ = "{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\ = "{6430040A-5EBD-4E63-A56F-C71D5990F827}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\TypeLib C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8582249A-7E37-5C77-A5F4-1FBFEAFCBC5F}\TypeLib C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\ = "IUpdaterObserverSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\TypeLib\ = "{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\LocalServer32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\0\win32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\ = "{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{534F5323-3569-4F42-919D-1E1CF93E5BF6} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib\ = "{27634814-8E41-4C35-8577-980134A96544}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD} C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatusValueSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B} C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\Version = "1.0" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\TypeLib C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\4" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\0\win64 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ = "IPolicyStatus" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\ = "IAppVersionWebSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 1004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1720 wrote to memory of 1004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1720 wrote to memory of 1004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1720 wrote to memory of 4720 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1720 wrote to memory of 4720 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1720 wrote to memory of 1464 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1720 wrote to memory of 1464 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1720 wrote to memory of 1464 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1720 wrote to memory of 1572 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe
PID 1720 wrote to memory of 1572 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe
PID 1720 wrote to memory of 1572 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe
PID 1720 wrote to memory of 2648 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\ChromeSetup.exe
PID 1720 wrote to memory of 2648 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\ChromeSetup.exe
PID 1720 wrote to memory of 2648 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\ChromeSetup.exe
PID 2648 wrote to memory of 968 N/A C:\Users\Public\ChromeSetup.exe C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe
PID 2648 wrote to memory of 968 N/A C:\Users\Public\ChromeSetup.exe C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe
PID 2648 wrote to memory of 968 N/A C:\Users\Public\ChromeSetup.exe C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe
PID 968 wrote to memory of 3424 N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe
PID 968 wrote to memory of 3424 N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe
PID 968 wrote to memory of 3424 N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe
PID 1324 wrote to memory of 2212 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
PID 1324 wrote to memory of 2212 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
PID 1324 wrote to memory of 2212 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
PID 1144 wrote to memory of 4016 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
PID 1144 wrote to memory of 4016 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
PID 1144 wrote to memory of 4016 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
PID 1144 wrote to memory of 2428 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\126.0.6478.63_chrome_installer.exe
PID 1144 wrote to memory of 2428 N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\126.0.6478.63_chrome_installer.exe
PID 2428 wrote to memory of 3232 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\126.0.6478.63_chrome_installer.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe
PID 2428 wrote to memory of 3232 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\126.0.6478.63_chrome_installer.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe
PID 3232 wrote to memory of 1928 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe
PID 3232 wrote to memory of 1928 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe
PID 3232 wrote to memory of 3288 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe
PID 3232 wrote to memory of 3288 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe
PID 3288 wrote to memory of 4920 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe
PID 3288 wrote to memory of 4920 N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe
PID 968 wrote to memory of 212 N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 968 wrote to memory of 212 N/A C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 4904 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 4904 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 212 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google Chrome.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1D426A75E324C88C89EB2CF7A6AF93B2 C

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3916,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2E63A71D884A087DC681EF93C624BA2C

C:\Users\Public\stdio\vtreamsetup.exe

"C:\Users\Public\stdio\vtreamsetup.exe"

C:\Users\Public\ChromeSetup.exe

"C:\Users\Public\ChromeSetup.exe"

C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe

"C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={C762F10F-9618-E247-304C-EB1133D8AFC3}&lang=zh-CN&browser=4&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2

C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe

"C:\Program Files (x86)\Google2648_1242177488\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xd52604,0xd52610,0xd5261c

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x482604,0x482610,0x48261c

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x482604,0x482610,0x48261c

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\126.0.6478.63_chrome_installer.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\126.0.6478.63_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\81e1f537-991e-42c1-bb37-05dfa2d8ae2e.tmp"

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\81e1f537-991e-42c1-bb37-05dfa2d8ae2e.tmp"

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.63 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff67c7b46a8,0x7ff67c7b46b4,0x7ff67c7b46c0

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1144_1954201575\CR_A6698.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.63 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff67c7b46a8,0x7ff67c7b46b4,0x7ff67c7b46c0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.63 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe9dca1c70,0x7ffe9dca1c7c,0x7ffe9dca1c88

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,13362719026169125149,12154629551647078348,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2044,i,13362719026169125149,12154629551647078348,262144 --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2268,i,13362719026169125149,12154629551647078348,262144 --variations-seed-version --mojo-platform-channel-handle=2452 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,13362719026169125149,12154629551647078348,262144 --variations-seed-version --mojo-platform-channel-handle=3164 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,13362719026169125149,12154629551647078348,262144 --variations-seed-version --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4324,i,13362719026169125149,12154629551647078348,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:1

C:\Program Files\Google\Chrome\Application\126.0.6478.63\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\126.0.6478.63\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4760,i,13362719026169125149,12154629551647078348,262144 --variations-seed-version --mojo-platform-channel-handle=4816 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4800,i,13362719026169125149,12154629551647078348,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4772,i,13362719026169125149,12154629551647078348,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=5204,i,13362719026169125149,12154629551647078348,262144 --variations-seed-version --mojo-platform-channel-handle=4824 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 www.baiodu.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 update.googleapis.com udp
GB 216.58.204.67:443 update.googleapis.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 172.217.169.67:80 o.pki.goog tcp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 123.35.104.34.in-addr.arpa udp
US 8.8.8.8:53 hehua.cookielive.top udp
HK 154.197.49.2:3190 hehua.cookielive.top tcp
HK 154.197.49.2:3190 hehua.cookielive.top tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.google.com udp
IE 209.85.203.84:443 accounts.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.203.85.209.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 update.googleapis.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 216.58.204.67:443 update.googleapis.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
HK 154.197.49.2:3190 hehua.cookielive.top tcp
HK 154.197.49.2:3190 hehua.cookielive.top tcp

Files

C:\Users\Admin\AppData\Local\Temp\MSIF702.tmp

MD5 c7fbd5ee98e32a77edf1156db3fca622
SHA1 3e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256 e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA512 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

C:\Users\Public\stdio\vtreamsetup.exe

MD5 b575cfefd5c7b14f4743ef2ad74b2736
SHA1 f433813501a7b5b96186bb02fe69ca01580627ed
SHA256 a38708da0db2003a1d14ed1e9d45a9ecb30a6294d472692f804ffb0cea70334b
SHA512 ea912b2589142f1a89ef84e503bf65999beb7aa76d2aa50e1e7edc178bf841debed906fc11da555a004fc715f52fa09baf3a3fe4b42c33e5c9cf811eba676e5e

C:\Users\Public\stdio\mfc140u.dll

MD5 06f307b7ddb0994b448b9786cf5811b8
SHA1 4d70c5206e84b23916e4c686f430e5dcdc70dfc3
SHA256 dde3c8e9e7d414913a29979798311d095c1b8869ee405a1c3fcbba14da90446d
SHA512 b26bcfca4569ce9fb4b7196c952ce38b0e3a30aeff2e7ac4b2ea1c695c658c1d92029fb7e31ad231e62de8dff2a86ab3821aa1f9d5c944d88b263d88efeca16a

C:\Users\Public\stdio\QKPhotoshopMgr.dll

MD5 a1b899fd31bff8b4d87e2edd78006b31
SHA1 199280dabac2c32324c59ec8da76c0126e5710e7
SHA256 09c6a24b0714da6e4bef6ed8070f6986c005cd974c35a4f7a9f406b88ee038b3
SHA512 40d9466ee6ae644c19e9c2f505370ed647379c6d3389a908ad32f24ed0cf6ef95728192a443324fde3a312b1fd31a4eb3ea616881595dac6ee1b4a047b948a17

C:\Users\Public\stdio\DuiLib.dll

MD5 a3b393d6604c40c51f9f28533161ab81
SHA1 19480433f1a094f135eff78e4b63c5b47411f333
SHA256 a830e40e43aef4d9d7b7eeb6d94c17cd2cb11be7f3ee8adce2399ec5c0a6049c
SHA512 12c460443ae98c0a57abe98e8d70802367d9fe2a14faf66164a094ffdb10ee6d8a6b41e4c96e58a423218f3653ea56d804ed15614ff6957948025f78389c3313

