Resubmissions

29-10-2024 18:03

241029-wnd2aaxgmq 10

06-10-2024 12:18

241006-pgxrgstckn 10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2024 12:18

General

  • Target

    94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43.msi

  • Size

    28.7MB

  • MD5

    bffddb889b7089cc6af3b9d9efb3c89d

  • SHA1

    977fc679569271849068e704a53c57b09009f414

  • SHA256

    94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43

  • SHA512

    0c3d0db3b8d0c5a071cc3a140695d8ea1b1600c36add6a4c36e24effd9d4dc579ce6953386cc624406c8fb9d6ba436b7082a5e675799d3f860fd0df6a5946e93

  • SSDEEP

    786432:tQ05JQsMXv0z+OEoBvTT1A7IXA5hPP4WhYw70FDDV:e0Tif06OXrT1AGw70FD5

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 34 IoCs
  • Loads dropped DLL 29 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2084
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding B778AD0B35FEA799C6B7C3C9F71B8F05 E Global\MSI0000
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe
        "C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe" x "C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc" -o"C:\Program Files\ImproveDefenderResilient\" -pBWkOspNCEXRAXyVSBPgs -y
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4780
      • C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
        "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 264 -file file3 -mode mode3 -flag flag3
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2580
      • C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe
        "C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Program Files (x86)\Google1916_871808175\bin\updater.exe
          "C:\Program Files (x86)\Google1916_871808175\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={FD39FE3E-F972-AC55-37EA-CE3FED473068}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
          4⤵
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:996
          • C:\Program Files (x86)\Google1916_871808175\bin\updater.exe
            "C:\Program Files (x86)\Google1916_871808175\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x254,0x27c,0x280,0x258,0x284,0xb1c694,0xb1c6a0,0xb1c6ac
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:424
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
            5⤵
            • Checks system information in the registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Enumerates system info in registry
            • Modifies data under HKEY_USERS
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4516
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcea787bf8,0x7ffcea787c04,0x7ffcea787c10
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:4280
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1892,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=1888 /prefetch:2
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:2968
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2188,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:3
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:4976
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2348,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:8
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:1104
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=3240 /prefetch:1
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:4172
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=3264 /prefetch:1
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:1720
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4352,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:1
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:4296
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=4592 /prefetch:1
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:4564
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4800,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:8
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:5380
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5004,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:8
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:5408
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5096,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:8
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:5728
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2196
  • C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
    "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update-internal
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
      "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x116c694,0x116c6a0,0x116c6ac
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4080
  • C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe
    "C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe" install
    1⤵
    • Drops file in System32 directory
    • Executes dropped EXE
    PID:1564
  • C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
    "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
      "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x116c694,0x116c6a0,0x116c6ac
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2516
    • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\129.0.6668.90_chrome_installer.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\129.0.6668.90_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\7eba23e2-6f8f-4881-ac94-501c8229a592.tmp"
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe
        "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\7eba23e2-6f8f-4881-ac94-501c8229a592.tmp"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Network Configuration Discovery: Internet Connection Discovery
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3212
        • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe
          "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0x274,0x278,0x27c,0x270,0x280,0x7ff738589628,0x7ff738589634,0x7ff738589640
          4⤵
          • Executes dropped EXE
          PID:436
        • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe
          "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
          4⤵
          • Drops file in System32 directory
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:4184
          • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe
            "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff738589628,0x7ff738589634,0x7ff738589640
            5⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            PID:3284
  • C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe
    "C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe" start
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:3564
  • C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe
    "C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
      "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 162 -file file3 -mode mode3 -flag flag3
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
        "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 362 -file file3 -mode mode3 -flag flag3
        3⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1356
  • C:\Program Files\Google\Chrome\Application\129.0.6668.90\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\129.0.6668.90\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:2128
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
      PID:5812
    • C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
      "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      PID:6060
      • C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
        "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x116c694,0x116c6a0,0x116c6ac
        2⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:6076

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57a9ce.rbs

      Filesize

      8KB

      MD5

      838d5c4b2a6d86f0e5860e7fb50e5c5f

      SHA1

      300e9ea27fbc0fb7af8816d2b54014e2fdf59619

      SHA256

      3dbe6e5af2f0a644c7c913170c2d928187d9b6a5639de69fa37ee1d33409866e

      SHA512

      f27feb717e1487bcc416a4b0b0ce550f313fd79c49a9c24ed60d32bea62a1de52c32bec14cb6a052d4f0de1aef13575d731c1c6723b98529e131dfe35dcd33f3

    • C:\Program Files (x86)\Google1916_871808175\bin\updater.exe

      Filesize

      4.7MB

      MD5

      823816b4a601c69c89435ee17ef7b9e0

      SHA1

      2fc4c446243be4a18a6a0d142a68d5da7d2a6954

      SHA256

      c2a7c0fa80f228c2ce599e4427280997ea9e1a3f85ed32e5d5e4219dfb05ddb2

      SHA512

      f3b38807ed1eb96c932e850b9b37551554408a628bedf12aa32bde08c442ff3663bf584335e7eab193ce2cf7552bce456737c96a2ba9faa953150e6304068fc6

    • C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat

      Filesize

      40B

      MD5

      2f83b6090067f1ad860e875175ad3abd

      SHA1

      005328c32c59f05e1457173a2fb26cbe4a934eae

      SHA256

      db036676eb8b22588a0c2259a3ecdd007793b8cb7a24ecbafd4836d755dc931f

      SHA512

      2fbbcc0e74543a209c18b6b4eb875e7157d5a535caf1c5ae3a3b2d2bf521e13937c65cbb12502ddccefb6d3553317288e4dce77419193161591e3d2a57cfc50b

    • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

      Filesize

      492B

      MD5

      6309d4123cd31745ca890e0f5cd79991

      SHA1

      bf4f12e9f583dc977cfd39b9263a93118c5f1356

      SHA256

      9a7b883f9144d62fb764259cb92f8948bfa307e9463f9417b8d77e0841cef9bc

      SHA512

      b4ddd3c51a4f3faf8bd0eb88bcaa86228b812193c04f5fbb83126f0a60ca640e96bdbff2827ac1751c337787f236d2dce6a129e88af05b1bdbe61583485a470a

    • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

      Filesize

      354B

      MD5

      d4927578fc92dc543365aa4e43b202ba

      SHA1

      5e1aeb950ac6ac3f071fa02f90a4fbc0c8e5304c

      SHA256

      4ac029c04a6e82f4c588237f57a798b4285c818bdbb4250c20f11a5b95d4ecd1

      SHA512

      4c6cbf4bfb4279edc6d6bd816ca4d1d4dbc8b7f06d875493ffeea3a8782568f49911db28aae743a41962bbe4fe34afc531e119be58888a2acf0623e99df38e95

    • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

      Filesize

      591B

      MD5

      7dfd61836a50f9164fdafd9cf41bbc6d

      SHA1

      5e2d08d8e69c0f0a5251dc029a4767aa6f4908a1

      SHA256

      f37aa61d321b5fd791af3763984fd4add4de3cd2946caba755fceba0a6e98e73

      SHA512

      739354616d3a06675fabe5f82ac2455709049cde9837080e53540e50e8b9dde7b3babe70d8efacf77f4b3253957dc37a4f714950011d014746b5493147557bb8

    • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

      Filesize

      591B

      MD5

      c039b20290b29aecab0d4004722b99de

      SHA1

      58fe9a437eaa51f3e228baf2915755961bbd2265

      SHA256

      2edec6d92757e9e584e8b4a57310566cc2595e055f9cf0f202f40ba0b10c4b33

      SHA512

      fca1ea361b46cd2e3f812aba8a3b7404ed6f5ff614628e7123e22169cfb650edb782c8e6b90c268ce80649c74c996abf37919531e43f4a707bc92de23e8f210a

    • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

      Filesize

      49B

      MD5

      7b693a82168c33ec9e8cf276859ddf7f

      SHA1

      d396dbbe299fe7754a6244d01e97cc4edd0693eb

      SHA256

      84a9a7f43db56cd6e9a408f88244e8ba5efbe48a5b5168d321f112b8c8fd8e3f

      SHA512

      4064c158d753d19a72e1be1c8bd5fe7f22e2032d67d1dd7ea1d85ce652d63c69b85a4292c4403b0f7729b05607f3d1ccfaf4d27d04ad09ffcec70082450320ab

    • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

      Filesize

      2KB

      MD5

      653cdb391edf2810806b03c9ebe91fda

      SHA1

      37f6878b8c7f3861c78f9130f8702b87dfa45b0a

      SHA256

      da267e6102ca532ecfef4ae5333ce68acb2757a1af45bc84cf1f2b076a417001

      SHA512

      3373e89d8e6c27f6341047717bb6a29ab1f6ea6ac5d7fe4c4648e7cfc0de1000d5eabefff02240c5876d4940941f25e0fba15e7c46304ff2ff7e05edebf167ff

    • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

      Filesize

      4KB

      MD5

      844ce78559c9a94263260d2c33158966

      SHA1

      129c2360c32265637880d6d2a0d60e26132b47fa

      SHA256

      1ca353c9ed5f9bb4318b201bb442f21a10e5f386f15486f899d8e304f266bf43

      SHA512

      ea6471263a72e4218eedb64e4a17f86df126509dde738f05aaeea9cf106bfc2da13222325bc6f785a5e725398c6281a91acbe421ba40c5d1febc278e342d4bdb

    • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

      Filesize

      5KB

      MD5

      7719a516c11a557ad87829d0693f5378

      SHA1

      a3a9995ea31f96fce0175daafa05b3048ae4a2cd

      SHA256

      3b5f0e4cb2c5a328e0079d300d4eaa1e1cfe4639a30f69b15c67a99616c2d58e

      SHA512

      58c9beb985c3d450aa60a8acd1c2936a1b872eb890047351cbcb3c7b4f3f398a5e561b9c84955b8c622abd71ad88559ce19c129f85476b1e38f16a1a5900af9f

    • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

      Filesize

      9KB

      MD5

      9a972f33b6363452a84b7bee3d9709e7

      SHA1

      6bc39f868e5a22af1513533b7379c90ce52acb26

      SHA256

      9685dd7f1e79225dfae2c045b254dd957dd28c3acba47d43c115a16f7f69523a

      SHA512

      566c1a05ac59ccd2247e0044bde7406a5a7c707d0eafb55349e046a286ad1bf73a9a6af7b53383247f2048e9525c5ead2ea7655646216aeef18a9eadee8b71e0

    • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

      Filesize

      11KB

      MD5

      1cba5bd581a487042bdaf06eb1a4872b

      SHA1

      0c4d8fb301e153bb8109ed2c9fef7cf56ee0303b

      SHA256

      d57bb0bed214cfeade892a1d575ba6cd0a73952f4b3b4344d4b3dcd80fa9b94b

      SHA512

      38122e169c18539f0c45f06396e8dcbabba5b55470f62e8d1c914b0d57d0928d68f1193ec005d5e3bf1075893691d391397b0efee1716ed3b1a67415c02c758d

    • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\7eba23e2-6f8f-4881-ac94-501c8229a592.tmp

      Filesize

      680KB

      MD5

      e8bdb8470612de48a2969dc9044a6827

      SHA1

      c639858bc762f1a81c7d49fb3882ecc287bf328c

      SHA256

      bcdb382c34a680afcef53e3e3104328f17a185bf00ca47307ded59eb4a077f0f

      SHA512

      8fdf5cd80eaa8c94bff22c0072ab5a4a3d510074da7f089c9cb5e8f946238ec64ca6cf0b45f643c58b580cfb39ab0c75a2ad7accca0ca0ef5dd6f27f3a1b580d

    • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe

      Filesize

      5.8MB

      MD5

      2bff61e098cb435c0680f80c6ed9b261

      SHA1

      62ec8eee0a1da31677eda7fdeafe0d18c86e0c0d

      SHA256

      c78c91a2b491d0f42c9f6754bbaa011c65c73160ebff2852ceebac41a535f4ec

      SHA512

      8c3bcae53a0012c8dc728d8742eaaa94feeb9644cd3387a8ba953b6b259da894dc407064b527a958b18a74a986728c3c0cbfbad8f8fbaf5c8c6544b0e3246662

