gh0strat | 94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

银狐木马.msi
Size

28.7MB
MD5

bffddb889b7089cc6af3b9d9efb3c89d
SHA1

977fc679569271849068e704a53c57b09009f414
SHA256

94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43
SHA512

0c3d0db3b8d0c5a071cc3a140695d8ea1b1600c36add6a4c36e24effd9d4dc579ce6953386cc624406c8fb9d6ba436b7082a5e675799d3f860fd0df6a5946e93
SSDEEP

786432:tQ05JQsMXv0z+OEoBvTT1A7IXA5hPP4WhYw70FDDV:e0Tif06OXrT1AGw70FD5

Score

10^/10

gh0strat purplefox discovery evasion persistence privilege_escalation rat rootkit spyware stealer trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/3772-126-0x000000002BA40000-0x000000002BBFB000-memory.dmp	purplefox_rootkit
behavioral2/memory/3772-128-0x000000002BA40000-0x000000002BBFB000-memory.dmp	purplefox_rootkit
behavioral2/memory/3772-129-0x000000002BA40000-0x000000002BBFB000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/3772-126-0x000000002BA40000-0x000000002BBFB000-memory.dmp	family_gh0strat
behavioral2/memory/3772-128-0x000000002BA40000-0x000000002BBFB000-memory.dmp	family_gh0strat
behavioral2/memory/3772-129-0x000000002BA40000-0x000000002BBFB000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.90\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	ojZEoSUznz17.exe
File opened (read-only)	\??\K:	ojZEoSUznz17.exe
File opened (read-only)	\??\N:	ojZEoSUznz17.exe
File opened (read-only)	\??\Z:	ojZEoSUznz17.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	ojZEoSUznz17.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	ojZEoSUznz17.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	ojZEoSUznz17.exe
File opened (read-only)	\??\J:	ojZEoSUznz17.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	ojZEoSUznz17.exe
File opened (read-only)	\??\X:	ojZEoSUznz17.exe
File opened (read-only)	\??\M:	ojZEoSUznz17.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	ojZEoSUznz17.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	ojZEoSUznz17.exe
File opened (read-only)	\??\H:	ojZEoSUznz17.exe
File opened (read-only)	\??\L:	ojZEoSUznz17.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	ojZEoSUznz17.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	ojZEoSUznz17.exe
File opened (read-only)	\??\V:	ojZEoSUznz17.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	ojZEoSUznz17.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_058F778FC8346DE378B15A5652BAADD9	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_058F778FC8346DE378B15A5652BAADD9	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lTRNmTKwQzfm.exe.log	lTRNmTKwQzfm.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\129.0.6668.90_chrome_installer.exe	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\icudtl.dat	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\libGLESv2.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\os_update_handler.exe	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\ddd755bb-41b6-4d62-9077-35c868364be9.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\ddd755bb-41b6-4d62-9077-35c868364be9.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\chrome_100_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\ar.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\mr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\pl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\VisualElements\Logo.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\chrome_wer.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File created	C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe	OoRjJglzLJCL.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\8f0b5d75-2c1a-4493-b6cc-da83a1300fb8.tmp	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\CR_F60A3.tmp\setup.exe	129.0.6668.90_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\VisualElements\LogoBeta.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\VisualElements\LogoCanary.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\vk_swiftshader.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\bn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\da.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\el.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\ru.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\87081dba-4b1e-4525-9459-4215500de26c.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe58efca.TMP	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\chrome.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\chrome.dll.sig	setup.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\_metadata\verified_contents.json	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\uninstall.cmd	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\af.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\it.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\kn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\ml.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\VisualElements\LogoDev.png	setup.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	setup.exe
File created	C:\Program Files (x86)\Google696_135353443\updater.7z	ChromeSetup(1).exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\chrome.7z	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\tr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\fa.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\ja.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\sk.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\sl.pak	setup.exe
File created	C:\Program Files (x86)\Google696_1598435564\UPDATER.PACKED.7Z	ChromeSetup(1).exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\ur.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\87081dba-4b1e-4525-9459-4215500de26c.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\sw.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4256_936749117\Chrome-bin\129.0.6668.90\Locales\bg.pak	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe58a217.TMP	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\8f0b5d75-2c1a-4493-b6cc-da83a1300fb8.tmp	updater.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57bab5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bab5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D2129BB0-0088-4785-95E7-8B3E656E5BD9}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBED.tmp	msiexec.exe
File created	C:\Windows\Installer\e57bab7.msi	msiexec.exe

Executes dropped EXE 40 IoCs

pid	Process
1416	OoRjJglzLJCL.exe
1264	ojZEoSUznz17.exe
696	ChromeSetup(1).exe
2460	updater.exe
4356	updater.exe
2348	updater.exe
2832	updater.exe
4056	lTRNmTKwQzfm.exe
1604	updater.exe
4076	updater.exe
4140	lTRNmTKwQzfm.exe
1416	lTRNmTKwQzfm.exe
3604	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
2456	129.0.6668.90_chrome_installer.exe
4256	setup.exe
1684	setup.exe
3080	setup.exe
3260	setup.exe
4360	chrome.exe
2040	chrome.exe
4224	chrome.exe
1316	chrome.exe
4036	elevation_service.exe
4780	chrome.exe
3736	chrome.exe
3188	chrome.exe
992	chrome.exe
1104	chrome.exe
5076	chrome.exe
5228	chrome.exe
5236	chrome.exe
5552	chrome.exe
5660	chrome.exe
5764	chrome.exe
5800	chrome.exe
6072	chrome.exe
5752	chrome.exe
5548	updater.exe
5624	updater.exe

