Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/10/2024, 03:01
Static task: static1
Behavioral task: behavioral1
Sample: 94200B3B4792C019EBE7BCFD16573FDEDF385369E41309D82958568078E90C43.msi
Resource: win7-20240704-en
General
Target: 94200B3B4792C019EBE7BCFD16573FDEDF385369E41309D82958568078E90C43.msi
Size: 28.7MB
MD5: bffddb889b7089cc6af3b9d9efb3c89d
SHA1: 977fc679569271849068e704a53c57b09009f414
SHA256: 94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43
SHA512: 0c3d0db3b8d0c5a071cc3a140695d8ea1b1600c36add6a4c36e24effd9d4dc579ce6953386cc624406c8fb9d6ba436b7082a5e675799d3f860fd0df6a5946e93
SSDEEP: 786432:tQ05JQsMXv0z+OEoBvTT1A7IXA5hPP4WhYw70FDDV:e0Tif06OXrT1AGw70FD5
Malware Config
Signatures
YARA rule purplefox_rootkit 3 IoCs
resource | yara_rule
behavioral2/memory/4816-127-0x000000002B3D0000-0x000000002B58B000-memory.dmp | purplefox_rootkit
behavioral2/memory/4816-129-0x000000002B3D0000-0x000000002B58B000-memory.dmp | purplefox_rootkit
behavioral2/memory/4816-130-0x000000002B3D0000-0x000000002B58B000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 3 IoCs
resource | yara_rule
behavioral2/memory/4816-127-0x000000002B3D0000-0x000000002B58B000-memory.dmp | family_gh0strat
behavioral2/memory/4816-129-0x000000002B3D0000-0x000000002B58B000-memory.dmp | family_gh0strat
behavioral2/memory/4816-130-0x000000002B3D0000-0x000000002B58B000-memory.dmp | family_gh0strat
All six matches are on the same memory region (0x2B3D0000-0x2B58B000, 0x1BB000 bytes) of pid 4816, which the Executes dropped EXE section identifies as ojZEoSUznz17.exe, one of the sample's own dropped binaries. Nothing in the report ties either rule to the bundled Chrome processes.
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.90\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome" | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | setup.exe
All seven rows are written by setup.exe, and the StubPath points at chrmstp.exe under the Chrome 129.0.6668.90 install directory, so this is the Active Setup entry of the bundled Chrome install rather than a persistence mechanism of the sample's own binaries (OoRjJglzLJCL.exe, ojZEoSUznz17.exe, lTRNmTKwQzfm.exe), none of which appears in this section. The same GUID recurs as the Google Update ClientState key under HKEY_USERS below.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Every row is "File opened (read-only)" on a \??\<letter>: device root. Grouped by process, in page order:
msiexec.exe (42 opens): A:, U:, W:, Y:, O:, U:, P:, Q:, R:, P:, Q:, S:, Z:, L:, T:, X:, H:, I:, K:, X:, O:, I:, Z:, V:, B:, G:, N:, M:, J:, T:, V:, B:, K:, H:, M:, N:, E:, J:, A:, Y:, L:, G:
ojZEoSUznz17.exe (22 opens): Y:, V:, W:, Z:, G:, P:, Q:, S:, R:, T:, M:, O:, B:, K:, U:, N:, H:, X:, E:, L:, I:, J:
The msiexec.exe rows come from the Windows Installer process itself. ojZEoSUznz17.exe, the dropped binary whose memory matched the YARA rules, opened every root from B: to Z: except C:, D: and F:, each exactly once.
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | updater.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk | setup.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_753AFDB6B788AB7F055EF332F4173015 | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_753AFDB6B788AB7F055EF332F4173015 | updater.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lTRNmTKwQzfm.exe.log | lTRNmTKwQzfm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | updater.exe
The CryptnetUrlCache and Quick Launch rows are the bundled Google updater and Chrome installer writing into the SYSTEM profile. The row that matters is the CLR_v4.0\UsageLogs entry: the .NET runtime creates that log for managed executables it runs, so lTRNmTKwQzfm.exe is a .NET binary executing under the system profile.
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
No IoC rows are listed for this signature. The COM and TypeLib registrations visible in the report (under Modifies registry class) are written by the bundled updater.exe and setup.exe.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | chrome.exe
Both rows are chrome.exe, part of the bundled Chrome install; the sample's own binaries are not the source of this signature.
Drops file in Program Files directory 64 IoCs
Of the 64 rows, 61 are the bundled Chrome installer and Google Updater (setup.exe, updater.exe, ChromeSetup(1).exe, 129.0.6668.90_chrome_installer.exe) writing under C:\Program Files\Google and C:\Program Files (x86)\Google. The three to pivot on are the writes under C:\Program Files\ImproveDefenderResilient\: msiexec.exe creating jXdmemDIXVZlyRJvLnMc, lTRNmTKwQzfm.exe writing lTRNmTKwQzfm.wrapper.log, and OoRjJglzLJCL.exe modifying ojZEoSUznz17.exe.
description | ioc | Process
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\te.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\v8_context_snapshot.bin | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\os_update_handler.exe | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata | updater.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\0ae54638-001e-4692-a738-5c59b30d2626.tmp | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\es.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\sw.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\cs.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\chrome_proxy.exe | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\notification_helper.exe | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\hr.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\nl.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\MEIPreload\manifest.json | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\VisualElements\SmallLogoDev.png | setup.exe
File created | C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc | msiexec.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\prefs.json | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\pt-PT.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\VisualElements\SmallLogo.png | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\fil.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\hu.pak | setup.exe
File opened for modification | C:\Program Files\Crashpad\settings.dat | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\698ca3fe-7fd5-4f89-a49d-96351c1b2e0b.tmp | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\he.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\ko.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\mr.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\tr.pak | setup.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\uninstall.cmd | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Extensions\external_extensions.json | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\de.pak | setup.exe
File opened for modification | C:\Program Files\Crashpad\metadata | setup.exe
File created | C:\Program Files (x86)\Google4640_2141196407\UPDATER.PACKED.7Z | ChromeSetup(1).exe
File created | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe | 129.0.6668.90_chrome_installer.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\chrome.exe | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\libEGL.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\da.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\en-US.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\chrome.exe.sig | setup.exe
File created | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | setup.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | updater.exe
File opened for modification | C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log | lTRNmTKwQzfm.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\9fece7d5-2bd0-48ff-a302-8f0950dc984c.tmp | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\it.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\kn.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\eventlog_provider.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat | updater.exe
File created | C:\Program Files (x86)\chrome_url_fetcher_2216_780328711\-8a69d345-d564-463c-aff1-a69d9e530f96-_129.0.6668.90_all_adoc4766j3bivaj6ot6kye3j6isq.crx3 | updater.exe
File opened for modification | C:\Program Files\chrome_installer.log | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\dxil.dll | setup.exe
File created | C:\Program Files (x86)\Google4640_107721573\bin\updater.exe | ChromeSetup(1).exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\ja.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\fa.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\VisualElements\LogoBeta.png | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\ar.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\zh-TW.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\dxcompiler.dll | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\optimization_guide_internal.dll | setup.exe
File opened for modification | C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe | OoRjJglzLJCL.exe
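Added example (editor's code, not part of this report or of any tool named in it): a parser for the run-together "description ioc Process" rows used by the YARA, Active Setup, drive-enumeration and dropped-file sections above, plus a triage pass that pulls out the Active Setup StubPath command line, every write under C:\Program Files\ImproveDefenderResilient\, the drive roots each process probed, and the pid and address range encoded in the memory-dump names of the YARA hits. The split of processes into bundled Chrome, stock Windows and sample-specific is an assumption taken from the dropped-file paths in this report, and the sample input is constructed by copying rows from this page.

```python
# Added example: parse flattened sandbox signature rows and triage them.
# Process grouping below is the editor's assumption derived from this report.
import re
from collections import defaultdict
from dataclasses import dataclass

# Row vocabulary used by the report's registry and file tables.
ACTIONS = (
    "Key created", "Key deleted", "Key opened", "Key queried", "Key value queried",
    "Set value (str)", "Set value (int)", "Set value (data)",
    "File created", "File opened for modification", "File opened (read-only)",
)
_ROW_START = re.compile(r"(?:^|(?<=\s))(" + "|".join(re.escape(a) for a in ACTIONS) + r")\s")
_STUBPATH = re.compile(r"\\Active Setup\\Installed Components\\(\{[0-9A-Fa-f-]+\})\\StubPath = \"(.*)\"$")
_MEMDUMP = re.compile(r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
                      r"0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Assumed grouping: the bundled Chrome/Google Updater processes and stock Windows
# processes seen in this report. Anything else is treated as the sample's own.
CHROME_PROCS = {"chrome.exe", "setup.exe", "updater.exe", "ChromeSetup(1).exe",
                "129.0.6668.90_chrome_installer.exe", "elevation_service.exe"}
WINDOWS_PROCS = {"msiexec.exe", "MsiExec.exe", "vssvc.exe"}


@dataclass(frozen=True)
class Record:
    action: str
    ioc: str
    process: str


def parse_rows(flat: str) -> list[Record]:
    """Split run-together rows '<action> <ioc> <process>'. The process is the last
    space-free token (no process name in the report contains a space); any text
    before the first action keyword (the column header) is ignored."""
    starts = list(_ROW_START.finditer(flat))
    records = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(flat)
        ioc, _, process = flat[m.end():end].strip().rpartition(" ")
        records.append(Record(m.group(1), ioc, process))
    return records


def decode_sandbox_string(value: str) -> str:
    """The report escapes backslashes and embedded quotes C-style inside values."""
    return re.sub(r'\\(["\\])', r"\1", value)


def active_setup_stub(record: Record):
    """(component GUID, executable, arguments) for a StubPath write, else None."""
    m = _STUBPATH.search(record.ioc)
    if m is None or not record.action.startswith("Set value"):
        return None
    cmd = decode_sandbox_string(m.group(2))
    q = re.match(r'^"([^"]+)"\s*(.*)$', cmd)
    exe, args = (q.group(1), q.group(2)) if q else (cmd.split(" ", 1)[0], "")
    return m.group(1), exe, args


def parse_memory_resource(name: str) -> dict:
    """Decode 'task/memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp' YARA hit names."""
    m = _MEMDUMP.match(name)
    if m is None:
        raise ValueError(f"not a memory-dump resource name: {name}")
    base, end = int(m["base"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "base": base, "end": end, "size": end - base}


def drive_letters(records) -> dict:
    """Map each process to the sorted drive roots it opened read-only."""
    out = defaultdict(set)
    for r in records:
        if r.action == "File opened (read-only)" and re.fullmatch(r"\\\?\?\\[A-Z]:", r.ioc):
            out[r.process].add(r.ioc[-2])
    return {p: "".join(sorted(s)) for p, s in out.items()}


def triage(records) -> dict:
    """Flag Active Setup persistence writes and the sample's drop directory, and
    list the processes that are neither bundled Chrome nor stock Windows."""
    findings, seen = [], set()
    for r in records:
        seen.add(r.process)
        stub = active_setup_stub(r)
        if stub:
            findings.append(("active_setup_stubpath", r.process, stub[1]))
        if "\\ImproveDefenderResilient\\" in r.ioc:
            findings.append(("drop_directory", r.process, r.ioc))
    return {"findings": findings, "unattributed": sorted(seen - CHROME_PROCS - WINDOWS_PROCS)}


# Constructed input: rows copied from the tables above, run together as on the page.
SAMPLE_FLAT = " ".join([
    r"description ioc Process",
    r"Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} setup.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.90\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable" setup.exe',
    r"File created C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc msiexec.exe",
    r"File opened for modification C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe OoRjJglzLJCL.exe",
    r"File opened (read-only) \??\Y: ojZEoSUznz17.exe",
    r"File opened (read-only) \??\A: msiexec.exe",
    r"File opened (read-only) \??\V: ojZEoSUznz17.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ojZEoSUznz17.exe",
])

if __name__ == "__main__":
    recs = parse_rows(SAMPLE_FLAT)
    for name, value in triage(recs).items():
        print(name, value)
    print(drive_letters(recs))
    print(parse_memory_resource("behavioral2/memory/4816-127-0x000000002B3D0000-0x000000002B58B000-memory.dmp"))
```

The row splitter relies on the action keywords never appearing inside an IoC value, which holds for this report but should be checked on any other export before the output is trusted; the process grouping is the part to adjust for a different sample.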
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e57bcd8.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57bcd8.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{D2129BB0-0088-4785-95E7-8B3E656E5BD9} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBDE1.tmp | msiexec.exe
File created | C:\Windows\Installer\e57bcda.msi | msiexec.exe
All eight rows are ordinary Windows Installer bookkeeping for this MSI. The GUID in the SourceHash file name is the package's MSI ProductCode and is a usable pivot for finding other installs of the same package; the ngen.log write shows the install invoked the .NET native image generator, consistent with the .NET component lTRNmTKwQzfm.exe seen elsewhere in the report.
Executes dropped EXE 34 IoCs
pid | Process
2112 | OoRjJglzLJCL.exe
1888 | ojZEoSUznz17.exe
4640 | ChromeSetup(1).exe
4588 | updater.exe
4856 | updater.exe
4820 | lTRNmTKwQzfm.exe
1564 | updater.exe
2720 | updater.exe
2216 | updater.exe
2512 | updater.exe
2944 | lTRNmTKwQzfm.exe
1440 | lTRNmTKwQzfm.exe
3784 | ojZEoSUznz17.exe
4816 | ojZEoSUznz17.exe
2380 | 129.0.6668.90_chrome_installer.exe
3992 | setup.exe
1436 | setup.exe
3480 | setup.exe
1644 | setup.exe
1768 | chrome.exe
1060 | chrome.exe
4920 | chrome.exe
3412 | chrome.exe
644 | chrome.exe
3752 | chrome.exe
1780 | elevation_service.exe
1860 | chrome.exe
4620 | chrome.exe
732 | chrome.exe
4580 | chrome.exe
3736 | chrome.exe
4904 | chrome.exe
5468 | updater.exe
5484 | updater.exe
The sample-specific chain is OoRjJglzLJCL.exe (2112), ojZEoSUznz17.exe (1888, 3784, 4816) and lTRNmTKwQzfm.exe (4820, 2944, 1440); pid 4816 is the process whose memory matched both YARA rules. Everything else is the bundled Chrome installer, Google Updater and Chrome itself.
Loads dropped DLL 29 IoCs
pid | Process
All 29 loads are by chrome.exe: pid 1768 (2), 1060 (1), 4920 (8), 3412 (2), 644 (2), 1860 (2), 3752 (2), 4620 (2), 732 (2), 4580 (2), 3736 (2), 4904 (2).
Checks whether UAC is enabled 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe (4 rows)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
3660 | msiexec.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
No IoC rows are shown for this signature, so the reading process cannot be identified from this page; chrome.exe itself runs in this trace, so the hit is not by itself attributable to the sample.
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe (8 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ojZEoSUznz17.exe (3 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OoRjJglzLJCL.exe (1 row)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ChromeSetup(1).exe (1 row)
Four of the thirteen opens are by the sample's own binaries (ojZEoSUznz17.exe and OoRjJglzLJCL.exe); the rest are the bundled Google installer components.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2380 | 129.0.6668.90_chrome_installer.exe
3992 | setup.exe
Both processes belong to the bundled Chrome installer.
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not reproduced on the page) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
All five rows are writes by vssvc.exe, the Volume Shadow Copy service, during the msiexec.exe install; no row comes from the sample's own binaries, so this signature is not evidence of sandbox evasion by the sample.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ojZEoSUznz17.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ojZEoSUznz17.exe
Both rows are from ojZEoSUznz17.exe, the dropped binary whose memory matched the YARA rules; unlike the chrome.exe hardware queries elsewhere in the report, this one is the sample's own behaviour.
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
All three rows are chrome.exe from the bundled install.
Modifies data under HKEY_USERS 64 IoCs
Every row is written by chrome.exe, setup.exe, updater.exe or msiexec.exe; none comes from the sample's own binaries. The writes land in the .DEFAULT and S-1-5-19 hives, which is what Chrome's first run produces when the installer chain launches it from a system or service context rather than a user session.
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome | setup.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\google.services.account_id = "4159F4029358507FEC9D1EFDD9689A50F2C1FC3EAE96B0C69BAC3E36F164323B" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\enterprise_signin.policy_recovery_token = "14BEF56DE0277790AA4FA497EEFD06B992EF7D99076408CEED2857E07B672BFA" | chrome.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | updater.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\browser.show_home_button = "2B8282966A07716DF19BE758FB4174CA3F968F4CC0A8AE73EE1C9E150EE51867" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}\lastrun = "13372570959226071" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon\version = "129.0.6668.90" | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725709625973775" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\google.services.last_signed_in_username = "A292ADAAF787689A8992FE9A6C5F6BE4DB77E3AA2C661C7D0A387BEF3D414487" | chrome.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\StabilityMetrics\user_experience_metrics.stability.exited_cleanly = "0" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\Extensions | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0" | setup.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Update | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\session.restore_on_startup = "274F7666EA42108127452F2CD739A4BA0E369817CFDB8F180558CCAA016267B5" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\media.cdm.origin_data = "946805C93967CFB8C75E4A78CF620C5C270440E07C48E873B0EE789AAAE61748" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\nkeimhogjdpnpccoofpliimaahmaaome = "9908585043B7FD002750B9969BA62EC2E2AEF90EF9E0FD1E23E2A92D7C5FBA5D" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon | chrome.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\nkeimhogjdpnpccoofpliimaahmaaome = "94A424A6AE761BE4EF51091BA85619BE9CEAB0A294F5DE202523C995BDBE6E89" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" | setup.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\prefs.preference_reset_time = "3B55CD90837996C1E9193E796103586544C609D686D0549A4D4E027BE860FD38" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | updater.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi = "2D22BB09D9244779219CE623910E9A784D85E56A67A0433F93A88737D5EAA325" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\StabilityMetrics | chrome.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | MsiExec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | updater.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\default_search_provider_data.template_url_data = "B2DBD6B8C7EFAD3A4CC47F03B235688B7E567EE9E78826232BD34D94EE5471B2" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\safebrowsing.incidents_sent = "F4D96C4D6C36690822B6ED40782931F1D15A51EFFECA33416136CEE1508B86AD" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | updater.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | setup.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google | setup.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon | chrome.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon\state = "1" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi = "2526012FD20ACEADCE7D352E67B29C29B418CCA1BB18A263044DFCF76EBC6B53" | chrome.exe
Modifies registry class 64 IoCs
Only the first 42 of the 64 rows are on the page, and the last of those is cut off. All of them are COM interface, CLSID and TypeLib registrations of the bundled Google Updater and Chrome (the "GoogleUpdater TypeLib for ..." names, IGoogleUpdate3Web, IProcessLauncher, IPolicyStatus2, notification_helper.exe) written by updater.exe and setup.exe; none is from the sample's own binaries.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\ = "GoogleUpdater TypeLib for ICurrentState" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ = "IGoogleUpdate3Web" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32 | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.90\\notification_helper.exe\"" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{8A4B5D74-8832-5170-AB03-2415833EC703}\1.0\0 | updater.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\TypeLib\Version = "1.0" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0\0\win32 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib\Version = "1.0" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\ = "{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win64 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatusValue" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF} | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\4" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\TypeLib\Version = "1.0" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\TypeLib\Version = "1.0" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\TypeLib\ = "{DD42475D-6D46-496A-924E-BD5630B4CBBA}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\0\win64 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4} | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\ = "{F4334319-8210-469B-8262-DD03623FEB5B}" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\ = "GoogleUpdater TypeLib for IProcessLauncher" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5} | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\TypeLib\Version = "1.0" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\TypeLib | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\ = "{463ABECF-410D-407F-8AF5-0DF35A005CC8}" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\TypeLib\Version = "1.0" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win32 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962} | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ = "IPolicyStatus2" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\Version = "1.0" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716} | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\ = "{6430040A-5EBD-4E63-A56F-C71D5990F827}" | updater.exe
Set value (str) | (row cut off at the end of the page)
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\4" updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\TypeLib\ = "{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}" updater.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0 updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatus" updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ = "IUpdaterAppStateSystem" updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\Version = "1.0" updater.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32 updater.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ProxyStubClsid32 updater.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32 updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\Version = "1.0" updater.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib updater.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32 updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\0\win32\ = 
"C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" updater.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32 setup.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0\0\win64 updater.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962} updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\ = "{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}" updater.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\0 updater.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 1768 chrome.exe 1768 chrome.exe 1768 chrome.exe 1768 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 28 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 3660)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\94200B3B4792C019EBE7BCFD16573FDEDF385369E41309D82958568078E90C43.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 812)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 2204)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\MsiExec.exe (PID 1780)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding BF1E11A6A50E51A2E7C388808B61F8EC E Global\MSI0000
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe (PID 2112)
      Command line: "C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe" x "C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc" -o"C:\Program Files\ImproveDefenderResilient\" -pBWkOspNCEXRAXyVSBPgs -y
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    - C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe (PID 1888)
      Command line: "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 264 -file file3 -mode mode3 -flag flag3
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe (PID 4640)
      Command line: "C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe"
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Google4640_107721573\bin\updater.exe (PID 4588)
        Command line: "C:\Program Files (x86)\Google4640_107721573\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={FD39FE3E-F972-AC55-37EA-CE3FED473068}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Google4640_107721573\bin\updater.exe (PID 4856)
          Command line: "C:\Program Files (x86)\Google4640_107721573\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x133c694,0x133c6a0,0x133c6ac
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1768)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
          - Checks system information in the registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates system info in registry
          - Modifies data under HKEY_USERS
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1060)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff8ae977bf8,0x7ff8ae977c04,0x7ff8ae977c10
            - Executes dropped EXE
            - Loads dropped DLL
          - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4920)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1972,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=1968 /prefetch:2
            - Executes dropped EXE
            - Loads dropped DLL
          - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3412)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2192,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS
          - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 644)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2332,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=2456 /prefetch:8
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS
          - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3752)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=3252 /prefetch:1
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS
          - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1860)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=3184 /prefetch:1
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS
          - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4620)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4340,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:1
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS
          - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 732)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4652,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:1
            - Executes dropped EXE
            - Loads dropped DLL
          - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4580)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4916,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=4920 /prefetch:8
            - Executes dropped EXE
            - Loads dropped DLL
          - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3736)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4912,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:8
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS
          - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4904)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5264,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:8
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS
- C:\Windows\system32\vssvc.exe (PID 436)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe (PID 4820)
  Command line: "C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe" install
  - Drops file in System32 directory
  - Executes dropped EXE
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe (PID 1564)
  Command line: "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update-internal
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe (PID 2720)
    Command line: "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x12ec694,0x12ec6a0,0x12ec6ac
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe (PID 2216)
  Command line: "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe (PID 2512)
    Command line: "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x12ec694,0x12ec6a0,0x12ec6ac
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\129.0.6668.90_chrome_installer.exe (PID 2380)
    Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\129.0.6668.90_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\91e29489-0155-4566-a2c8-bf7c63e0a493.tmp"
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe (PID 3992)
      Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\91e29489-0155-4566-a2c8-bf7c63e0a493.tmp"
      - Boot or Logon Autostart Execution: Active Setup
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Network Configuration Discovery: Internet Connection Discovery
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe (PID 1436)
        Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6ad8f9628,0x7ff6ad8f9634,0x7ff6ad8f9640
        - Executes dropped EXE
      - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe (PID 3480)
        Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe (PID 1644)
          Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6ad8f9628,0x7ff6ad8f9634,0x7ff6ad8f9640
          - Drops file in Program Files directory
          - Executes dropped EXE
- C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe (PID 2944)
  Command line: "C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe" start
  - Executes dropped EXE
- C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe (PID 1440)
  Command line: "C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe"
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe (PID 3784)
    Command line: "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 162 -file file3 -mode mode3 -flag flag3
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe (PID 4816)
      Command line: "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 362 -file file3 -mode mode3 -flag flag3
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\129.0.6668.90\elevation_service.exe (PID 1780)
  Command line: "C:\Program Files\Google\Chrome\Application\129.0.6668.90\elevation_service.exe"
  - Executes dropped EXE
- C:\Windows\system32\svchost.exe (PID 5184)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe (PID 5468)
  Command line: "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe (PID 5484)
    Command line: "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x12ec694,0x12ec6a0,0x12ec6ac
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Active Setup (1)
- Event Triggered Execution (2): Component Object Model Hijacking (1), Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Active Setup (1)
- Event Triggered Execution (2): Component Object Model Hijacking (1), Installer Packages (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads