gh0strat | 94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94200B3B4792C019EBE7BCFD16573FDEDF385369E41309D82958568078E90C43.msi
Size

28.7MB
MD5

bffddb889b7089cc6af3b9d9efb3c89d
SHA1

977fc679569271849068e704a53c57b09009f414
SHA256

94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43
SHA512

0c3d0db3b8d0c5a071cc3a140695d8ea1b1600c36add6a4c36e24effd9d4dc579ce6953386cc624406c8fb9d6ba436b7082a5e675799d3f860fd0df6a5946e93
SSDEEP

786432:tQ05JQsMXv0z+OEoBvTT1A7IXA5hPP4WhYw70FDDV:e0Tif06OXrT1AGw70FD5

Score

10^/10

gh0strat purplefox discovery evasion persistence privilege_escalation rat rootkit spyware stealer trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4816-127-0x000000002B3D0000-0x000000002B58B000-memory.dmp	purplefox_rootkit
behavioral2/memory/4816-129-0x000000002B3D0000-0x000000002B58B000-memory.dmp	purplefox_rootkit
behavioral2/memory/4816-130-0x000000002B3D0000-0x000000002B58B000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/4816-127-0x000000002B3D0000-0x000000002B58B000-memory.dmp	family_gh0strat
behavioral2/memory/4816-129-0x000000002B3D0000-0x000000002B58B000-memory.dmp	family_gh0strat
behavioral2/memory/4816-130-0x000000002B3D0000-0x000000002B58B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.90\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	ojZEoSUznz17.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	ojZEoSUznz17.exe
File opened (read-only)	\??\W:	ojZEoSUznz17.exe
File opened (read-only)	\??\Z:	ojZEoSUznz17.exe
File opened (read-only)	\??\G:	ojZEoSUznz17.exe
File opened (read-only)	\??\P:	ojZEoSUznz17.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	ojZEoSUznz17.exe
File opened (read-only)	\??\S:	ojZEoSUznz17.exe
File opened (read-only)	\??\R:	ojZEoSUznz17.exe
File opened (read-only)	\??\T:	ojZEoSUznz17.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	ojZEoSUznz17.exe
File opened (read-only)	\??\O:	ojZEoSUznz17.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	ojZEoSUznz17.exe
File opened (read-only)	\??\K:	ojZEoSUznz17.exe
File opened (read-only)	\??\U:	ojZEoSUznz17.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	ojZEoSUznz17.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	ojZEoSUznz17.exe
File opened (read-only)	\??\X:	ojZEoSUznz17.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	ojZEoSUznz17.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	ojZEoSUznz17.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	ojZEoSUznz17.exe
File opened (read-only)	\??\J:	ojZEoSUznz17.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_753AFDB6B788AB7F055EF332F4173015	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_753AFDB6B788AB7F055EF332F4173015	updater.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lTRNmTKwQzfm.exe.log	lTRNmTKwQzfm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	updater.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\te.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\os_update_handler.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\0ae54638-001e-4692-a738-5c59b30d2626.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\es.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\sw.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\cs.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\chrome_proxy.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\notification_helper.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\hr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\nl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\MEIPreload\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\VisualElements\SmallLogoDev.png	setup.exe
File created	C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc	msiexec.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\VisualElements\SmallLogo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\fil.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\hu.pak	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\698ca3fe-7fd5-4f89-a49d-96351c1b2e0b.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\he.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\ko.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\mr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\tr.pak	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\uninstall.cmd	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File created	C:\Program Files (x86)\Google4640_2141196407\UPDATER.PACKED.7Z	ChromeSetup(1).exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe	129.0.6668.90_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\chrome.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\libEGL.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\da.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\en-US.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\chrome.exe.sig	setup.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log	lTRNmTKwQzfm.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\9fece7d5-2bd0-48ff-a302-8f0950dc984c.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\it.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\kn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\eventlog_provider.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files (x86)\chrome_url_fetcher_2216_780328711\-8a69d345-d564-463c-aff1-a69d9e530f96-_129.0.6668.90_all_adoc4766j3bivaj6ot6kye3j6isq.crx3	updater.exe
File opened for modification	C:\Program Files\chrome_installer.log	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\dxil.dll	setup.exe
File created	C:\Program Files (x86)\Google4640_107721573\bin\updater.exe	ChromeSetup(1).exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\ja.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\fa.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\VisualElements\LogoBeta.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\ar.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\dxcompiler.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3992_1078998850\Chrome-bin\129.0.6668.90\optimization_guide_internal.dll	setup.exe
File opened for modification	C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe	OoRjJglzLJCL.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57bcd8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bcd8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D2129BB0-0088-4785-95E7-8B3E656E5BD9}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDE1.tmp	msiexec.exe
File created	C:\Windows\Installer\e57bcda.msi	msiexec.exe

Executes dropped EXE 34 IoCs

pid	Process
2112	OoRjJglzLJCL.exe
1888	ojZEoSUznz17.exe
4640	ChromeSetup(1).exe
4588	updater.exe
4856	updater.exe
4820	lTRNmTKwQzfm.exe
1564	updater.exe
2720	updater.exe
2216	updater.exe
2512	updater.exe
2944	lTRNmTKwQzfm.exe
1440	lTRNmTKwQzfm.exe
3784	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
2380	129.0.6668.90_chrome_installer.exe
3992	setup.exe
1436	setup.exe
3480	setup.exe
1644	setup.exe
1768	chrome.exe
1060	chrome.exe
4920	chrome.exe
3412	chrome.exe
644	chrome.exe
3752	chrome.exe
1780	elevation_service.exe
1860	chrome.exe
4620	chrome.exe
732	chrome.exe
4580	chrome.exe
3736	chrome.exe
4904	chrome.exe
5468	updater.exe
5484	updater.exe

Loads dropped DLL 29 IoCs

pid	Process
1768	chrome.exe
1060	chrome.exe
1768	chrome.exe
4920	chrome.exe
4920	chrome.exe
3412	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
3412	chrome.exe
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
644	chrome.exe
1860	chrome.exe
644	chrome.exe
1860	chrome.exe
3752	chrome.exe
3752	chrome.exe
4620	chrome.exe
4620	chrome.exe
732	chrome.exe
732	chrome.exe
4580	chrome.exe
4580	chrome.exe
3736	chrome.exe
3736	chrome.exe
4904	chrome.exe
4904	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3660	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojZEoSUznz17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojZEoSUznz17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OoRjJglzLJCL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojZEoSUznz17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeSetup(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2380	129.0.6668.90_chrome_installer.exe
3992	setup.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ojZEoSUznz17.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ojZEoSUznz17.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\google.services.account_id = "4159F4029358507FEC9D1EFDD9689A50F2C1FC3EAE96B0C69BAC3E36F164323B"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\enterprise_signin.policy_recovery_token = "14BEF56DE0277790AA4FA497EEFD06B992EF7D99076408CEED2857E07B672BFA"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	updater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\browser.show_home_button = "2B8282966A07716DF19BE758FB4174CA3F968F4CC0A8AE73EE1C9E150EE51867"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}\lastrun = "13372570959226071"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon\version = "129.0.6668.90"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725709625973775"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\google.services.last_signed_in_username = "A292ADAAF787689A8992FE9A6C5F6BE4DB77E3AA2C661C7D0A387BEF3D414487"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\StabilityMetrics\user_experience_metrics.stability.exited_cleanly = "0"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\Extensions	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Update	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\session.restore_on_startup = "274F7666EA42108127452F2CD739A4BA0E369817CFDB8F180558CCAA016267B5"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\media.cdm.origin_data = "946805C93967CFB8C75E4A78CF620C5C270440E07C48E873B0EE789AAAE61748"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\nkeimhogjdpnpccoofpliimaahmaaome = "9908585043B7FD002750B9969BA62EC2E2AEF90EF9E0FD1E23E2A92D7C5FBA5D"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\nkeimhogjdpnpccoofpliimaahmaaome = "94A424A6AE761BE4EF51091BA85619BE9CEAB0A294F5DE202523C995BDBE6E89"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall"	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\prefs.preference_reset_time = "3B55CD90837996C1E9193E796103586544C609D686D0549A4D4E027BE860FD38"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi = "2D22BB09D9244779219CE623910E9A784D85E56A67A0433F93A88737D5EAA325"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\StabilityMetrics	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\default_search_provider_data.template_url_data = "B2DBD6B8C7EFAD3A4CC47F03B235688B7E567EE9E78826232BD34D94EE5471B2"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\safebrowsing.incidents_sent = "F4D96C4D6C36690822B6ED40782931F1D15A51EFFECA33416136CEE1508B86AD"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon\state = "1"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi = "2526012FD20ACEADCE7D352E67B29C29B418CCA1BB18A263044DFCF76EBC6B53"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\ = "GoogleUpdater TypeLib for ICurrentState"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ = "IGoogleUpdate3Web"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.90\\notification_helper.exe\""	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8A4B5D74-8832-5170-AB03-2415833EC703}\1.0\0	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\ = "{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatusValue"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\TypeLib\ = "{DD42475D-6D46-496A-924E-BD5630B4CBBA}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\ = "{F4334319-8210-469B-8262-DD03623FEB5B}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\ = "GoogleUpdater TypeLib for IProcessLauncher"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\ = "{463ABECF-410D-407F-8AF5-0DF35A005CC8}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ = "IPolicyStatus2"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\ = "{6430040A-5EBD-4E63-A56F-C71D5990F827}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\TypeLib\ = "{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatus"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ = "IUpdaterAppStateSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\ = "{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\0	updater.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
812	msiexec.exe
812	msiexec.exe
1888	ojZEoSUznz17.exe
1888	ojZEoSUznz17.exe
4588	updater.exe
4588	updater.exe
4588	updater.exe
4588	updater.exe
4588	updater.exe
4588	updater.exe
1564	updater.exe
1564	updater.exe
1564	updater.exe
1564	updater.exe
1564	updater.exe
1564	updater.exe
2216	updater.exe
2216	updater.exe
2216	updater.exe
2216	updater.exe
2216	updater.exe
2216	updater.exe
2216	updater.exe
2216	updater.exe
1440	lTRNmTKwQzfm.exe
3784	ojZEoSUznz17.exe
3784	ojZEoSUznz17.exe
3784	ojZEoSUznz17.exe
3784	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe
4816	ojZEoSUznz17.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3660	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3660	msiexec.exe
Token: SeSecurityPrivilege	812	msiexec.exe
Token: SeCreateTokenPrivilege	3660	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3660	msiexec.exe
Token: SeLockMemoryPrivilege	3660	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3660	msiexec.exe
Token: SeMachineAccountPrivilege	3660	msiexec.exe
Token: SeTcbPrivilege	3660	msiexec.exe
Token: SeSecurityPrivilege	3660	msiexec.exe
Token: SeTakeOwnershipPrivilege	3660	msiexec.exe
Token: SeLoadDriverPrivilege	3660	msiexec.exe
Token: SeSystemProfilePrivilege	3660	msiexec.exe
Token: SeSystemtimePrivilege	3660	msiexec.exe
Token: SeProfSingleProcessPrivilege	3660	msiexec.exe
Token: SeIncBasePriorityPrivilege	3660	msiexec.exe
Token: SeCreatePagefilePrivilege	3660	msiexec.exe
Token: SeCreatePermanentPrivilege	3660	msiexec.exe
Token: SeBackupPrivilege	3660	msiexec.exe
Token: SeRestorePrivilege	3660	msiexec.exe
Token: SeShutdownPrivilege	3660	msiexec.exe
Token: SeDebugPrivilege	3660	msiexec.exe
Token: SeAuditPrivilege	3660	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3660	msiexec.exe
Token: SeChangeNotifyPrivilege	3660	msiexec.exe
Token: SeRemoteShutdownPrivilege	3660	msiexec.exe
Token: SeUndockPrivilege	3660	msiexec.exe
Token: SeSyncAgentPrivilege	3660	msiexec.exe
Token: SeEnableDelegationPrivilege	3660	msiexec.exe
Token: SeManageVolumePrivilege	3660	msiexec.exe
Token: SeImpersonatePrivilege	3660	msiexec.exe
Token: SeCreateGlobalPrivilege	3660	msiexec.exe
Token: SeBackupPrivilege	436	vssvc.exe
Token: SeRestorePrivilege	436	vssvc.exe
Token: SeAuditPrivilege	436	vssvc.exe
Token: SeBackupPrivilege	812	msiexec.exe
Token: SeRestorePrivilege	812	msiexec.exe
Token: SeRestorePrivilege	812	msiexec.exe
Token: SeTakeOwnershipPrivilege	812	msiexec.exe
Token: SeRestorePrivilege	812	msiexec.exe
Token: SeTakeOwnershipPrivilege	812	msiexec.exe
Token: SeBackupPrivilege	2204	srtasks.exe
Token: SeRestorePrivilege	2204	srtasks.exe
Token: SeSecurityPrivilege	2204	srtasks.exe
Token: SeTakeOwnershipPrivilege	2204	srtasks.exe
Token: SeRestorePrivilege	2112	OoRjJglzLJCL.exe
Token: 35	2112	OoRjJglzLJCL.exe
Token: SeSecurityPrivilege	2112	OoRjJglzLJCL.exe
Token: SeSecurityPrivilege	2112	OoRjJglzLJCL.exe
Token: SeBackupPrivilege	2204	srtasks.exe
Token: SeRestorePrivilege	2204	srtasks.exe
Token: SeSecurityPrivilege	2204	srtasks.exe
Token: SeTakeOwnershipPrivilege	2204	srtasks.exe
Token: SeRestorePrivilege	812	msiexec.exe
Token: SeTakeOwnershipPrivilege	812	msiexec.exe
Token: SeRestorePrivilege	812	msiexec.exe
Token: SeTakeOwnershipPrivilege	812	msiexec.exe
Token: SeRestorePrivilege	812	msiexec.exe
Token: SeTakeOwnershipPrivilege	812	msiexec.exe
Token: SeRestorePrivilege	812	msiexec.exe
Token: SeTakeOwnershipPrivilege	812	msiexec.exe
Token: SeRestorePrivilege	812	msiexec.exe
Token: SeTakeOwnershipPrivilege	812	msiexec.exe
Token: SeRestorePrivilege	812	msiexec.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3660	msiexec.exe
3660	msiexec.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 2204	812	msiexec.exe	87
PID 812 wrote to memory of 2204	812	msiexec.exe	87
PID 812 wrote to memory of 1780	812	msiexec.exe	89
PID 812 wrote to memory of 1780	812	msiexec.exe	89
PID 1780 wrote to memory of 2112	1780	MsiExec.exe	90
PID 1780 wrote to memory of 2112	1780	MsiExec.exe	90
PID 1780 wrote to memory of 2112	1780	MsiExec.exe	90
PID 1780 wrote to memory of 1888	1780	MsiExec.exe	92
PID 1780 wrote to memory of 1888	1780	MsiExec.exe	92
PID 1780 wrote to memory of 1888	1780	MsiExec.exe	92
PID 1780 wrote to memory of 4640	1780	MsiExec.exe	94
PID 1780 wrote to memory of 4640	1780	MsiExec.exe	94
PID 1780 wrote to memory of 4640	1780	MsiExec.exe	94
PID 4640 wrote to memory of 4588	4640	ChromeSetup(1).exe	95
PID 4640 wrote to memory of 4588	4640	ChromeSetup(1).exe	95
PID 4640 wrote to memory of 4588	4640	ChromeSetup(1).exe	95
PID 4588 wrote to memory of 4856	4588	updater.exe	96
PID 4588 wrote to memory of 4856	4588	updater.exe	96
PID 4588 wrote to memory of 4856	4588	updater.exe	96
PID 1564 wrote to memory of 2720	1564	updater.exe	100
PID 1564 wrote to memory of 2720	1564	updater.exe	100
PID 1564 wrote to memory of 2720	1564	updater.exe	100
PID 2216 wrote to memory of 2512	2216	updater.exe	102
PID 2216 wrote to memory of 2512	2216	updater.exe	102
PID 2216 wrote to memory of 2512	2216	updater.exe	102
PID 1440 wrote to memory of 3784	1440	lTRNmTKwQzfm.exe	107
PID 1440 wrote to memory of 3784	1440	lTRNmTKwQzfm.exe	107
PID 1440 wrote to memory of 3784	1440	lTRNmTKwQzfm.exe	107
PID 3784 wrote to memory of 4816	3784	ojZEoSUznz17.exe	109
PID 3784 wrote to memory of 4816	3784	ojZEoSUznz17.exe	109
PID 3784 wrote to memory of 4816	3784	ojZEoSUznz17.exe	109
PID 2216 wrote to memory of 2380	2216	updater.exe	119
PID 2216 wrote to memory of 2380	2216	updater.exe	119
PID 2380 wrote to memory of 3992	2380	129.0.6668.90_chrome_installer.exe	120
PID 2380 wrote to memory of 3992	2380	129.0.6668.90_chrome_installer.exe	120
PID 3992 wrote to memory of 1436	3992	setup.exe	121
PID 3992 wrote to memory of 1436	3992	setup.exe	121
PID 3992 wrote to memory of 3480	3992	setup.exe	122
PID 3992 wrote to memory of 3480	3992	setup.exe	122
PID 3480 wrote to memory of 1644	3480	setup.exe	123
PID 3480 wrote to memory of 1644	3480	setup.exe	123
PID 4588 wrote to memory of 1768	4588	updater.exe	125
PID 4588 wrote to memory of 1768	4588	updater.exe	125
PID 1768 wrote to memory of 1060	1768	chrome.exe	126
PID 1768 wrote to memory of 1060	1768	chrome.exe	126
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127
PID 1768 wrote to memory of 4920	1768	chrome.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\94200B3B4792C019EBE7BCFD16573FDEDF385369E41309D82958568078E90C43.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3660

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding BF1E11A6A50E51A2E7C388808B61F8EC E Global\MSI0000
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe
    "C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe" x "C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc" -o"C:\Program Files\ImproveDefenderResilient\" -pBWkOspNCEXRAXyVSBPgs -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
    "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 264 -file file3 -mode mode3 -flag flag3
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1888
- - C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe
    "C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Program Files (x86)\Google4640_107721573\bin\updater.exe
      "C:\Program Files (x86)\Google4640_107721573\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={FD39FE3E-F972-AC55-37EA-CE3FED473068}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
      4⤵
      Drops file in System32 directory
      Drops file in Program Files directory
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Program Files (x86)\Google4640_107721573\bin\updater.exe
        
        "C:\Program Files (x86)\Google4640_107721573\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x133c694,0x133c6a0,0x133c6ac
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4856
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
        5⤵
        Checks system information in the registry
        Executes dropped EXE
        Loads dropped DLL
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff8ae977bf8,0x7ff8ae977c04,0x7ff8ae977c10
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1060
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1972,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=1968 /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4920
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2192,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:3412
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2332,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=2456 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:644
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=3252 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:3752
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=3184 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:1860
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4340,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:4620
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4652,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:732
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4916,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=4920 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4580
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4912,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:3736
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5264,i,4906268264225414903,14635198070061086202,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:4904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe
"C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe" install
1⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:4820

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x12ec694,0x12ec6a0,0x12ec6ac
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2720

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x12ec694,0x12ec6a0,0x12ec6ac
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2512
- C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\129.0.6668.90_chrome_installer.exe
  "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\129.0.6668.90_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\91e29489-0155-4566-a2c8-bf7c63e0a493.tmp"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe
    "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\91e29489-0155-4566-a2c8-bf7c63e0a493.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6ad8f9628,0x7ff6ad8f9634,0x7ff6ad8f9640
      4⤵
      Executes dropped EXE
      PID:1436
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Drops file in System32 directory
      Drops file in Program Files directory
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:3480
    - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe
        
        "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6ad8f9628,0x7ff6ad8f9634,0x7ff6ad8f9640
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        
        PID:1644

C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe
"C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe" start
1⤵
- Executes dropped EXE
PID:2944

C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe
"C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
  "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 162 -file file3 -mode mode3 -flag flag3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
    "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 362 -file file3 -mode mode3 -flag flag3
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4816

C:\Program Files\Google\Chrome\Application\129.0.6668.90\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\129.0.6668.90\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5184

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:5468
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x12ec694,0x12ec6a0,0x12ec6ac
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57bcd9.rbs

Filesize
8KB

MD5
c6a75894aa8772287e8f165be50a1f2f

SHA1
bcc4dff3435d06ca01e8f8d819de65fea1643af4

SHA256
7b0f21ed2de05b0cc098a2d8c3484ffd53fd1f9209206a0dc91fe63a4ca00cb5

SHA512
249a654c27d9bb3e92b768d5d141f5e8a5d9e256cea22072e1ae121d59038e4a67075df0099d869a479a8e3ee17143e3bbdf8c32f8f1a56e9cea03439c9d353c

Download Submit
C:\Program Files (x86)\Google4640_107721573\bin\updater.exe

Filesize
4.7MB

MD5
823816b4a601c69c89435ee17ef7b9e0

SHA1
2fc4c446243be4a18a6a0d142a68d5da7d2a6954

SHA256
c2a7c0fa80f228c2ce599e4427280997ea9e1a3f85ed32e5d5e4219dfb05ddb2

SHA512
f3b38807ed1eb96c932e850b9b37551554408a628bedf12aa32bde08c442ff3663bf584335e7eab193ce2cf7552bce456737c96a2ba9faa953150e6304068fc6

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat

Filesize
40B

MD5
cabbf468ec93ebd88cc3e8c628bba9a6

SHA1
dad87ef5ee817a29b078480967fd84fea6e9c511

SHA256
7bf15622eecc26291de1cd00fc5544c3554925fdc915c22345d6f9d2d112188a

SHA512
5974d994140372be4b91421813d6667dc1e0691da3d858c6c5e2cb0ffd6646a3570beb15e50de4c4208ad6f987fefaa6869f82200c858b880122663920100523

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\9fece7d5-2bd0-48ff-a302-8f0950dc984c.tmp

Filesize
492B

MD5
050f5ea303ff566040da1b142f2c3311

SHA1
0f1c5fb45fbfc7ac3ce2799ae15ae1f8ae79ae9b

SHA256
246d1e9fa3b02bdd3bec3807e65078052143400c643cd0e962f2f0f2b4ec5670

SHA512
e7482e84d73ead2e69e99ba11681edd416319b45abc557ad2fe86e6f55f57bc74dc593d85914aec1b06c4f45b149809b45739b07e0970c72cf4832cb6312856c

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
354B

MD5
d4927578fc92dc543365aa4e43b202ba

SHA1
5e1aeb950ac6ac3f071fa02f90a4fbc0c8e5304c

SHA256
4ac029c04a6e82f4c588237f57a798b4285c818bdbb4250c20f11a5b95d4ecd1

SHA512
4c6cbf4bfb4279edc6d6bd816ca4d1d4dbc8b7f06d875493ffeea3a8782568f49911db28aae743a41962bbe4fe34afc531e119be58888a2acf0623e99df38e95

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
591B

MD5
3d298363d6bbd805d94ef016ab6c45da

SHA1
eaebf04de34793d0250cf9370de042e804781820

SHA256
1c88a0d2ba1a4aadc602a1c6bc6c844049d06f5eecccf26e322b0f2a08dc756f

SHA512
8aecd65c67846b571183df560a726fc63a59e84059e4487f4dbed0f06112263899c8ff260e84178d1e8b7420b1d355708d1ae2a7b0dbcc71bc28d17dec7e25a9

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
591B

MD5
31e2c7f9288d5663acbba2725945d5a2

SHA1
da07b8992fe4699121bb60efbfa0925d24179b0a

SHA256
936d4e82c20010420e61728edbb87e2b8f6af9d5dab8177342de55c84c54634b

SHA512
fd217ec803080cfe7a176d556001e399fd671abddc4a2113b784b1685159da85020ad0aa660eca06ed6b62fdb31b56aa9edca6b9592ab8542108b5a5191e3b0c

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
49B

MD5
7b693a82168c33ec9e8cf276859ddf7f

SHA1
d396dbbe299fe7754a6244d01e97cc4edd0693eb

SHA256
84a9a7f43db56cd6e9a408f88244e8ba5efbe48a5b5168d321f112b8c8fd8e3f

SHA512
4064c158d753d19a72e1be1c8bd5fe7f22e2032d67d1dd7ea1d85ce652d63c69b85a4292c4403b0f7729b05607f3d1ccfaf4d27d04ad09ffcec70082450320ab

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
1KB

MD5
f4ea39fe3c4d6f81916c1d47a33251c1

SHA1
2e41ef22e038c04965336eccf2334282c8087771

SHA256
eed20c7623350646ced1fa35178398662d185d44d0e2dcf064e9699b3f1cfce9

SHA512
efd00c9ee142052cd50672eb90b4f3309988e84515c9ba40ef794a654d91d65ec142a3ba25bee2eefd28bbe9e75d4e03f9bea93a52b32765268d5e1f0e202d51

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
2KB

MD5
1731a7feb240645749b5e4034d546745

SHA1
04f973d552e4e89219c99d9d5546d0496ddd8863

SHA256
810556911941e85d3f977626cc293e54b04b7907db17743dc9f81001f186b99e

SHA512
04f55604737fd47b495bf5fbd3e6cb5691cd88b3ddeba3bc59481fb45384fb5848f9924657146b7aa277db7c3181058dfeb32a38c97dfcd6bac3981af05abed9

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
4KB

MD5
28c71b64d27601efcda62659b320ac56

SHA1
e5e2d1ac1d1edcb18a5b62108df715c8192ca749

SHA256
d452df6c0a41b66bd313c5d5e889b90afdd3257dd06c81141cd40de9ff76e037

SHA512
ac6bc54996d592d1ec99ac97097496d9b8ad333df0da54493e05a41ee08421459f2bcac243f928ae8dc85d75daa2997350db78902678c6d38aac93b7114cc3d5

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
4KB

MD5
df2fa17085b1178c6998cc41eae5334c

SHA1
385a70abb8e56621a1ebe5047bd74c4e9cbefe44

SHA256
ab0ef381fdfe6e895f9d1e5f9718016e880b393381655746178e3adf8b17632d

SHA512
4d83f370c90c14c4bbe2a52dcceedbeef2d5f07bd1c9019650a9dbacd6ea6f2a7518a073f40db2bf15095f92771862eccbf1340d8b878fd245a787589630a197

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
9KB

MD5
408869f46009fb2b022dacea016aa379

SHA1
147b1fc2736f1e30f0d73818169afd7af4cb0d1a

SHA256
acbd95119f0703584e22537974ba998130bd3293f06f154518e5d5dbeaf9e9d8

SHA512
26db813f13af454895c916d5136f278ed06e600a0e0a0e6c1d056fa6d86c16f347655bc8a10da269084063a1d8bb2af6f3706efbda4580f1728b6a27ae876d2d

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
11KB

MD5
bdaf7268dedfdcdb49b95dffcd33f6fd

SHA1
f061e974c64a1efd1c519cbcde4fa39309b03ca5

SHA256
5191c8db27421a7affc7b7aec5d84a786de5df791e881ca725331a8baba5c8d6

SHA512
58238bddb33ed6fddcb3e20c3cca374e9d48b10a8d4a6e4da3d6fb69f315d90712385dbea7edec67d9d3d8f120fd866882efdff61a7e6809e5fc66c833c938b0

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\91e29489-0155-4566-a2c8-bf7c63e0a493.tmp

Filesize
680KB

MD5
e8bdb8470612de48a2969dc9044a6827

SHA1
c639858bc762f1a81c7d49fb3882ecc287bf328c

SHA256
bcdb382c34a680afcef53e3e3104328f17a185bf00ca47307ded59eb4a077f0f

SHA512
8fdf5cd80eaa8c94bff22c0072ab5a4a3d510074da7f089c9cb5e8f946238ec64ca6cf0b45f643c58b580cfb39ab0c75a2ad7accca0ca0ef5dd6f27f3a1b580d

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2216_1254460817\CR_4A671.tmp\setup.exe

Filesize
5.8MB

MD5
2bff61e098cb435c0680f80c6ed9b261

SHA1
62ec8eee0a1da31677eda7fdeafe0d18c86e0c0d

SHA256
c78c91a2b491d0f42c9f6754bbaa011c65c73160ebff2852ceebac41a535f4ec

SHA512
8c3bcae53a0012c8dc728d8742eaaa94feeb9644cd3387a8ba953b6b259da894dc407064b527a958b18a74a986728c3c0cbfbad8f8fbaf5c8c6544b0e3246662

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
1f29661577d73d34562cfa83922a8705

SHA1
8c5d38f6eb3813c1d1150017f05f8930e61c0094

SHA256
190e8f98579bece07125bca4c381358033766dc5aca06dd0b282442b814add69

SHA512
ab47ef3d1cf83ab70da597184f518480440048635a9915065f76fc98c6aeaecd75c5f27319c9dc224625a8534c230303cd0a2844a07c892ab30f331438b64f3a

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.90\chrome_elf.dll

Filesize
1.2MB

MD5
fc5a0077095107949395677b38aa28c4

SHA1
07f042b616804fb3d053ee0b03df39730abdc8ea

SHA256
16512b1b35bd85e9d4b41d5a6677c9ae59020bebb2c334a40233532a2474ab1c

SHA512
070af019209d635ccf13e59a5798de80627c1eeb756423066563c63db04c94b2e674a1534559ce0d4b50a14ec907b2d6dadd5b6c33ea5efb99f2dd9722132ef5

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.90\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Program Files\Google\Chrome\Application\129.0.6668.90\libGLESv2.dll

Filesize
7.9MB

MD5
d18593720dcfb0539f6d625e8f311b43

SHA1
b7aef63354e8cf733af5ecd27cf715c8461af94d

SHA256
f913d483492ceaa2e0ae63b9ed5ce605e0a9c79518a448f36dec09ad86715b0f

SHA512
092a79db1262c6f732373f1692b82dc87bd3e32e0d2244f94a55d2cef444417686549478efe912060c0e39f571f9207a8b62ccba3fb76853713fead38d9e4b9e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.6MB

MD5
2fb6428bd717b9694fc79e9115987afc

SHA1
2e9eb0b4fca60a5ede55e3e66e0c1d481b97aae9

SHA256
7a7304c716b24f97ac5c83c4f509b1820a7b116eee6716a839952a5f502bf056

SHA512
16f1530e8660f6411c890a675756c3f8a17c2ae2da6f7778ce01a285c75e72bd65a52e8ba3447d6e438fa0e85f065e4b74ebd0a521aa1e377e6ca6d5045915bd

Download Submit
C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe

Filesize
8.5MB

MD5
5adff4313fbd074df44b4eb5b7893c5e

SHA1
d27388ef6cf34d40e0e7666f6381fcc5bbafa0f7

SHA256
d0c7a4390bdd6b442b96fc76f8a38f7b756ba2c16752ea259844420161865cae

SHA512
f5d639922b91878cf83d97563288a3aa4cba94db3ad5e8ac11d24ef7c44b019383a4414aeba6171b4c7bfa83ea1eafc1231cc9233e3b82b5ca7dc0b3ffacbf60