C:\Users\Public\stdio\libcurl.dll

MD5 ca9a7555db63862a9f0f67373543c5eb
SHA1 11d432817bb623bb043f135fc553e025b6be9913
SHA256 5a2f4ee38f33251312ba41255f33b4039413704bc4d6b4a321ba8c280f3fa520
SHA512 7fdf78db9ac9a84c1c6fd4b293bfd82fbcce97a87ba7ac45ca86ab7f338015b6ee38099ab0a4237aa938e25d97e91f10ceec9f2a6bd8c782814a82fa2e77346f

C:\Users\Public\stdio\opencv_highgui2413.dll

MD5 f6a0b1bf98161f7231039f6ffceee155
SHA1 7f888d40d50ae85490e2126c9f9a14ce78d4c7d0
SHA256 1ad5b3f2447a6d48e3ade61cbdc4abb0f18f3dbc8b7dcd3b050d60c68197d0df
SHA512 69ea3f74d40a5aecedb5ea120e01a5cd348af9542f16124973b028a3e2965d3d63a804d0bab1bdd4b548e55f8bb21365605b241891993177cfc08608d895764b

C:\Users\Public\stdio\LIBEAY32.dll

MD5 1707bc560de9c69ae7325b6f63c8ec96
SHA1 d15e908a921cd17fbcfe0000b264d52e8fd413e7
SHA256 648a673ec8504f8255de37996a21895279985e011124e8ff2c7249271d5890cb
SHA512 941b3a76d43626d3d8e369437b83e63689eb3f8ecf90737a2d2df8df1c38e19e02146938af12d0fa9850ba3154ad60d74c5e4b80cae4ff6e3bff9d2583538ad5

memory/1572-298-0x00000000039F0000-0x0000000003A86000-memory.dmp

memory/1572-299-0x0000000003B10000-0x0000000003B8B000-memory.dmp

C:\Users\Public\stdio\opencv_imgproc2413.dll

MD5 27e2d298d6905a73ea98b7a2c4c889c5
SHA1 600eb3e14e20f91c7e9788bf3cde864f9e1bc17c
SHA256 f67e68461b7fa1bdf83b00020affc17c203e5d5fb6d051c00d2654e181115f8f
SHA512 751cceddd052cb3a540b842ed9a69f0842f3c1a5d503555ba990838550b0e784dafc577e0070383af7cfe36bf51a4944b9a9fadfbcfdbcc92ba6deb52ff30f95

C:\Users\Public\stdio\opencv_core2413.dll

MD5 b83a304b66f3c9799cae2be75bec361b
SHA1 d7ccc4067af699e62f9a7f9001589d3d8c7f4ac6
SHA256 b0f02252f1cee1826f3b193e682344a8d9785e424e8009b60a7700e5c88271c8
SHA512 dfa3dfa9faf6a85af25fa4f12726ec27075053112e9455461e435ff424bff0635bd624c39c2e15f962b4aab3a6374b23024e7d805e0e8f2d54df1f92e7edd6f2

C:\Users\Public\stdio\libmysql.dll

MD5 fcd72aa6a80b75556057d77b729f17c5
SHA1 8689cd54043136e644c82cb8eae419a5d43289ca
SHA256 6a59443d3a5cf8572e2e80b5987040ddbf2630e14036204a3bf77ce27e02d918
SHA512 e2c7c02ec1b997c3888ce20e8a3ac4c84a4e36a6e1c37aaf1a65983096ba64e60fbe61ca988821a1807872e9bf284cc577938db5957abcb57555321a7e36c7ba

C:\Users\Public\stdio\msc.dll

C:\Users\Public\stdio\alibabacloud-oss-cpp-sdk.dll

C:\Users\Public\stdio\vcruntime140.dll

C:\Users\Public\stdio\QKHook.dll

C:\Users\Public\stdio\QKPlugin.dll

C:\Users\Public\stdio\QKResource.dll

C:\Users\Public\stdio\QKRecord.dll

C:\Users\Public\stdio\Plugin.dll

C:\Users\Public\stdio\QKParameterMgr.dll

C:\Users\Public\stdio\QKGuide.dll

C:\Users\Public\stdio\msvcp140.dll

C:\Config.Msi\e58ae0f.rbs

C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

C:\Program Files\Google\Chrome\Application\126.0.6478.63\Installer\setup.exe

C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-24 15:47

Reported

2024-06-24 15:50

Platform

win11-20240508-en

Max time kernel

127s

Max time network

137s

Command Line

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google Chrome.msi"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 3808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3176 wrote to memory of 3808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3176 wrote to memory of 3808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google Chrome.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 31C4A9C6901EF85103061E45254E1F3E C