    • C:\Program Files\Crashpad\settings.dat

      Filesize

      40B

      MD5

      591fdcb3993735dac39859857362e3e5

      SHA1

      581253e65424a4923e49bbeb7950afcf7afa63af

      SHA256

      47c33b76e49602cf6ec92f49674013f2076f393cb0115c8bb989d0b4b730bfc4

      SHA512

      b79ed725056e34e7a7a4c1cb3369ac8733590208fd80e7e2af4447ae2bbd59b66599f555e5989f70db8f7a1117eb196ba1b364190e5b4f58ba40cb7bab63b9f6

    • C:\Program Files\Google\Chrome\Application\129.0.6668.90\chrome_elf.dll

      Filesize

      1.2MB

      MD5

      fc5a0077095107949395677b38aa28c4

      SHA1

      07f042b616804fb3d053ee0b03df39730abdc8ea

      SHA256

      16512b1b35bd85e9d4b41d5a6677c9ae59020bebb2c334a40233532a2474ab1c

      SHA512

      070af019209d635ccf13e59a5798de80627c1eeb756423066563c63db04c94b2e674a1534559ce0d4b50a14ec907b2d6dadd5b6c33ea5efb99f2dd9722132ef5

    • C:\Program Files\Google\Chrome\Application\129.0.6668.90\d3dcompiler_47.dll

      Filesize

      4.7MB

      MD5

      a7b7470c347f84365ffe1b2072b4f95c

      SHA1

      57a96f6fb326ba65b7f7016242132b3f9464c7a3

      SHA256

      af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

      SHA512

      83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

    • C:\Program Files\Google\Chrome\Application\129.0.6668.90\libEGL.dll

      Filesize

      493KB

      MD5

      077262962ab4006434fe33b582b50a46

      SHA1

      63204f7ede81c318b89bd4d768686fd9a22f3b49

      SHA256

      a759aa54d4aaeb9b9d4d2057405b520ed00e3a4945a55eef9c805f9751612777

      SHA512

      acb625d8925bb2803c4ddb73a937195e1fde4c04433654ba35422e09c0801c23bd0616e70361006d24da3fbd589b0938fd72dc628c4b6ad263193f25d17987ff

    • C:\Program Files\Google\Chrome\Application\129.0.6668.90\libGLESv2.dll

      Filesize

      7.9MB

      MD5

      d18593720dcfb0539f6d625e8f311b43

      SHA1

      b7aef63354e8cf733af5ecd27cf715c8461af94d

      SHA256

      f913d483492ceaa2e0ae63b9ed5ce605e0a9c79518a448f36dec09ad86715b0f

      SHA512

      092a79db1262c6f732373f1692b82dc87bd3e32e0d2244f94a55d2cef444417686549478efe912060c0e39f571f9207a8b62ccba3fb76853713fead38d9e4b9e

    • C:\Program Files\Google\Chrome\Application\chrome.exe

      Filesize

      2.6MB

      MD5

      2fb6428bd717b9694fc79e9115987afc

      SHA1

      2e9eb0b4fca60a5ede55e3e66e0c1d481b97aae9

      SHA256

      7a7304c716b24f97ac5c83c4f509b1820a7b116eee6716a839952a5f502bf056

      SHA512

      16f1530e8660f6411c890a675756c3f8a17c2ae2da6f7778ce01a285c75e72bd65a52e8ba3447d6e438fa0e85f065e4b74ebd0a521aa1e377e6ca6d5045915bd

    • C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe

      Filesize

      8.5MB

      MD5

      5adff4313fbd074df44b4eb5b7893c5e

      SHA1

      d27388ef6cf34d40e0e7666f6381fcc5bbafa0f7

      SHA256

      d0c7a4390bdd6b442b96fc76f8a38f7b756ba2c16752ea259844420161865cae

      SHA512

      f5d639922b91878cf83d97563288a3aa4cba94db3ad5e8ac11d24ef7c44b019383a4414aeba6171b4c7bfa83ea1eafc1231cc9233e3b82b5ca7dc0b3ffacbf60