Download Submit
C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe

Filesize
577KB

MD5
11fa744ebf6a17d7dd3c58dc2603046d

SHA1
d99de792fd08db53bb552cd28f0080137274f897

SHA256
1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

SHA512
424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

Download Submit
C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc

Filesize
1.1MB

MD5
04b529a6aef5e7c2a1f79a04b81be20f

SHA1
ee6a4c1f35ae62a42c0a4378362878769cd3aec1

SHA256
c7101b019dc7625c4036420b8c9f90ad4c6e7e57d847b1c60c6270cc67cf8aca

SHA512
328ed4939b78630cec8aa7ff3fc0af48ae4b1592241265d8f3d60d2945772686b1a1eb40b1ace635dad911482a12a985432793cf48ca9d637558982c53a11f81

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log

Filesize
272B

MD5
2ae573f8f78b749f26e80cd0450ee3ea

SHA1
2da412a5bdc67dd2af705e962c68f3f1b8704406

SHA256
e403f64b5c92e2c82ad2a3a551c020f0a09b40eba7b674bd4d9f733c330cc6e9

SHA512
25d939c8c7ac358459c035ad6bfa8a74cfcbe2c5fbd7367837e30bce63fbd3a68b53b515768c33f7aac7a2f2f6de49687a2fd956eec7faeacca6a6ae33aab357

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log

Filesize
431B

MD5
88182631f72b8479d908ad2270b20fd1

SHA1
8fc55730f29cd24ec9f2b4e8deba0e1039d9389f

SHA256
f30888799f4fd2079edd48f7c146afe4dfba1bbfef6223ae00758563281dcd5e

SHA512
af191737cdb10d7061b6f4792bffc69fa848e649e27f439e47f488c8e3abbdd6e131f95a3a226ca5978a969c736c111c947140975fd1564c4805865e9cb005ca

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log

Filesize
600B

MD5
355fbf55f3101c49a1ff0b8d5a29776f

SHA1
82d4070bb0c0b80147071e1092069d3e41ff6f19

SHA256
1dfe9b7a759df00c2b8bb29228c7016da36a75a1c5c873bb7f2fcce76185361d

SHA512
4506e3ee2b0a15e213e43bb7278810d99e6db1ff219402ff8c22a94ef0c81f77afea9e8f0ade59373dec4b8ffaa39f9f4c4a67878aa6c5829876c60a04584514

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log

Filesize
749B

MD5
db85de7d64dfcdd6f95bd7ef22079694

SHA1
a6dbb9214d14e097411e1fe1c2767510ae363e3a

SHA256
7150b5dc6a376d53189e5a601b3e87d49a77fe77b2e2e0c85bc6ebafec131cd7

SHA512
8a043e6dbefd7e90e9c45aa762ea43e1413765da21e1e513ff85e4681d6b8b0ca2e913b02d5d774c5794bb3fab06cb350d7492ee204870fbac3be28e14b2b198

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.xml

Filesize
448B

MD5
266bfe492318ff1337c913cc4635f563

SHA1
32f7a6db72b608302368b546afaf9e2307fd1dde

SHA256
23eda6decdfaeed555d8ad9f83795a90cbedef8a3b75960d6794bb231e86fc47

SHA512
872cd6a69305aae9ac776a031a4c1b2d5ce08915477225752154e45d32dcbaafa29048d9033577caedd3eb2d862373b08d61d211e55e8673265d87ca01afd341

Download Submit
C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe

Filesize
2.4MB

MD5
f85f44f7f01ac7dfe2d379dad4386920

SHA1
2d1fefb3ac611e97845659085aaccf10b74815a1

SHA256
e2dde008486ee007b634bb8012ae1fc11f79ee4a2ce6e4d5337074cfb2582e73

SHA512
56d060093e92a6663b4c17a39c209009439d09b119856890ed9200cac51a3d2c7f726b681964cce83e0daf77a177db62fa5cf5ddb639fbe25c4be5c6fa5cc7a1

Download Submit
C:\Program Files\chrome_installer.log

Filesize
21KB

MD5
3a1e9c739bb0e1b60bf26989818c8d8f

SHA1
424adf9c62bd35dfe8e9b470f6529302b4c6a4a7

SHA256
dbee03f830937864d224e066efb1b00e25fe7c4e6c73ab5fbb3138d2b0843732

SHA512
051014f2b3f4cdfacb191817639476ca077ede8bd98caeef628bb16cdb3d3f30293ceb9846a38da585193cf00627ecb9ffa290b49ae7367ad2c9afb737279661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1a1804671e95c240b0ed913538cd4f68

SHA1
af9f03eba4eca60721af81e23c39e0f8e848494b

SHA256
57b9faac0dce057ada3552be969179587698ddf757b7f40ed69da6b6b033e833

SHA512
edd3506d5334a9fef67fd813d1f290d3902deb30fc7ae72952d916a9601f25ab6a14e17e05051410de453850e3a3f08017a0005b861aed0600dfac3ca1a72a49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7a3703fe7ef32fa4aea3c338a94721ca

SHA1
0eb4149debf2ea6d54449c0a4e5a682f73b20e03

SHA256
2a3d0892f62be355cac25d7e63bf628027e9d26ca4964da7076bfc7324ad7751

SHA512
01444072b9ffb4a8acf4c6e2098fb152f1c259f6f39a2f79d42278e273c5d504c2e4f467c1bca21807ea6fb88c1e0dcce15fc701ee7708a03985cd6cf065d0b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
76236b5ad59f4e5ccf5df6112748572c