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI828E.tmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 15:47

Reported

2024-06-24 15:50

Platform

win7-20240611-en

Max time kernel

137s

Max time network

147s

Command Line

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google Chrome.msi"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI8EC8.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f768e6b.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f768e6b.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f768e6a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f768e6a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9020.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\ChromeSetup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\stdio\vtreamsetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 2252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 2252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 2252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 2252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 2252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 2252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 2252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2800 wrote to memory of 880 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe
PID 2800 wrote to memory of 880 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe
PID 2800 wrote to memory of 880 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe
PID 2800 wrote to memory of 880 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe
PID 2800 wrote to memory of 880 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe
PID 2800 wrote to memory of 880 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe
PID 2800 wrote to memory of 880 N/A C:\Windows\system32\msiexec.exe C:\Users\Public\stdio\vtreamsetup.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google Chrome.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding ADE1D9220574D996E94D8C0E7D5E279F C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C8" "000000000000057C"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B1BA862476C2A51B513863462417B7F5

C:\Users\Public\stdio\vtreamsetup.exe

"C:\Users\Public\stdio\vtreamsetup.exe"

C:\Users\Public\ChromeSetup.exe

"C:\Users\Public\ChromeSetup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baiodu.com udp
US 8.8.8.8:53 hehua.cookielive.top udp
HK 154.197.49.2:3190 hehua.cookielive.top tcp
HK 154.197.49.2:3190 hehua.cookielive.top tcp
HK 154.197.49.2:3190 hehua.cookielive.top tcp
HK 154.197.49.2:3190 hehua.cookielive.top tcp

Files

C:\Users\Admin\AppData\Local\Temp\MSIFD9.tmp

C:\Users\Public\stdio\vtreamsetup.exe

C:\Users\Public\stdio\mfc140u.dll

C:\Users\Public\ChromeSetup.exe

C:\Users\Public\stdio\VCRUNTIME140.dll

C:\Users\Public\stdio\api-ms-win-crt-runtime-l1-1-0.dll

C:\Users\Public\stdio\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Public\stdio\api-ms-win-core-file-l2-1-0.dll

C:\Users\Public\stdio\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Public\stdio\api-ms-win-core-synch-l1-2-0.dll

C:\Users\Public\stdio\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Public\stdio\api-ms-win-core-file-l1-2-0.dll

C:\Users\Public\stdio\api-ms-win-crt-heap-l1-1-0.dll

C:\Users\Public\stdio\api-ms-win-crt-string-l1-1-0.dll

C:\Users\Public\stdio\api-ms-win-crt-stdio-l1-1-0.dll

C:\Users\Public\stdio\api-ms-win-crt-convert-l1-1-0.dll

C:\Users\Public\stdio\api-ms-win-crt-utility-l1-1-0.dll

C:\Users\Public\stdio\api-ms-win-crt-math-l1-1-0.dll

C:\Users\Public\stdio\api-ms-win-crt-time-l1-1-0.dll

C:\Users\Public\stdio\api-ms-win-crt-filesystem-l1-1-0.dll

C:\Users\Public\stdio\api-ms-win-crt-multibyte-l1-1-0.dll

\Users\Public\stdio\api-ms-win-crt-environment-l1-1-0.dll

\Users\Public\stdio\api-ms-win-crt-locale-l1-1-0.dll

\Users\Public\stdio\msvcp140.dll

C:\Users\Public\stdio\QKGuide.dll

C:\Users\Public\stdio\DuiLib.dll

C:\Users\Public\stdio\QKHook.dll

C:\Users\Public\stdio\Plugin.dll

C:\Config.Msi\f768e6c.rbs

memory/880-298-0x0000000001190000-0x0000000001226000-memory.dmp

memory/880-299-0x0000000000980000-0x00000000009FB000-memory.dmp