821a15cebe42d5fffcb9d3b320d2681f666d67c542b146d1773c046d148bf22a

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google Chrome-Setup.msi
Size

93.0MB
MD5

76f805e3362d8a4def6cf6504465e4eb
SHA1

1580d5dc8ab764ad761d8cc9e88e58aeefc94ead
SHA256

821a15cebe42d5fffcb9d3b320d2681f666d67c542b146d1773c046d148bf22a
SHA512

841eca8697e5d022721ae5c454ffdbbbb9c4b487821b048eb6fa30562aa9e11d2fc58f8fcd6c83be6fa3381dffdbbdb0cb7a3fa861a8057349b053a06c520efd
SSDEEP

1572864:U4gwS8N/MScQm38g5LPZA0W257RvU7UPcs4QfDqQyHxIbBI4oCSKmDYYPb8sQHXX:R9S8N/M/xLP4aO7S9ffU0SxHsH1XR

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\Mylnk\\dick.lnk"	reg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	tracerpt.exe
File opened (read-only)	\??\V:	tracerpt.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	tracerpt.exe
File opened (read-only)	\??\J:	tracerpt.exe
File opened (read-only)	\??\L:	tracerpt.exe
File opened (read-only)	\??\T:	tracerpt.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	tracerpt.exe
File opened (read-only)	\??\S:	tracerpt.exe
File opened (read-only)	\??\Z:	tracerpt.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	tracerpt.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	tracerpt.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	tracerpt.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	tracerpt.exe
File opened (read-only)	\??\Y:	tracerpt.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	tracerpt.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	tracerpt.exe
File opened (read-only)	\??\X:	tracerpt.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	tracerpt.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	tracerpt.exe
File opened (read-only)	\??\O:	tracerpt.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	tracerpt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4068 set thread context of 5528	4068	Agghosts.exe	123

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Googlr Setup\Googlr Setup\qucc.dll	msiexec.exe
File created	C:\Program Files (x86)\Googlr Setup\Googlr Setup\CR_3BC48.tmp\setup.exe	1.exe
File opened for modification	C:\Program Files (x86)\Googlr Setup\Googlr Setup\CR_3BC48.tmp\SETUP.EX_	1.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File created	C:\Program Files (x86)\Googlr Setup\Googlr Setup\1.exe	msiexec.exe
File created	C:\Program Files (x86)\Googlr Setup\Googlr Setup\CR_3BC48.tmp\SETUP.EX_	1.exe
File opened for modification	C:\Program Files (x86)\Googlr Setup\Googlr Setup\CR_3BC48.tmp\setup.exe	1.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File created	C:\Program Files (x86)\Googlr Setup\Googlr Setup\CR_3BC48.tmp\CHROME.PACKED.7Z	1.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FFB560CF-9930-43E9-9D6E-6193956B7D00}	msiexec.exe
File created	C:\Windows\Installer\e5834b9.msi	msiexec.exe
File created	C:\Windows\Installer\e5834b7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3564.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3544.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI373A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5834b7.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
4068	Agghosts.exe
4364	1.exe
3624	setup.exe
4936	setup.exe