SHA1
ae972ef0a3a3c9b7d5b96b9fdd8b2ef10d68e58f

SHA256
78bbb14143f12f576ccc290f680a83b81fca6cea983bf4168a570629ed024a1e

SHA512
c8c1321897a1a68a38d4eed751009e28c25ae892ee050966d571d9112540061c7f44d9dcfeb1204e571750dd89c1c917c4f23dd3df6306113833f95dd27028d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ba9280d97db1f5e69bd9155ab9fdd2e4

SHA1
fdd3a9f4b34f4b3a1ce2f7649cc8a661af4ef061

SHA256
4613e97e1933dfccd83e240a97fefda3e296443f903b3ddbe7bd6192ed9dea07

SHA512
fe748945b368402870d3a95c4c6ff03f0114546f0e113ddf7d1501a429c0c20ae2d25bcf2bc2b422dced0422d142903f31867fbf314105085be7cc478041582d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
184KB

MD5
2d0ef0f6a87cb9fd1ecfd9b486b6ab07

SHA1
e9777bdc3549e42865657536e8da6739f60341f2

SHA256
6ef367616ff751f322cfbc63c7c03e73eae4892bebb1edbcd473c6453d27d2af

SHA512
b2800db1c4fe690e6f08fd08bdb0b3c2a8bd16268c81f58f21e8d5e72d7ff897a69a0c38a31030a3c909c0d7dafba7adf9e2143be2c357cd188c2329f20bee0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
184KB

MD5
bcc1a289d6e875e013cfb0de0d059955

SHA1
e6d85198ea8ebbd254f2e6c584c5eaf28cf06e7b

SHA256
1b491697ca64fee46c45f9909cd99cc59fc0895c2ba2601f87434f13660a88ef

SHA512
666facfe9937b35f59efe1f34e3ef50d611658f47e1027464838b14d36856044ca802b7e8352a4aec3dfb78f14960345a7419b1c7e540b425fcd2ce580255d17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
484e9c0924353aa71571257e1855bdcb

SHA1
534ebd7840585038cc55a745ab136950609597db

SHA256
5fbc85e25c394c424ed33955cd8cb266da925e64aa75e31b62be90774a19129c

SHA512
be8a5d127ce82dc60583aeac9cb1a9ac04d17bc88440b625c5d69ac88b719f0c3d0ef87d16e8b77f366afc800eb4b90df35ca1836ecf1d5b19a05f5a7f6fa049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
92f13764ff40fe2e73c4053383a6b6f5

SHA1
7d398d44c6077a98e6214925ba4b7015c0fbfe3f

SHA256
42c4ff2b277fdf22b04339ff322e6e2c152dc17fd5d843b407dab0952645b439

SHA512
8b02c70e82dda15717e40656abebb7496e6c1f959a8006c834d82de9d1df925954844d4d4da7b5082ceb27d382c7bcccab7b433f07ad37aef4c2e5548c1aec1a

Download Submit
C:\Windows\Installer\e57bcd8.msi

Filesize
28.7MB

MD5
bffddb889b7089cc6af3b9d9efb3c89d

SHA1
977fc679569271849068e704a53c57b09009f414

SHA256
94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43

SHA512
0c3d0db3b8d0c5a071cc3a140695d8ea1b1600c36add6a4c36e24effd9d4dc579ce6953386cc624406c8fb9d6ba436b7082a5e675799d3f860fd0df6a5946e93

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lTRNmTKwQzfm.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
2038975d6cd473665a3593cc8de82a8d

SHA1
969f5e8205ea190dd6e9a40a4b98d15a69799ae1

SHA256
53ce5a2ea8552271d490b9f2289976915c42888f81dca9790738bb349df287a9

SHA512
05497beead99f8f5a8c7a47f05886bc391834ddc67236d02be4184daa7e3c087c2003f24e2157c671fe87aa2cf01f32baf1d6a968b811d9059bd70cc2925318a

Download Submit
\??\Volume{fa35ad82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9be52f1d-f003-4d20-8ebb-f6f92cdbb329}_OnDiskSnapshotProp

Filesize
6KB

MD5
18e7962d3744cac40baceb39c9e62ed3

SHA1
b1a1a314f0a6eb4f674a556fe5ecb3afc73f2eb6

SHA256
7fb22b0e4411ab086c1a3b358e08da4f0563cacd03f773b2c57c64bdade43730

SHA512
4fefd4852bf29e03a68828ce809eeb39f84367d47df2be8f1a40bc1b8077a4b60d503f6c89a281fd907f656128a892f65006989252dccfd8ad9746861ff1fd4d

Download Submit
memory/4816-130-0x000000002B3D0000-0x000000002B58B000-memory.dmp

Filesize
1.7MB

Download
memory/4816-126-0x00000000296C0000-0x00000000296FE000-memory.dmp

Filesize
248KB

Download
memory/4816-127-0x000000002B3D0000-0x000000002B58B000-memory.dmp

Filesize
1.7MB

Download
memory/4816-129-0x000000002B3D0000-0x000000002B58B000-memory.dmp

Filesize
1.7MB

Download
memory/4820-52-0x0000000000DC0000-0x0000000000E96000-memory.dmp

Filesize
856KB

Download