    • C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe

      Filesize

      577KB

      MD5

      11fa744ebf6a17d7dd3c58dc2603046d

      SHA1

      d99de792fd08db53bb552cd28f0080137274f897

      SHA256

      1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

      SHA512

      424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

    • C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc

      Filesize

      1.1MB

      MD5

      04b529a6aef5e7c2a1f79a04b81be20f

      SHA1

      ee6a4c1f35ae62a42c0a4378362878769cd3aec1

      SHA256

      c7101b019dc7625c4036420b8c9f90ad4c6e7e57d847b1c60c6270cc67cf8aca

      SHA512

      328ed4939b78630cec8aa7ff3fc0af48ae4b1592241265d8f3d60d2945772686b1a1eb40b1ace635dad911482a12a985432793cf48ca9d637558982c53a11f81

    • C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe

      Filesize

      832KB

      MD5

      d305d506c0095df8af223ac7d91ca327

      SHA1

      679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

      SHA256

      923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

      SHA512

      94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

    • C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log

      Filesize

      272B

      MD5

      f5380d7f56c3e29266a4f9a6256d2771

      SHA1

      7172c96d3b7c054fa2c68bc1e3ded1abae3f8b29

      SHA256

      84a91bd6585a33351e9ca29127b96b86efb2b8acf155c8182773538079459599

      SHA512

      a051d60e718b27e877e63c8b24eab16b88b8e5426794280032c8ad8cc5fe900dce61fe23dc8438b231c3b79390e590d88d760bcf1794144c7917a2eb66528720

    • C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log

      Filesize

      831B

      MD5

      d4f8bec6900e478c87de899e0bed5a3b

      SHA1

      842a5fea6f32d0476815136f8fce6fc26906a123

      SHA256

      be2b88b9926db4dd8f07ce9e95b7f3e621d14270c1b54c86c92e8182c25d97f0

      SHA512

      a6f5a63d4f1d91ac0b25e707312ebbf760f8bad95f53dfcc65b4814e030dd0721db39eda168dd9cf3d8b77d01697fef9d51007ac76631d14483a46b6c5c03b0b

    • C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log

      Filesize

      936B

      MD5

      08b74274c778305c41a07e95df7e6981

      SHA1

      bf43035346e80e880069e225f9bf96b7f94a945c

      SHA256

      5a80b97d35603fbee4b24d32c16f13f272496f274aeeb7f4bb9aa4639fd9b13d

      SHA512

      30f28cff50c341c1d010f5d566cfcd5725fdb947211d0c018ee7b75d4c541aafe3064a9314c4b871be95c96e7466ba93daa2d942d2330f9027117a4e7d56503d

    • C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.xml

      Filesize

      448B

      MD5

      266bfe492318ff1337c913cc4635f563

      SHA1

      32f7a6db72b608302368b546afaf9e2307fd1dde

      SHA256

      23eda6decdfaeed555d8ad9f83795a90cbedef8a3b75960d6794bb231e86fc47

      SHA512

      872cd6a69305aae9ac776a031a4c1b2d5ce08915477225752154e45d32dcbaafa29048d9033577caedd3eb2d862373b08d61d211e55e8673265d87ca01afd341

    • C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe

      Filesize

      2.4MB

      MD5

      f85f44f7f01ac7dfe2d379dad4386920

      SHA1

      2d1fefb3ac611e97845659085aaccf10b74815a1

      SHA256

      e2dde008486ee007b634bb8012ae1fc11f79ee4a2ce6e4d5337074cfb2582e73

      SHA512

      56d060093e92a6663b4c17a39c209009439d09b119856890ed9200cac51a3d2c7f726b681964cce83e0daf77a177db62fa5cf5ddb639fbe25c4be5c6fa5cc7a1

    • C:\Program Files\chrome_installer.log

      Filesize

      21KB

      MD5

      68687ccd5fe01347c7f1df317716f545

      SHA1

      34d0ce2a01084adeebcc17e4e30bae73d062f7e3

      SHA256

      e62229e156e3d45cc473d41afcf7db426a390628434215318d9fb3e1666c8d15

      SHA512

      75398ff44389150aff9793757397c131360cf253d9a7c7f8798308987c45adb41df5b5c5ab2bbfad6dbc78a4fff4c0d4987cc540425c447bd9c18a6d27d3d205