Loads dropped DLL 10 IoCs

pid	Process
1376	MsiExec.exe
1376	MsiExec.exe
1376	MsiExec.exe
1376	MsiExec.exe
1376	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe
4068	Agghosts.exe
4068	Agghosts.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tracerpt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agghosts.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9aa8484b1ca68e90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9aa84840000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9aa8484000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9aa8484000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9aa848400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133683712568552857"	chrome.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0138AA8F0C790F942BC9C2FEB477D4B5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FC065BFF03999E34D9E6163959B6D700	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\PackageCode = "B7FF347B94E6FC442B67E35D2A6B977F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0138AA8F0C790F942BC9C2FEB477D4B5\FC065BFF03999E34D9E6163959B6D700	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\ProductName = "Googlr Setup"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\Language = "4100"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\HELPDIR	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FC065BFF03999E34D9E6163959B6D700\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\SourceList\PackageName = "Google Chrome-Setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FC065BFF03999E34D9E6163959B6D700\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
652	msiexec.exe
652	msiexec.exe
4132	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe
1924	chrome.exe
1924	chrome.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe
5528	tracerpt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4196	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4196	msiexec.exe
Token: SeSecurityPrivilege	652	msiexec.exe
Token: SeCreateTokenPrivilege	4196	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4196	msiexec.exe
Token: SeLockMemoryPrivilege	4196	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4196	msiexec.exe
Token: SeMachineAccountPrivilege	4196	msiexec.exe
Token: SeTcbPrivilege	4196	msiexec.exe
Token: SeSecurityPrivilege	4196	msiexec.exe
Token: SeTakeOwnershipPrivilege	4196	msiexec.exe
Token: SeLoadDriverPrivilege	4196	msiexec.exe
Token: SeSystemProfilePrivilege	4196	msiexec.exe
Token: SeSystemtimePrivilege	4196	msiexec.exe
Token: SeProfSingleProcessPrivilege	4196	msiexec.exe
Token: SeIncBasePriorityPrivilege	4196	msiexec.exe
Token: SeCreatePagefilePrivilege	4196	msiexec.exe
Token: SeCreatePermanentPrivilege	4196	msiexec.exe
Token: SeBackupPrivilege	4196	msiexec.exe
Token: SeRestorePrivilege	4196	msiexec.exe
Token: SeShutdownPrivilege	4196	msiexec.exe
Token: SeDebugPrivilege	4196	msiexec.exe
Token: SeAuditPrivilege	4196	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4196	msiexec.exe
Token: SeChangeNotifyPrivilege	4196	msiexec.exe
Token: SeRemoteShutdownPrivilege	4196	msiexec.exe
Token: SeUndockPrivilege	4196	msiexec.exe
Token: SeSyncAgentPrivilege	4196	msiexec.exe
Token: SeEnableDelegationPrivilege	4196	msiexec.exe
Token: SeManageVolumePrivilege	4196	msiexec.exe
Token: SeImpersonatePrivilege	4196	msiexec.exe
Token: SeCreateGlobalPrivilege	4196	msiexec.exe
Token: SeCreateTokenPrivilege	4196	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4196	msiexec.exe
Token: SeLockMemoryPrivilege	4196	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4196	msiexec.exe
Token: SeMachineAccountPrivilege	4196	msiexec.exe
Token: SeTcbPrivilege	4196	msiexec.exe
Token: SeSecurityPrivilege	4196	msiexec.exe
Token: SeTakeOwnershipPrivilege	4196	msiexec.exe
Token: SeLoadDriverPrivilege	4196	msiexec.exe
Token: SeSystemProfilePrivilege	4196	msiexec.exe
Token: SeSystemtimePrivilege	4196	msiexec.exe
Token: SeProfSingleProcessPrivilege	4196	msiexec.exe
Token: SeIncBasePriorityPrivilege	4196	msiexec.exe
Token: SeCreatePagefilePrivilege	4196	msiexec.exe
Token: SeCreatePermanentPrivilege	4196	msiexec.exe
Token: SeBackupPrivilege	4196	msiexec.exe
Token: SeRestorePrivilege	4196	msiexec.exe
Token: SeShutdownPrivilege	4196	msiexec.exe
Token: SeDebugPrivilege	4196	msiexec.exe
Token: SeAuditPrivilege	4196	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4196	msiexec.exe
Token: SeChangeNotifyPrivilege	4196	msiexec.exe
Token: SeRemoteShutdownPrivilege	4196	msiexec.exe
Token: SeUndockPrivilege	4196	msiexec.exe
Token: SeSyncAgentPrivilege	4196	msiexec.exe
Token: SeEnableDelegationPrivilege	4196	msiexec.exe
Token: SeManageVolumePrivilege	4196	msiexec.exe
Token: SeImpersonatePrivilege	4196	msiexec.exe
Token: SeCreateGlobalPrivilege	4196	msiexec.exe
Token: SeCreateTokenPrivilege	4196	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4196	msiexec.exe
Token: SeLockMemoryPrivilege	4196	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4196	msiexec.exe
1924	chrome.exe
1924	chrome.exe
1924	chrome.exe
5984	chrmstp.exe
4196	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4132	MsiExec.exe
5528	tracerpt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 1376	652	msiexec.exe	87
PID 652 wrote to memory of 1376	652	msiexec.exe	87
PID 652 wrote to memory of 1376	652	msiexec.exe	87
PID 652 wrote to memory of 1716	652	msiexec.exe	103
PID 652 wrote to memory of 1716	652	msiexec.exe	103
PID 652 wrote to memory of 4132	652	msiexec.exe	105
PID 652 wrote to memory of 4132	652	msiexec.exe	105
PID 652 wrote to memory of 4132	652	msiexec.exe	105
PID 4132 wrote to memory of 2948	4132	MsiExec.exe	108
PID 4132 wrote to memory of 2948	4132	MsiExec.exe	108
PID 4132 wrote to memory of 2948	4132	MsiExec.exe	108
PID 4132 wrote to memory of 4364	4132	MsiExec.exe	110
PID 4132 wrote to memory of 4364	4132	MsiExec.exe	110
PID 4364 wrote to memory of 3624	4364	1.exe	111
PID 4364 wrote to memory of 3624	4364	1.exe	111
PID 3624 wrote to memory of 4936	3624	setup.exe	112
PID 3624 wrote to memory of 4936	3624	setup.exe	112
PID 3624 wrote to memory of 1924	3624	setup.exe	113
PID 3624 wrote to memory of 1924	3624	setup.exe	113
PID 1924 wrote to memory of 3836	1924	chrome.exe	114
PID 1924 wrote to memory of 3836	1924	chrome.exe	114
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 2632	1924	chrome.exe	115
PID 1924 wrote to memory of 3844	1924	chrome.exe	116
PID 1924 wrote to memory of 3844	1924	chrome.exe	116
PID 1924 wrote to memory of 2800	1924	chrome.exe	117
PID 1924 wrote to memory of 2800	1924	chrome.exe	117
PID 1924 wrote to memory of 2800	1924	chrome.exe	117
PID 1924 wrote to memory of 2800	1924	chrome.exe	117
PID 1924 wrote to memory of 2800	1924	chrome.exe	117
PID 1924 wrote to memory of 2800	1924	chrome.exe	117
PID 1924 wrote to memory of 2800	1924	chrome.exe	117
PID 1924 wrote to memory of 2800	1924	chrome.exe	117
PID 1924 wrote to memory of 2800	1924	chrome.exe	117
PID 1924 wrote to memory of 2800	1924	chrome.exe	117
PID 1924 wrote to memory of 2800	1924	chrome.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google Chrome-Setup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4196