Loads dropped DLL 41 IoCs

pid	Process
4360	chrome.exe
2040	chrome.exe
4360	chrome.exe
4224	chrome.exe
4224	chrome.exe
1316	chrome.exe
1316	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4780	chrome.exe
3736	chrome.exe
4780	chrome.exe
3736	chrome.exe
3188	chrome.exe
3188	chrome.exe
992	chrome.exe
992	chrome.exe
1104	chrome.exe
1104	chrome.exe
5076	chrome.exe
5076	chrome.exe
5236	chrome.exe
5228	chrome.exe
5228	chrome.exe
5236	chrome.exe
5552	chrome.exe
5552	chrome.exe
5660	chrome.exe
5660	chrome.exe
5764	chrome.exe
5764	chrome.exe
5800	chrome.exe
5800	chrome.exe
6072	chrome.exe
6072	chrome.exe
5752	chrome.exe
5752	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3548	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojZEoSUznz17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeSetup(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojZEoSUznz17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OoRjJglzLJCL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojZEoSUznz17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2456	129.0.6668.90_chrome_installer.exe
4256	setup.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000bf081c85bb6cd1e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000bf081c850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900bf081c85000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dbf081c85000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000bf081c8500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ojZEoSUznz17.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ojZEoSUznz17.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Update	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\UsageStatsInSample = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\safebrowsing.incidents_sent = "A3F11A4D46A5E218B2EFECFB88C8593C7A2844C8F6D296767F1213636D243974"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\enterprise_signin.policy_recovery_token = "12D40A753E2FA6DEC4B675F545B38B6E2E29D038C5BB74CB43FC2B0CD33A0798"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\ahfgeienlihckogmohjhadlkjgocpleb = "B9E93E820CB8F9FEBE9B19D114BA8F079E61B29500F97B547423E095F5044A45"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}\dr = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\default_search_provider_data.template_url_data = "804D1708CFA0D8B83ED9E9305FD5F9BACC3DF8CBB30C567B58033B8194D579C9"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon\state = "1"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\Extensions	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725209447473057"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\google.services.last_signed_in_username = "A0AD3D62ED7CDE542B5982D6D854B8115462EB2B198DDE1152E6AD3987B42417"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\module_blocklist_cache_md5_digest = "71E6E6E1D4366E20FCF81727052486DF9436B96F73001E0F2C863385A7B56518"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\nkeimhogjdpnpccoofpliimaahmaaome = "E8243A6AD05FD5584015301A76B5D28B20B21A7D0E2F09F990ED74DB457B44F6"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\nmmhkkegccagdldgiimedpiccmgmieda = "D47B6AD8D9D017BC41CD1BD4B74ACE4C10567FAAB569B84E2404927775BC461E"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon\version = "129.0.6668.90"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\prefs.preference_reset_time = "F7CD553778CBD465D2E991909A4BB9EE52F531740C1CD8239FD85485F023D382"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi = "28A0F033AF18B646CA6CBA8AF1BA52B5002193DBA60007CCDA596D5CA8AF3FE4"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi = "69E15A2FBCAB650FD6D0870BCCD1E594E553616129CA1B2C705BC941FE174FA1"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\media.storage_id_salt = "B94EF5F869E4D7B84C1667826039AB9E9EA5232075BA5B6B6BBFC52BF6673A27"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\StabilityMetrics\user_experience_metrics.stability.exited_cleanly = "0"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\mhjfbmdgcfjbbpaeojofohoefgiehjai = "36F176E1B7E87A1730CE4B1885697A3D43438FBF959A6694C1CE62523ED2A6FA"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\homepage = "66588E52B743BCD4D460317F66DC0980122AF5A7FD3987EA5F50BF772FF2193F"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	updater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\google.services.account_id = "A54CF4E89C768DB198F21F28A8DA154242A8EBF54F03D2B2CA532BC0DAB5C50E"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	updater.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\session.restore_on_startup = "6ABC945835B5AFC9CC48238BCB8371CD7E18A6B4C1328FA8BF24EE5AEA6A61C4"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\4"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ = "IGoogleUpdate3Web"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8A4B5D74-8832-5170-AB03-2415833EC703}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ = "IUpdaterAppStatesCallbackSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\ = "GoogleUpdater TypeLib for IAppWebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\TypeLib\ = "{0CD01D1E-4A1C-489D-93B9-9B6672877C57}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\ = "{6430040A-5EBD-4E63-A56F-C71D5990F827}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\TypeLib\ = "{5F793925-C903-4E92-9AE3-77CA5EAB1716}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\ = "GoogleUpdater TypeLib for ICurrentState"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\ = "IPolicyStatus4System"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\win32\ = "C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.90\\elevation_service.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.90\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\4"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib\ = "{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\TypeLib\ = "{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ = "IProcessLauncher2"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{CCA9FC90-B200-5641-99C0-7907756A93CF}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\ = "GoogleUpdater TypeLib for IAppBundleWebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win64	updater.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4428	msiexec.exe