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

      Filesize

      2KB

      MD5

      0f3f51cb53c066757daed473aeb9e1ff

      SHA1

      5e17c09b606054d57f8824cd516bd6cab059d8b3

      SHA256

      4e5e362e1cb0472a22edbecae699f376d00468bf7b281007dfee03cdf2497147

      SHA512

      70c8d34c8fa4c43078047c18317180c2b75d3e7cde082b3eca30a10d6e6199d417530039e152874d567e119c82e85771441db7ad7f220c601cc010b0433e2eca

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

      Filesize

      649B

      MD5

      463bd9f6d2d1d4cc02220d2131346fbf

      SHA1

      8d17876e030915d9d3be8d28c8c5c5ca132ec2be

      SHA256

      2b0ac4ca188b8669327f0c829c7c26d0cbf80ef4dd1d9f5573d37993848322de

      SHA512

      565c85e6cb07434d0283da28b53ad0477df344724199952b252d91872a12a5ef306df19d1644f854558580e7e9e8139a7ac92c1d8ea98ab2c2a407c885a9ab4e

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

      Filesize

      192KB

      MD5

      505a174e740b3c0e7065c45a78b5cf42

      SHA1

      38911944f14a8b5717245c8e6bd1d48e58c7df12

      SHA256

      024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

      SHA512

      7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

      Filesize

      2KB

      MD5

      2cbe0649080d207132d549f8cf12afc1

      SHA1

      c7ee4fd33dcf90bfa4661b199bceeced99ee1d56

      SHA256

      7e96b5750f9b52a724e7c88e3dd68bd03eef0b2b5738ced8ac2bcc8e9da7994c

      SHA512

      db63a65e0612b8814acf3ae1705b5bb79a1c143e8ea7ad1352697789ce85ca4398c404d44b9623f4a5731ce7a72945b762f5385e55781cbcef81dc233777d8fc

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

      Filesize

      2B

      MD5

      d751713988987e9331980363e24189ce

      SHA1

      97d170e1550eee4afc0af065b78cda302a97674c

      SHA256

      4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

      SHA512

      b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

      Filesize

      356B

      MD5

      7f41257e2e3caf81c9616fd18c1f2e4b

      SHA1

      e6bd27662d821d810cc8136ae430cf07fade72b1

      SHA256

      186101185d9481b69a81da5f378a3be61bcc45c5fe247ceeee22873af460a471

      SHA512

      c545daad879a4793207808daf40e32411c090fc2dd47db3476edeba07559d4c91298b7e7e2b8f0157becae0f3189775334adca12c5497902609a92600848b05a

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

      Filesize

      10KB

      MD5

      ef465d4225ad3545b658d950de6c9253

      SHA1

      86f04edd2a7633d07c56ad251de8d28800e8d445

      SHA256

      4954e259a50079bb2afc946d597db8205823f7c10ace4c52fa07bdff0389addb

      SHA512

      72fe247e58882873df405bb310897f654d957df4eef2651abac7b2eedf5dc051e9152f183e5a844ffd5c2ea94ade8cbb3f58c507f7336e657dc6be4ffacec2ce

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

      Filesize

      15KB

      MD5

      29f01f9d757ae8761c9582f00e985edc

      SHA1

      af4d1c5dbd22ceeaeaae3451b1aa269b04f559c9

      SHA256

      7228af67e44f47d8f37e78f9bc24d2ad40e6ed838d1f1638c81e4549a1937bc2

      SHA512

      90d8442dc032641018208e758e2da393ded606017c13ecced438753335eea4ebd4dff7a04f4b0e80b26375836c843ffb0ef1cae9eceee9172c20db51ffa7c085

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

      Filesize

      38B

      MD5

      3433ccf3e03fc35b634cd0627833b0ad

      SHA1

      789a43382e88905d6eb739ada3a8ba8c479ede02

      SHA256

      f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

      SHA512

      21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

      Filesize

      184KB

      MD5

      846b0dc0c7e09d226b17cd19f228f3e8

      SHA1

      1949b88673e96ba595d0234b07a3ca2ff3e73b3c

      SHA256

      0e9e28c13fbbf98dbc99f93ae8bfca0a698f9bb78e2b22602f5cd6b1d813b463

      SHA512

      a7d54288963fc4aa478b7e8c3ae60204e300f2fe776d29f253f9022b626297490f89ab48ffe75592fb3a854d05ce02d0c8f32597cdbac61b1b978303ca751c07