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E1E0704C257B81B8136E80A4BB4BAE1B C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1376
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1716
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 79B3B446E06389853426E810C90EE0C0
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\Mylnk\dick.lnk" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2948
- - C:\Program Files (x86)\Googlr Setup\Googlr Setup\1.exe
    "C:\Program Files (x86)\Googlr Setup\Googlr Setup\\1.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Program Files (x86)\Googlr Setup\Googlr Setup\CR_3BC48.tmp\setup.exe
      "C:\Program Files (x86)\Googlr Setup\Googlr Setup\CR_3BC48.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Googlr Setup\Googlr Setup\CR_3BC48.tmp\CHROME.PACKED.7Z"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3624
    - - C:\Program Files (x86)\Googlr Setup\Googlr Setup\CR_3BC48.tmp\setup.exe
        
        "C:\Program Files (x86)\Googlr Setup\Googlr Setup\CR_3BC48.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x7ff660ed1148,0x7ff660ed1158,0x7ff660ed1168
        5⤵
        Executes dropped EXE
        
        PID:4936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        5⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1924
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe42f7cc40,0x7ffe42f7cc4c,0x7ffe42f7cc58
        6⤵
        
        PID:3836
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,923331186338007552,9475067286382861047,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1984 /prefetch:2
        6⤵
        
        PID:2632
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,923331186338007552,9475067286382861047,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2020 /prefetch:3
        6⤵
        
        PID:3844
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,923331186338007552,9475067286382861047,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2468 /prefetch:8
        6⤵
        
        PID:2800
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,923331186338007552,9475067286382861047,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3104 /prefetch:1
        6⤵
        
        PID:380
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2888,i,923331186338007552,9475067286382861047,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3140 /prefetch:1
        6⤵
        
        PID:1612
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,923331186338007552,9475067286382861047,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4528 /prefetch:1
        6⤵
        
        PID:1972
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,923331186338007552,9475067286382861047,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:8
        6⤵
        
        PID:5832
      - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        6⤵
        Drops file in Program Files directory
        