4428	msiexec.exe
2460	updater.exe
2460	updater.exe
2460	updater.exe
2460	updater.exe
2460	updater.exe
2460	updater.exe
1264	ojZEoSUznz17.exe
1264	ojZEoSUznz17.exe
2348	updater.exe
2348	updater.exe
2348	updater.exe
2348	updater.exe
2348	updater.exe
2348	updater.exe
1604	updater.exe
1604	updater.exe
1604	updater.exe
1604	updater.exe
1604	updater.exe
1604	updater.exe
1604	updater.exe
1604	updater.exe
1416	lTRNmTKwQzfm.exe
1416	lTRNmTKwQzfm.exe
3604	ojZEoSUznz17.exe
3604	ojZEoSUznz17.exe
3604	ojZEoSUznz17.exe
3604	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe
3772	ojZEoSUznz17.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3548	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3548	msiexec.exe
Token: SeSecurityPrivilege	4428	msiexec.exe
Token: SeCreateTokenPrivilege	3548	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3548	msiexec.exe
Token: SeLockMemoryPrivilege	3548	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3548	msiexec.exe
Token: SeMachineAccountPrivilege	3548	msiexec.exe
Token: SeTcbPrivilege	3548	msiexec.exe
Token: SeSecurityPrivilege	3548	msiexec.exe
Token: SeTakeOwnershipPrivilege	3548	msiexec.exe
Token: SeLoadDriverPrivilege	3548	msiexec.exe
Token: SeSystemProfilePrivilege	3548	msiexec.exe
Token: SeSystemtimePrivilege	3548	msiexec.exe
Token: SeProfSingleProcessPrivilege	3548	msiexec.exe
Token: SeIncBasePriorityPrivilege	3548	msiexec.exe
Token: SeCreatePagefilePrivilege	3548	msiexec.exe
Token: SeCreatePermanentPrivilege	3548	msiexec.exe
Token: SeBackupPrivilege	3548	msiexec.exe
Token: SeRestorePrivilege	3548	msiexec.exe
Token: SeShutdownPrivilege	3548	msiexec.exe
Token: SeDebugPrivilege	3548	msiexec.exe
Token: SeAuditPrivilege	3548	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3548	msiexec.exe
Token: SeChangeNotifyPrivilege	3548	msiexec.exe
Token: SeRemoteShutdownPrivilege	3548	msiexec.exe
Token: SeUndockPrivilege	3548	msiexec.exe
Token: SeSyncAgentPrivilege	3548	msiexec.exe
Token: SeEnableDelegationPrivilege	3548	msiexec.exe
Token: SeManageVolumePrivilege	3548	msiexec.exe
Token: SeImpersonatePrivilege	3548	msiexec.exe
Token: SeCreateGlobalPrivilege	3548	msiexec.exe
Token: SeBackupPrivilege	2284	vssvc.exe
Token: SeRestorePrivilege	2284	vssvc.exe
Token: SeAuditPrivilege	2284	vssvc.exe
Token: SeBackupPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeBackupPrivilege	1460	srtasks.exe
Token: SeRestorePrivilege	1460	srtasks.exe
Token: SeSecurityPrivilege	1460	srtasks.exe
Token: SeTakeOwnershipPrivilege	1460	srtasks.exe
Token: SeRestorePrivilege	1416	OoRjJglzLJCL.exe
Token: 35	1416	OoRjJglzLJCL.exe
Token: SeSecurityPrivilege	1416	OoRjJglzLJCL.exe
Token: SeSecurityPrivilege	1416	OoRjJglzLJCL.exe
Token: SeBackupPrivilege	1460	srtasks.exe
Token: SeRestorePrivilege	1460	srtasks.exe
Token: SeSecurityPrivilege	1460	srtasks.exe
Token: SeTakeOwnershipPrivilege	1460	srtasks.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe
Token: SeTakeOwnershipPrivilege	4428	msiexec.exe
Token: SeRestorePrivilege	4428	msiexec.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3548	msiexec.exe
3548	msiexec.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe
4360	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 1460	4428	msiexec.exe	87
PID 4428 wrote to memory of 1460	4428	msiexec.exe	87
PID 4428 wrote to memory of 3676	4428	msiexec.exe	89
PID 4428 wrote to memory of 3676	4428	msiexec.exe	89
PID 3676 wrote to memory of 1416	3676	MsiExec.exe	90
PID 3676 wrote to memory of 1416	3676	MsiExec.exe	90
PID 3676 wrote to memory of 1416	3676	MsiExec.exe	90
PID 3676 wrote to memory of 1264	3676	MsiExec.exe	94
PID 3676 wrote to memory of 1264	3676	MsiExec.exe	94
PID 3676 wrote to memory of 1264	3676	MsiExec.exe	94
PID 3676 wrote to memory of 696	3676	MsiExec.exe	96
PID 3676 wrote to memory of 696	3676	MsiExec.exe	96
PID 3676 wrote to memory of 696	3676	MsiExec.exe	96
PID 696 wrote to memory of 2460	696	ChromeSetup(1).exe	97
PID 696 wrote to memory of 2460	696	ChromeSetup(1).exe	97
PID 696 wrote to memory of 2460	696	ChromeSetup(1).exe	97
PID 2460 wrote to memory of 4356	2460	updater.exe	98
PID 2460 wrote to memory of 4356	2460	updater.exe	98
PID 2460 wrote to memory of 4356	2460	updater.exe	98
PID 2348 wrote to memory of 2832	2348	updater.exe	102
PID 2348 wrote to memory of 2832	2348	updater.exe	102
PID 2348 wrote to memory of 2832	2348	updater.exe	102
PID 1604 wrote to memory of 4076	1604	updater.exe	106
PID 1604 wrote to memory of 4076	1604	updater.exe	106
PID 1604 wrote to memory of 4076	1604	updater.exe	106
PID 1416 wrote to memory of 3604	1416	lTRNmTKwQzfm.exe	113
PID 1416 wrote to memory of 3604	1416	lTRNmTKwQzfm.exe	113
PID 1416 wrote to memory of 3604	1416	lTRNmTKwQzfm.exe	113
PID 3604 wrote to memory of 3772	3604	ojZEoSUznz17.exe	115
PID 3604 wrote to memory of 3772	3604	ojZEoSUznz17.exe	115
PID 3604 wrote to memory of 3772	3604	ojZEoSUznz17.exe	115
PID 1604 wrote to memory of 2456	1604	updater.exe	118
PID 1604 wrote to memory of 2456	1604	updater.exe	118
PID 2456 wrote to memory of 4256	2456	129.0.6668.90_chrome_installer.exe	119
PID 2456 wrote to memory of 4256	2456	129.0.6668.90_chrome_installer.exe	119
PID 4256 wrote to memory of 1684	4256	setup.exe	120
PID 4256 wrote to memory of 1684	4256	setup.exe	120
PID 4256 wrote to memory of 3080	4256	setup.exe	122
PID 4256 wrote to memory of 3080	4256	setup.exe	122
PID 3080 wrote to memory of 3260	3080	setup.exe	123
PID 3080 wrote to memory of 3260	3080	setup.exe	123
PID 2460 wrote to memory of 4360	2460	updater.exe	125
PID 2460 wrote to memory of 4360	2460	updater.exe	125
PID 4360 wrote to memory of 2040	4360	chrome.exe	126
PID 4360 wrote to memory of 2040	4360	chrome.exe	126
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127
PID 4360 wrote to memory of 4224	4360	chrome.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\银狐木马.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3548