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

      Filesize

      100KB

      MD5

      518ac0ed0de2f4790b20c98738b7a7e0

      SHA1

      755bfa4d732afd6083eae125d39bc34f9cfb7643

      SHA256

      eb7c2b89ac9c0b5f90604afd9dc4cc6aa9c386a3a7c81b14a95211c91cc3c47c

      SHA512

      c3f632549b194d909a71dd564d2c87917274654ebb5c460c845052ab204ca85e2a3391c57c348781588c25d0e31b2a230f40ce0785570ecdf16aed7719b64d4b

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

      Filesize

      184KB

      MD5

      8676e56420c9c7b2e0b3472877d4a77d

      SHA1

      999d7be4b9517fa2ea927048137c40a221584763

      SHA256

      b147019ce259a86c466421357aa35b09adfcccdb0796b71f194f8f25c3043a60

      SHA512

      f9b52851c749e8ed7aa362ce540703c2dfb5042176aceea481e02dec8e5f39cc49934faeab0d0b83b2e60ff31467856c700c39eaa8c508c356b6e66d4c502eaf

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

      Filesize

      99KB

      MD5

      86c527753dbbacac7f031c90b61ef25d

      SHA1

      703aac9c582500c2528626893cf72c6713487555

      SHA256

      552bf54bcd3f0bb67a7209cf2dd0e75276a312bcde94035e7e1d18c0564a68cf

      SHA512

      8ea69fad54c12a654520b85dac8675899b99ee2c98a01061d257d93278db9b84cb313e40a59dd216cbf279f34bf88951412d19e9a3c2264232206f65816e37f5

    • C:\Windows\Installer\e57a9cd.msi

      Filesize

      28.7MB

      MD5

      bffddb889b7089cc6af3b9d9efb3c89d

      SHA1

      977fc679569271849068e704a53c57b09009f414

      SHA256

      94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43

      SHA512

      0c3d0db3b8d0c5a071cc3a140695d8ea1b1600c36add6a4c36e24effd9d4dc579ce6953386cc624406c8fb9d6ba436b7082a5e675799d3f860fd0df6a5946e93

    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lTRNmTKwQzfm.exe.log

      Filesize

      1KB

      MD5

      122cf3c4f3452a55a92edee78316e071

      SHA1

      f2caa36d483076c92d17224cf92e260516b3cbbf

      SHA256

      42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

      SHA512

      c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.7MB

      MD5

      e76a9145254b3599a71fdbe99926488d

      SHA1

      34599e720ec2b97e20e4f7589255d11976a7b861

      SHA256

      90bfb974cf159f606248a68f2f2dc1e4ce74c58f1a62876aabd6619ae1b35224

      SHA512

      ddb8ae060927db7d694b04933229cb31775237b45c1c6b5ff2b0ce9d282b3ef2b00ff047a2d95bae680f1a85ccaeb850aefc168584463ad019160542819ea8ae

    • \??\Volume{8484aac9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3f0b7583-7d64-41c6-b7ea-3a19d32d743b}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      401cbb54b89eb11bf9ec80805e2cbb60

      SHA1

      dbf2fce298316a80081eee35892c1ab2dec76e00

      SHA256

      bb341138efbc247630163fb1dc30b5bdcf0abc6e305d231bfed4fa59eecda2c2

      SHA512

      dc917f9b585d608261419c816e9385041ffcc95b7abed3db8b95695eee94ed86dd4111cf7ac1a21531e144165f4b32e822982d4958af6b07b06ca08799600b0d

    • memory/1356-155-0x000000002C080000-0x000000002C23B000-memory.dmp

      Filesize

      1.7MB

    • memory/1356-154-0x000000002C080000-0x000000002C23B000-memory.dmp

      Filesize

      1.7MB

    • memory/1356-152-0x000000002C080000-0x000000002C23B000-memory.dmp

      Filesize

      1.7MB

    • memory/1356-151-0x000000002A480000-0x000000002A4BE000-memory.dmp

      Filesize

      248KB

    • memory/1564-66-0x0000000000090000-0x0000000000166000-memory.dmp

      Filesize

      856KB