        PID:5900
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff62fed4698,0x7ff62fed46a4,0x7ff62fed46b0
        7⤵
        Drops file in Program Files directory
        
        PID:5920
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
        7⤵
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:5984
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff62fed4698,0x7ff62fed46a4,0x7ff62fed46b0
        8⤵
        Drops file in Program Files directory
        
        PID:6000
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,923331186338007552,9475067286382861047,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5012 /prefetch:8
        6⤵
        
        PID:5972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2816

C:\hnqfbf\Agghosts.exe
"C:\hnqfbf\Agghosts.exe" 67
1⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4068
- C:\Windows\SysWOW64\tracerpt.exe
  "C:\Windows\SysWOW64\tracerpt.exe"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5528
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    PID:5736

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5834b8.rbs

Filesize
8KB

MD5
fe6b47c0c44a16cfaa3b9925284a73f7

SHA1
a228ec65a787932172d9e9ed1e5ca1b30d33b5e1

SHA256
1c3863bb43affa45c624da447834300e64de8d749cefa300efdecdab1b4930e9

SHA512
b34d65b179722d386506daed7c260a1cca7e8b76f2dcc46c6f0f910eabde00e9323b31fdf680a7d078c1dc8e13021980f4f7c77ca80b05b78ee38858f08880cf

Download Submit
C:\Program Files (x86)\Googlr Setup\Googlr Setup\CR_3BC48.tmp\setup.exe

Filesize
4.7MB

MD5
b42b8ac29ee0a9c3401ac4e7e186282d

SHA1
69dfb1dd33cf845a1358d862eebc4affe7b51223

SHA256
19545e8376807bce8a430c37cab9731e85052103f769dd60a5da3d93ca68c6ec

SHA512
b5269e7392e77a0fa850049ff61e271c5aab90d546945b17a65cc2ea6420432ae56321e1e39cfd97ccdb3dfc37ddbd6ff77907f5685cc2323b8635c8cdb4a84f

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
7e5aa4109d15ecfd7c800777bf8536df

SHA1
daf9a682a914271118ffacd309e494b2a85badb0

SHA256
905a21267d0d2781d4b381e80503c5151f9ad33dac3be6dca83f50dfb7cdee02

SHA512
7ff72305ba56d94f76c514667b49683e2f53c308b1313d91d632810823c6a6b2b7ef7313d58fd343b2bc753e875dc7ceea967f8eb5a96b64f4e5bd639a5154eb

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\2d2dc4ac-ffe6-4e17-8683-e813ded8b25d.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
eb942bdb6305f3315f94ae3c05f48dbb

SHA1
7674299d7f21d68d74ebbcb1de993f2c99ea6a1a

SHA256
e306a68470836c921619dbbd8ec7c697a25625402fc95add71250d41231787dc

SHA512
1509991d75b19506b3c4fbee4b75b5caee8e5f1ec7c810d4cbe21ef9ffc32b472851c25da616fcf8cdd9a4b4e57bc5625eafa3d1803f2e41c888d449a2972c4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d968f50e9da99ff35d0f0fe5445c0f36

SHA1
c802cc27020f10ac3f5cc55acb838aaa877438a6

SHA256
135da6657fd7a08f5ac0c2d93057200d7934f7bb72ecf2fdfb1e07f5468ebaa7

SHA512
110f93b5d52f028baa459e040f254b6c8f62ce61b062a374ffb82d125fcb6a76b0c68e42ad9861bd083d011a1bd24620d46f01ac1c04eda8b1ac60c873209a7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
37f42a06977a6c056f895118355711bb

SHA1
48a9ed08bd07f630b380a7003d1f505cfe3e52db

SHA256
ab520fd5a30e7cab22f83066c67bb2064583b5e7d3868a792df7a600fa4130b3

SHA512
89bcb8816f65336edc78cbe44b3edf15fdbda9e2476f806b631750d2808a8b55130d4058b9b8f5e9e2679f9db754331adb624aad9add0445bea759b01fcc3107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e52ff18ef9695a10b47b7ac40c3f2a5e

SHA1
e1d50d0e2c8fc99e2435eac831d68cca640f1933

SHA256
2afa0c1eb1ba5bc4e285058dd8a9f8663d52dd7ef957237075fcc8cf57a194e1

SHA512
ef26f66eae5fdd7b2927803015f683d7ae56049884319748ca82e9c6f1a79692d90a88074a7e960bd6ae0a4bcc563f68ef32164a65765dd41b4cdb7a128aba04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b93218d5715805643d83c5e0a0527161