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 2CD343AE285388CA77BF033CC412555E E Global\MSI0000
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe
    "C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe" x "C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc" -o"C:\Program Files\ImproveDefenderResilient\" -pBWkOspNCEXRAXyVSBPgs -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
    "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 264 -file file3 -mode mode3 -flag flag3
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1264
- - C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe
    "C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Program Files (x86)\Google696_135353443\bin\updater.exe
      "C:\Program Files (x86)\Google696_135353443\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={FD39FE3E-F972-AC55-37EA-CE3FED473068}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
      4⤵
      Drops file in System32 directory
      Drops file in Program Files directory
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Program Files (x86)\Google696_135353443\bin\updater.exe
        
        "C:\Program Files (x86)\Google696_135353443\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x13ec694,0x13ec6a0,0x13ec6ac
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4356
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
        5⤵
        Checks system information in the registry
        Executes dropped EXE
        Loads dropped DLL
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8753b7bf8,0x7ff8753b7c04,0x7ff8753b7c10
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2040
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1968,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=1964 /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:4224
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2080,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:3
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:1316
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2352,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=2856 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3736
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=2932 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4780
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3068,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=3292 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:3188
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:992
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4636,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:5076
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4632,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=4652 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:1104
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4668,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:5228
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4820,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=4700 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5236
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5128,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=5220 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:5552
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5484,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=5508 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5660
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5220,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5764
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5072,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:5800
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5248,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=5464 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6072
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5848,i,14732160316884743660,17989965452647411560,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x59c694,0x59c6a0,0x59c6ac
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2832

C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe
"C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe" install
1⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:4056

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x59c694,0x59c6a0,0x59c6ac
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4076
- C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\129.0.6668.90_chrome_installer.exe
  "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\129.0.6668.90_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\47b9fe72-93b3-4f05-a3ad-9779f22a5d9f.tmp"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\CR_F60A3.tmp\setup.exe
    "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\CR_F60A3.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\CR_F60A3.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\47b9fe72-93b3-4f05-a3ad-9779f22a5d9f.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\CR_F60A3.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\CR_F60A3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff66ff59628,0x7ff66ff59634,0x7ff66ff59640
      4⤵
      Executes dropped EXE
      PID:1684
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\CR_F60A3.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\CR_F60A3.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Drops file in System32 directory
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\CR_F60A3.tmp\setup.exe
        
        "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\CR_F60A3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff66ff59628,0x7ff66ff59634,0x7ff66ff59640
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        
        PID:3260

C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe
"C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe" start
1⤵
- Executes dropped EXE
PID:4140

C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe
"C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
  "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 162 -file file3 -mode mode3 -flag flag3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
    "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 362 -file file3 -mode mode3 -flag flag3
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3772

C:\Program Files\Google\Chrome\Application\129.0.6668.90\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\129.0.6668.90\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5672

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:5548
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x59c694,0x59c6a0,0x59c6ac
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57bab6.rbs

Filesize
7KB

MD5
2034b2812a8191ca05167f85d62558f7

SHA1
7faf7edbf5317c7ed724082f711f623597d8471d

SHA256
fb2043f9e6b47e205e759ea9e76ac734b942d907d36656de86da52b7a6b85ab4

SHA512
603ae72432befa929210246f36ee880a7cdf0f1b7ee7514b2143d193a3cfa814c232fe5f8cc69fdfc7eabc575c76d559eeef544df05dfc208f156e6d4a0e14f3

Download Submit
C:\Program Files (x86)\Google696_135353443\bin\updater.exe

Filesize
4.7MB

MD5
823816b4a601c69c89435ee17ef7b9e0

SHA1
2fc4c446243be4a18a6a0d142a68d5da7d2a6954

SHA256
c2a7c0fa80f228c2ce599e4427280997ea9e1a3f85ed32e5d5e4219dfb05ddb2

SHA512
f3b38807ed1eb96c932e850b9b37551554408a628bedf12aa32bde08c442ff3663bf584335e7eab193ce2cf7552bce456737c96a2ba9faa953150e6304068fc6

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat

Filesize
40B

MD5
a4047b7565e92acfe8b02b20ec827157

SHA1
3b953a42ad4173f1ed857f472ddc1dd98b5d1629

SHA256
eb7417f13e18f6331730bdcdf91e0b529aad488faaa9ec319a53665d858fb3a8

SHA512
152124a86144de604da4dcfd745200d902e73a0aaa46e9c9516278e1e0769d083ef98dadfa8ae531c8093709704205ab3392cbf355dd0c4b6be04cda1b85783c