SHA1
dc19b96c76eec111718370de4a2b7fecc7055f9b

SHA256
b329d4734189ddaf6d2d811da899fb54205a70b8fbe434a84b660db1c2efe901

SHA512
7589d5160d513f17a287c1de1f136fcc6f21df8e21f6ede1d7d20ca4943a86cbf0ada497f49d01a30b8eb026ebe56d54afbc6bccc930ade0ee1ee028a842307c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
006fdbfb9b1c463f13cfb455f6751d73

SHA1
2335a4e2675863717c464f7cac819801bcc3e4b6

SHA256
61429204af1e1fa8f38912adbd5dd4c818f30eec249be7dc670626318d3f51b2

SHA512
23a9ff89f9d704ca4db6db6de0e67121b9cd7a4ef624226cf1ea8dc428db48c3d21b92d9051b63bb677c60cc5ce8636ca273c53b62b3d68e1f153d564bbfb405

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6611f38ceef9b6827a6c568d11ef1d66

SHA1
46d5b3b1d544c08c436209dc87de2c0abfe087a9

SHA256
8b489b1eb78a27ff60ef9de97b1009ec261e66825f0246a57be0eb507acbfb5c

SHA512
68a542e418998531b871167b890a29e2766cf9c72c794afbc67c7cc3a3084877ffdf199259055101d133a075c64c8c92d54508424ac6b67b84fd80c4e45576ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe588596.TMP

Filesize
1KB

MD5
b77390e666804d2d4b63ee7d333869de

SHA1
bef199c56bdd8befde72369097fb517cae3e5653

SHA256
3ab6d2b4d9d99f7da257f2693bb90b05f5fc8a9bf6b1b718a4f080780df2a4c7

SHA512
915a5ba9fcfd7da0c355f4ceea7c23603176263f92d5d8ff9955785e79121e5c1c4dd222133c65e778b2f0dfe6dcbcbf5fda5622859c9b37832447a68fb0305e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a5056ae885512010e38a34ea4e0bd399

SHA1
0078664822c00874ccfb7c86a888ee9780bcd4e0

SHA256
d7f11492a7aec1f181de369c10a68e932154679fb2ddc5d7ce9653fb1f9b198c

SHA512
f7e6f78f404251669c8d1e68da692f5c693b7159e1068b9d7f2f5738a8e865b0827df3503875946e776699b3a6590c3567267308e0d037c9dca98742adc66761

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
24cfd0d3db240c677b13d3fa8f5d2477

SHA1
c9f0ed00cde629e8a811b5f163cf1d66fdb83fd7

SHA256
57285dee14aa061c4a9e6f55a7a4ba560371193af4555dbbe41e26d586afa3b9

SHA512
848f6ebff3411dccaa3e41c24c15798366fc55e6218ac212b310c9726c2443b0bf5bda7aa4a0dcefe4a937574c25b5357eee22b9ffd84ec1de1f752058581527

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
cf40a4cd634d8ad8b6f85c4de149422d

SHA1
518f9367cd2079c80280e1dfe124cbf4e5dc03f7

SHA256
4a81faf46df2c8a4ccacf7ee86842b80d7f600cb77286b8fe3b321b89c00e365

SHA512
5ecd8f61feb038db6ebd712cb6382075f36bd6983eeb819fc9c9392450aaec22ccd744f8acb6766c28a893f6621884b8860b5ce3649b1613a88f54ae686f8d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIACE9.tmp

Filesize
550KB

MD5
bda991d64e27606ac1d3abb659a0b33b

SHA1
a87ee1430f86effa5488ae654704c40aca3424c6

SHA256
ffea8222126b77f8da93e27edbadeb8b97fb023ef0d6a51522c35688f66283ca

SHA512
94fe1eadd4b4325fc1a8c769180c6ecf92e2dbf9f8262d6746fada603929977f3d40100ba84cffb4074c6900a2b2d307355e6a5116e6f16d9d3173fa17ad461f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
2a43deb1bffb801c6c1502d63710e1c2