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
591B

MD5
432a93e551b130f25aab427a1f312549

SHA1
85cce9e1466aee0f8aab37ceb2561bd769fc9be3

SHA256
08f1e43a2100d993b8a4592d53978ac1d27a902f8aea0356a595a26ce7d55d08

SHA512
83f0a9f2949306e3a4696db6032b6fc2f1ffe8184c1d0583a2c5c2cf6900db6b15fbdeaf48a9d6a432a88e913159aaaef8bf6a71fda7a065298863ee419f1fe4

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
354B

MD5
d4927578fc92dc543365aa4e43b202ba

SHA1
5e1aeb950ac6ac3f071fa02f90a4fbc0c8e5304c

SHA256
4ac029c04a6e82f4c588237f57a798b4285c818bdbb4250c20f11a5b95d4ecd1

SHA512
4c6cbf4bfb4279edc6d6bd816ca4d1d4dbc8b7f06d875493ffeea3a8782568f49911db28aae743a41962bbe4fe34afc531e119be58888a2acf0623e99df38e95

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
49B

MD5
7b693a82168c33ec9e8cf276859ddf7f

SHA1
d396dbbe299fe7754a6244d01e97cc4edd0693eb

SHA256
84a9a7f43db56cd6e9a408f88244e8ba5efbe48a5b5168d321f112b8c8fd8e3f

SHA512
4064c158d753d19a72e1be1c8bd5fe7f22e2032d67d1dd7ea1d85ce652d63c69b85a4292c4403b0f7729b05607f3d1ccfaf4d27d04ad09ffcec70082450320ab

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
591B

MD5
3412eb566c6eb926966aa07d4fa18aae

SHA1
4123f015ce5a0b0093f430807707c75bcffaab0e

SHA256
b75181190c9b197e9a639a150dc7c85a57203a52d797d43a8d9d7d0b9f97fc25

SHA512
6b4bb9069007fd21d2b82bd4102ba288f81674bdc013b093d848547e784d3efeb0becd98ab156894b642f091b9feb9463cec54c3045b5d0cfaeb12dfc248f6b0

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
492B

MD5
bb299c8aadc5a4c051f59133bae2d7a4

SHA1
2983e3cf4cab5cf2ad9cfb7c669af097b30c94a8

SHA256
34169f1fad9a73243a66c2b5b7cb0ed6c05056bf053eb6002f0e5f01aea29766

SHA512
e119dd4a6bc21a78547931542aeb33257e895844d61cc0e3a82a5a04fbef2746042cbbe1b127981684b56c6f24e5d93f6db545a511f8443066a504f78b2d61d2

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
1KB

MD5
f59b4e1bc3d26a6e35d46b4f06822729

SHA1
c921928760dc82afe8fa63a36760078cc8654b48

SHA256
85c5031e33488ea628e390155e2cc2c1362022e3e5228e6144f6b3e1f05e83b9

SHA512
c8c71c5af17098f55c27819227d9eb0a58240e36334d4594fc689b841c3f33f0ce171e4c6741f3bb4da80aa3ad589e70e5520e0ce1b2dc105321fb4e08b2c546

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
2KB

MD5
347a230289a8e1430e7025ca676b4c91

SHA1
910445070d4023ba4c50f77bc5c2005d7fc2820f

SHA256
e6f477576d900ec8e6150bae20a49c688987d3a74c82190c361e516acc30cc37

SHA512
f9a619162cbfae3a00eb41f9475dcd4bbf5efef3492d307614acb2c0bad92d04291c972998ba122cd13056b1ed78c3d6cf8fe0e3c4c49735a19ee20f42f189a0

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
4KB

MD5
486a69f66756e6d96c60fce128e3d72b

SHA1
f4f9cbd51fe75e6fe490855e97d81a9d9a197ceb

SHA256
c17f5fa651ca1f4c0efcc96df344e1e3a6745f51bb41069bb721a615b2890c22

SHA512
ce52bc9124b573eefcd70d6609e3a8f15ef05e6da5d55a84c17dbe3491e3e5e147f83696f0be889efd1df000cd018af9f2a2703d226db523088c421b6f16d315

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
6KB

MD5
306e51852b8da30a3daa55181014c3fe

SHA1
46f61895055abc911b19532000d99c1faea9b9e4

SHA256
28d3037a43f87706dd0463d7aedde4d4e1bd9922386e56f138eed5e246e89a73

SHA512
2f5e30c4a5e642d6fb7214e270035f05203bdbfc798907f5d3ea516abf57c4aceb3d94e9bc3f9e29f28d9df2ff1dfde912e43b8cb84d7b4a6c0163d784945778

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
9KB

MD5
ec0179db4fbf7ab7dc25d35143b81d6a

SHA1
1f63c820c115bbac9e4c1044d1a9a08aceabe1f3

SHA256
9b60ee59a6464f34e9fde98c88af93e29aeb242fc92edaa06af7363e4f68623e

SHA512
e7acba257f96785f5041a4b4f7fa6fbe1d782ee035e7afed7398ffb9ec3f1a5133b5f29bb079f35a6d9ae99b9b27ad232ce4667304f7258660236537a968db95

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
10KB

MD5
5844804bcc892d0c8fef93b607b1afec

SHA1
a36da750a08862083be2e43acb0c3ce3140f1ed4

SHA256
2dade9c26d6af6c6b6409a6f0649af1ba8b662c01bddb911f32bf33ba409b4f3

SHA512
9532137d1e3ff2f7eda478b4cf6e434b51686749654803314bc397f9b3cde05beb5e0dca2974fed9ab1fe9cbc7cafb6de1d78dafff7205a950148aedbc0f61d5

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\47b9fe72-93b3-4f05-a3ad-9779f22a5d9f.tmp

Filesize
680KB

MD5
e8bdb8470612de48a2969dc9044a6827

SHA1
c639858bc762f1a81c7d49fb3882ecc287bf328c

SHA256
bcdb382c34a680afcef53e3e3104328f17a185bf00ca47307ded59eb4a077f0f

SHA512
8fdf5cd80eaa8c94bff22c0072ab5a4a3d510074da7f089c9cb5e8f946238ec64ca6cf0b45f643c58b580cfb39ab0c75a2ad7accca0ca0ef5dd6f27f3a1b580d

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1604_1149118148\CR_F60A3.tmp\setup.exe

Filesize
5.8MB

MD5
2bff61e098cb435c0680f80c6ed9b261

SHA1
62ec8eee0a1da31677eda7fdeafe0d18c86e0c0d

SHA256
c78c91a2b491d0f42c9f6754bbaa011c65c73160ebff2852ceebac41a535f4ec

SHA512
8c3bcae53a0012c8dc728d8742eaaa94feeb9644cd3387a8ba953b6b259da894dc407064b527a958b18a74a986728c3c0cbfbad8f8fbaf5c8c6544b0e3246662

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.90\chrome_elf.dll

Filesize
1.2MB

MD5
fc5a0077095107949395677b38aa28c4

SHA1
07f042b616804fb3d053ee0b03df39730abdc8ea

SHA256
16512b1b35bd85e9d4b41d5a6677c9ae59020bebb2c334a40233532a2474ab1c

SHA512
070af019209d635ccf13e59a5798de80627c1eeb756423066563c63db04c94b2e674a1534559ce0d4b50a14ec907b2d6dadd5b6c33ea5efb99f2dd9722132ef5

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.90\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.90\libGLESv2.dll

Filesize
7.9MB

MD5
d18593720dcfb0539f6d625e8f311b43

SHA1
b7aef63354e8cf733af5ecd27cf715c8461af94d

SHA256
f913d483492ceaa2e0ae63b9ed5ce605e0a9c79518a448f36dec09ad86715b0f

SHA512
092a79db1262c6f732373f1692b82dc87bd3e32e0d2244f94a55d2cef444417686549478efe912060c0e39f571f9207a8b62ccba3fb76853713fead38d9e4b9e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.6MB

MD5
2fb6428bd717b9694fc79e9115987afc

SHA1
2e9eb0b4fca60a5ede55e3e66e0c1d481b97aae9

SHA256
7a7304c716b24f97ac5c83c4f509b1820a7b116eee6716a839952a5f502bf056

SHA512
16f1530e8660f6411c890a675756c3f8a17c2ae2da6f7778ce01a285c75e72bd65a52e8ba3447d6e438fa0e85f065e4b74ebd0a521aa1e377e6ca6d5045915bd

Download Submit
C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe

Filesize
8.5MB

MD5
5adff4313fbd074df44b4eb5b7893c5e

SHA1
d27388ef6cf34d40e0e7666f6381fcc5bbafa0f7

SHA256
d0c7a4390bdd6b442b96fc76f8a38f7b756ba2c16752ea259844420161865cae

SHA512
f5d639922b91878cf83d97563288a3aa4cba94db3ad5e8ac11d24ef7c44b019383a4414aeba6171b4c7bfa83ea1eafc1231cc9233e3b82b5ca7dc0b3ffacbf60

Download Submit
C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe

Filesize
577KB

MD5
11fa744ebf6a17d7dd3c58dc2603046d

SHA1
d99de792fd08db53bb552cd28f0080137274f897

SHA256
1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

SHA512
424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

Download Submit
C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc

Filesize
1.1MB

MD5
04b529a6aef5e7c2a1f79a04b81be20f

SHA1
ee6a4c1f35ae62a42c0a4378362878769cd3aec1

SHA256
c7101b019dc7625c4036420b8c9f90ad4c6e7e57d847b1c60c6270cc67cf8aca

SHA512
328ed4939b78630cec8aa7ff3fc0af48ae4b1592241265d8f3d60d2945772686b1a1eb40b1ace635dad911482a12a985432793cf48ca9d637558982c53a11f81

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log

Filesize
272B

MD5
1fe8dc07a1280b53004dcd90881a5e68

SHA1
e54616ebef1ddd2759b8bbbf96e64514f9a9e1cd

SHA256
da1afa49ce894171ea57ca0148636fa896d7adb7351f7c04f58f371922343e26

SHA512
ae417eb00fcc3c051c41a9e6cce0408b7300fed964a44adda00f7962b0d4bdc263e7ad7d241f73cc6697f415f96189d7503af8013b83517c837b151a876471d8

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log

Filesize
431B

MD5
4909d22e84f2f6c74309987e806e0a07

SHA1
28eed3b866fcdb53047012a8416a7a07f8317092

SHA256
c1dc79ad02f4c8266abe7c22b1ccec4ad0ece5b0f35e52cd7934f246c50ffad7

SHA512
4edcb2ff6ee21e94ffe1c2703206a91a32e36e1b192acd2e19c821d628319a8c8eca0f2893a7d10315d840153c940f64a13253df815963698a712709a8395ebe

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log

Filesize
600B

MD5
1fff71126f4b15e1a52b11bb91fd5926

SHA1
d8cb14aabd6ed253332fa9088b21138b503130e6

SHA256
c9df7d91b4d524dabead8df7873e0b2b058c7fc66bb254ae1af6cb70ab8f7489

SHA512
a1d657df9b6e81f0b0a3e42de6c7e6adfdcb56190106f809a66068a6a4c681ac1ae7df617fb709894b001db5d596d7cbfed098c3993dddd4ccd067a120af16ef