SHA1
76fac2b6b27476115ed31751d769acc21952aa6d

SHA256
e7c6c7a6d041cbbe9c356defb33aa387e1caec48b4c15f2caabbd5feb981c75f

SHA512
ed5699cb481d106516934de5cc7c8f0a8704b0dfa9ebcf4f7510542c6eb8566c81153ea9a1a4203155665eb6fe905fe0cbc8a0a3a402367338665498022e200b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
ea5c611bc599b5619cefcc20defe95c4

SHA1
50d16f6e99712c9a73f6e48442fe4d4c5d62ae79

SHA256
c117dc4b5f8e342ac424c63483a1fa47ec3a795d1473151d293ac78a6274dfdf

SHA512
243d7f105784c6e6daaf7044691cf1122bab1019b11116d0de1fd60da76fb232a55a13b906f33409d6320977a1514d78b843c0c22da769eb98d0c67674d9d43b

Download Submit
C:\hnqfbf\1.lnk

Filesize
1KB

MD5
4714b8fd760072cb8ba2c795bcd54b99

SHA1
385a49127225a0e826b8e5ca1a9fc11565911c6e

SHA256
6b1433f1569e524a37b029b2e77c824c988c645a18074e865c5b6881ece6fdca

SHA512
9e6bac25de1cb751ac17fd7f1a9f074ded0427c7d23a945f655b2f0a7f8be81b296662b57f4a90bcce7b86a53c7c48ace9213d16f5ccc16c5fb92518ea4dae20

Download Submit
C:\hnqfbf\Agghosts.exe

Filesize
111KB

MD5
a9b40e0b76aa5a292cb6052c6c2fd81d

SHA1
e15bba9e662ef45350720218617d563620c76823

SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

Download Submit
C:\hnqfbf\Ensup.log

Filesize
218KB

MD5
0ea5c7021018a45083ea4eb31f0fc34d

SHA1
d636419a870e4774feb272b73e5c9d57dae9485e

SHA256
b80d53a3d3ae6db48a7b1835aedb52e85291f35d55b61aa363994217b890dc8a

SHA512
a26e6461361b84da71396bdf8227c0d70f84589b92dd33c6549e1e035c4f5cfa778b4ca22b9ebfc380bd593a43260b53cb4b8f6ccb66381bdc64deb7755f9d79

Download Submit
C:\hnqfbf\vcruntime140.dll

Filesize
77KB

MD5
f107a3c7371c4543bd3908ba729dd2db

SHA1
af8e7e8f446de74db2f31d532e46eab8bbf41e0a

SHA256
00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

SHA512
fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
ba663155b2784da3311d5f844641dd49

SHA1
f89947139bc7a019d1fb3ec2d474089c8a8c1497

SHA256
2845ee86fb041fef7ecbc30eb4f228fca90e43449770bcacf3feb801dea3beae

SHA512
7543e387ee3e5aa7bfbd19c9479bf44701d9a29e5235488887ee27835af7cac886fffa043fb1256cafd40311abd174e8b4ec3298c85888670f8b78ef9ab23239

Download Submit
\??\Volume{8484aac9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{447ade21-87d3-4bd6-b96d-242c19bc69ec}_OnDiskSnapshotProp

Filesize
6KB

MD5
aaaf91314ddb4918b503af718cb01cab

SHA1
7ba9f8eb93272fe5da1d289cac4a57cde001591a

SHA256
d89af9b67c96c3f3a449f8e7e8c7cd989b83fc53eda0d706dcd610dda379f952

SHA512
0a175b2b022d9b57e1c473fd47d2457c27748020ff089b29454cc0bc3e7aecd347a7b7d058b409a7059da8fc790fc9efd22a84da8dc5fb067bfff2288a84a279

Download Submit
memory/4068-64-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/5528-198-0x0000000001180000-0x00000000011B8000-memory.dmp

Filesize
224KB

Download
memory/5528-203-0x0000000001180000-0x00000000011B8000-memory.dmp

Filesize
224KB

Download
memory/5528-204-0x0000000001180000-0x00000000011B8000-memory.dmp

Filesize
224KB

Download
memory/5528-177-0x0000000001180000-0x00000000011B8000-memory.dmp

Filesize
224KB

Download
memory/5528-199-0x0000000001180000-0x00000000011B8000-memory.dmp

Filesize
224KB

Download