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log

Filesize
749B

MD5
bbbec73eb7843f0fc748d07791a1050f

SHA1
aae0ab6593d332d3f2b463946d5fe512e9ddc41a

SHA256
db25a7f02eeb29bb960f8aaecddd61591bf7906fecf1260a6fc1f5597801ee47

SHA512
a3dd9d065b3966ecd38a8a0826df405a208882d89e42c70e3c5af9712c02038f6467e56e1f0433863c97f94acf7c4717a51b5d6a30506ee5f7ba048d18034c81

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.xml

Filesize
448B

MD5
266bfe492318ff1337c913cc4635f563

SHA1
32f7a6db72b608302368b546afaf9e2307fd1dde

SHA256
23eda6decdfaeed555d8ad9f83795a90cbedef8a3b75960d6794bb231e86fc47

SHA512
872cd6a69305aae9ac776a031a4c1b2d5ce08915477225752154e45d32dcbaafa29048d9033577caedd3eb2d862373b08d61d211e55e8673265d87ca01afd341

Download Submit
C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe

Filesize
2.4MB

MD5
f85f44f7f01ac7dfe2d379dad4386920

SHA1
2d1fefb3ac611e97845659085aaccf10b74815a1

SHA256
e2dde008486ee007b634bb8012ae1fc11f79ee4a2ce6e4d5337074cfb2582e73

SHA512
56d060093e92a6663b4c17a39c209009439d09b119856890ed9200cac51a3d2c7f726b681964cce83e0daf77a177db62fa5cf5ddb639fbe25c4be5c6fa5cc7a1

Download Submit
C:\Program Files\chrome_installer.log

Filesize
21KB

MD5
6f8dfa3f9f5c5fffea00e34cedb40824

SHA1
1a47f1dd53b4133f2f85bef04fb3af19a70c6dbf

SHA256
3ce7dd6307722e6a2963f34127bca17b56e48e5fa4ee91a6c47ad1a2451d21a5

SHA512
030b7c40e3073eee42773e7589af60d4ac0c617b48d1cb2b0f1e0cb27dc0ff786ac9a6e459ba504a4d38bb3acd152e7f4a067a230713978d6c258477ae674961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
df5868125d31d9be3666d299d6918c8e

SHA1
92f1709b0bbf1ba90aa05bf82e832ec1f64c2e89

SHA256
052badff0dc82fc0644b94c6ba1984a89950935900468c3d90d7bc0d073a1916

SHA512
f846e9e653d661942c1e3f5148a728651f370be3df8838cdf2a362e3e459bb5ebdb67f978223fffb976b4bd8ad740684ab2af31471b8983c42d00ca256cc3fb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en\messages.json

Filesize
593B

MD5
91f5bc87fd478a007ec68c4e8adf11ac

SHA1
d07dd49e4ef3b36dad7d038b7e999ae850c5bef6

SHA256
92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9

SHA512
fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a0860c5ea9404aa7988fa3932610bb47

SHA1
fe5932018da2eaf855988f074b92ab6b59b706b1

SHA256
ef1ceaa57d7a83cb096c7517d55482984ac5d88029a29840c3804b0402afcb25

SHA512
fddf29318527a89b6a8dc2bdc2da0bd4544127c1eb7ec94efe832d29cc0e6e33d198ea9f104a134864d6b871321c28bc044f9e7ea8aeafa5725ab6d13494cae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
29fdef0330fbb0355fe13b52531e6970

SHA1
e0d9fa50cbc2eac6846bc6d607dbca5690a5d18f

SHA256
182e4791519be1c6e56fb42a93d778cd2e37dd9652bbafc597f17fefc3cf5d18

SHA512
13a87e6201064e457a251c32e4a98f8293335c67797579534346ee30cd39b5fdcd2ef2232799e6ee5547ade27451d21c9551b7f4d8ed3dfd71fa83c1a409da26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
66676ff0a36165150a0b16aabda13f5e

SHA1
a8c9c0795c38c9b3b5ab116c0fb82560b2cb5e9b

SHA256
aa97217df21d1b4d267ad3ab81170993977ee5d1c657b291d647f474538774d5

SHA512
7a4c14ec49a5d452a65c67f3eb06885eebb10412a228347b3d13521c3646b90469923654523f0d31985a9a7348ac100d299ad38e5a3be541e231d29cb07af91c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
606c13e4b6810c837fddd2a1e8dd7966

SHA1
02f1dc67288e5b161065c4d9632fb0d62dca6c58

SHA256
ef6fa9216bc4cc975951b1e0e6f11d6fedd10a1d1e9dc27dbd452eba0840a008

SHA512
5c133a3db70af53b4d42ed8cdee1a5a68ecb2854758d5b8d05fdc43ff2b7990e09bcfc2e643a89f846bb122c247e51ac92608e0e30016c940f13605a9d2e47b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
adfec4f46c5481c87b8116759a79b0aa

SHA1
741a37c740b1d5420dfc8d548bc63bac0e532f19

SHA256
8a81f3d76b686c764e3195b58b341d089094b56ac6545b1feda9982400b3d5d9

SHA512
ceb7f3764013f4e170e5366f116e39209643c4ced127a9a04a35dd80b14ee5364027593e187d92a18c756ad0215b79fad476ac5b19f5b0e1e7dc4f11ffbab0ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
53d041d298983adef45d2404a0d325f2

SHA1
f86899c97020f5321ee56230376b9aadb98097df

SHA256
8d6dc0e93fdccb3e82f0a5f2e25df67676b386dd80d2718160e6362f49096dea

SHA512
0eb3be3019463415383c90331755dcb9611563736739904253a58f8e83be0cfa982d8c7cba2192384d01fafdab88d3fcb4daa44cfec813638a2eea4abeb0a79e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnGraphiteCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnGraphiteCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnGraphiteCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnGraphiteCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnGraphiteCache\index

Filesize
256KB

MD5
6da6523b503ef2a1e2469a3560062023

SHA1
9e64cf8100121d851b2bdc47dddbd753ed21d0bc

SHA256
9d539512d99490cbfb2ac473b2080450ef53e1c68e5d70d87a4ce2500c48ec4e

SHA512
f7e60bcb0653d9e0d32b8e4a1c18d6142610e3d34ec1a47b7c196bd3bfa681ee81bbecbb7288b15c69fef8d6426bc38aa4bad824da37551bbbc29885a67e20d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
ecfc2a429a7a887034a9f1048f214c91

SHA1
0b875a9a9ff4cb8b6dfa3579b2c2f6a6b0b0aa8b

SHA256
c3df1e3230f074505bf6bd5916ab7eee44fd5b77383f85b9606c09838957731d

SHA512
6521f43371ffa765d384c55407023cf69b36ec52a73f6e80249e4b10fa3981f7b288be5f22b246df98c8773e6b0e5a413eb232cdf8be0d4ac7d8505a3f96658c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
20dbb2a382d4f7e7163a82c7dcae4214

SHA1
9888e45ce73fc054c3e0eacd44a06c11fe4ba932

SHA256
f0ae903bdd7f2dda3b84559ba8a437fec4f3b8166c938a7b28dd63079b60c6df

SHA512
b256c4af640d79a2e7b22566c1bec5874c9f8c80a57c9d23e99271d3941b1bdba570c5f7dd86924c7b81af99e0dad92ada7496e45557ba5f39f3ed10f987a299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
ca7d581031e1d20e02a43d2efc652cbc

SHA1
8f7ed8f8660428f921255569d394194b3e40bd0e

SHA256
24113320c2f4847ca2c2f410a58cf1c0e0e775ccd7dd8a848cf5207524483584

SHA512
4541dfe6b2802a0ff6fba63894e6c4628371e4f899a296a1395b3c919a8ebfaf137379b9f67d88bf2d7a972b53127266371768f310ea2b572637ce7fe49d6d7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
fb69816907967e4a658f349bf751a06d

SHA1
57a5a78336399babf00cf66e5c1f79fd19065f3b

SHA256
c0494b5f475c464c616c7e86ed75c2f00411fa2c1e75f268d77fde29020ae3c8

SHA512
bc341b06fa9a0dd964b67b9b9977d618713d19510b0c6b7e22ad7819a8cea71203e0e5ccaf07afaf3c1c63320bd5bf8cda9c1ddb25b68d0f8b577f503b9a301d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4360_84907779\CRX_INSTALL\_locales\en\messages.json

Filesize
450B

MD5
dbedf86fa9afb3a23dbb126674f166d2

SHA1
5628affbcf6f897b9d7fd9c17deb9aa75036f1cc

SHA256
c0945dd5fdecab40c45361bec068d1996e6ae01196dce524266d740808f753fe

SHA512
931d7ba6da84d4bb073815540f35126f2f035a71bfe460f3ccaed25ad7c1b1792ab36cd7207b99fddf5eaf8872250b54a8958cf5827608f0640e8aafe11e0071

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4360_84907779\bb822615-53ad-4210-a936-7dcf5786e053.tmp

Filesize
242KB

MD5
541f52e24fe1ef9f8e12377a6ccae0c0

SHA1
189898bb2dcae7d5a6057bc2d98b8b450afaebb6

SHA256
81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82

SHA512
d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

Download Submit
C:\Windows\Installer\e57bab5.msi

Filesize
28.7MB

MD5
bffddb889b7089cc6af3b9d9efb3c89d

SHA1
977fc679569271849068e704a53c57b09009f414

SHA256
94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43

SHA512
0c3d0db3b8d0c5a071cc3a140695d8ea1b1600c36add6a4c36e24effd9d4dc579ce6953386cc624406c8fb9d6ba436b7082a5e675799d3f860fd0df6a5946e93

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lTRNmTKwQzfm.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
d22b14052c858505ffc3400cc0d4710b

SHA1
22acd77fe3765f7daa25025b2e89d89055f8e047

SHA256
b1748842b18a9a8e9cf032b4f70703f0a1358e63b761ad74a71737f47a4403e5

SHA512
2f7dc316aa2bbd3ff4764987b3f8e0af9fde34335b5a4817ee94d2b463d9baf5e28e20c58a492acebcfc79cb66c9024256b16de55ab57f1a59dc7f04ccb54671

Download Submit
\??\Volume{851c08bf-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{57802300-8f12-48b4-9759-0ad12090160d}_OnDiskSnapshotProp

Filesize
6KB

MD5
2a48e9956fa948abc47737ee40d4a5ad

SHA1
4da350a8ebdff1d981dc0090c0645c4ef816edc9

SHA256
ec55c6d31764763df442334f86cd3684d85a96520c965369197caed9ecbff56f

SHA512
70d6aebf3812dff91a384ecb50dddc31167fb1dd3f990703725ae6dc86cd9157af2a515d28244732895e74deb67d109ee7386bbfa3a8305c0b49058d54e0fc72

Download Submit
memory/3772-129-0x000000002BA40000-0x000000002BBFB000-memory.dmp

Filesize
1.7MB

Download
memory/3772-128-0x000000002BA40000-0x000000002BBFB000-memory.dmp

Filesize
1.7MB

Download
memory/3772-126-0x000000002BA40000-0x000000002BBFB000-memory.dmp

Filesize
1.7MB

Download
memory/3772-125-0x0000000029E30000-0x0000000029E6E000-memory.dmp

Filesize
248KB

Download
memory/4056-78-0x00000000001A0000-0x0000000000276000-memory.dmp

Filesize
856KB

Download