Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-10-2024 12:18
- Static task: static1
- Behavioral task: behavioral1
- Sample: 94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43.msi
- Resource: win7-20240903-en

General
- Target: 94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43.msi
- Size: 28.7MB
- MD5: bffddb889b7089cc6af3b9d9efb3c89d
- SHA1: 977fc679569271849068e704a53c57b09009f414
- SHA256: 94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43
- SHA512: 0c3d0db3b8d0c5a071cc3a140695d8ea1b1600c36add6a4c36e24effd9d4dc579ce6953386cc624406c8fb9d6ba436b7082a5e675799d3f860fd0df6a5946e93
- SSDEEP: 786432:tQ05JQsMXv0z+OEoBvTT1A7IXA5hPP4WhYw70FDDV:e0Tif06OXrT1AGw70FD5
Malware Config
Signatures
Resource | YARA rule
behavioral2/memory/1356-152-0x000000002C080000-0x000000002C23B000-memory.dmp | purplefox_rootkit
behavioral2/memory/1356-154-0x000000002C080000-0x000000002C23B000-memory.dmp | purplefox_rootkit
behavioral2/memory/1356-155-0x000000002C080000-0x000000002C23B000-memory.dmp | purplefox_rootkit

Gh0st RAT payload (3 IoCs)
Resource | YARA rule
behavioral2/memory/1356-152-0x000000002C080000-0x000000002C23B000-memory.dmp | family_gh0strat
behavioral2/memory/1356-154-0x000000002C080000-0x000000002C23B000-memory.dmp | family_gh0strat
behavioral2/memory/1356-155-0x000000002C080000-0x000000002C23B000-memory.dmp | family_gh0strat
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 7 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.90\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome" | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome" | setup.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Description | IoC | Process
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | ojZEoSUznz17.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\M: | ojZEoSUznz17.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\W: | ojZEoSUznz17.exe
File opened (read-only) | \??\Y: | ojZEoSUznz17.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\I: | ojZEoSUznz17.exe
File opened (read-only) | \??\Q: | ojZEoSUznz17.exe
File opened (read-only) | \??\P: | ojZEoSUznz17.exe
File opened (read-only) | \??\U: | ojZEoSUznz17.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | ojZEoSUznz17.exe
File opened (read-only) | \??\J: | ojZEoSUznz17.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\E: | ojZEoSUznz17.exe
File opened (read-only) | \??\O: | ojZEoSUznz17.exe
File opened (read-only) | \??\R: | ojZEoSUznz17.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\K: | ojZEoSUznz17.exe
File opened (read-only) | \??\T: | ojZEoSUznz17.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | ojZEoSUznz17.exe
File opened (read-only) | \??\N: | ojZEoSUznz17.exe
File opened (read-only) | \??\S: | ojZEoSUznz17.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | ojZEoSUznz17.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
Drops file in System32 directory (12 IoCs)
Description | IoC | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | updater.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk | setup.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lTRNmTKwQzfm.exe.log | lTRNmTKwQzfm.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_753AFDB6B788AB7F055EF332F4173015 | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_753AFDB6B788AB7F055EF332F4173015 | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | updater.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | chrome.exe
Drops file in Program Files directory (64 IoCs)
Description | IoC | Process
File created | C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe57bb03.TMP | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\bn.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\nl.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\pt-BR.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\vi.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Application\129.0.6668.90\Installer\setup.exe | setup.exe
File opened for modification | C:\Program Files\Crashpad\metadata | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\sv.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\chrome_elf.dll | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\dxcompiler.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\chrome.dll.sig | setup.exe
File created | C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe | msiexec.exe
File created | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | updater.exe
File created | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\_metadata\verified_contents.json | updater.exe
File created | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe | 129.0.6668.90_chrome_installer.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\chrome.7z | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\icudtl.dat | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\hu.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\nb.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\libGLESv2.dll | setup.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | setup.exe
File created | C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe | msiexec.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat | updater.exe
File created | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\manifest.fingerprint | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\sk.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\sr.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll | setup.exe
File created | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\prefs.json | updater.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\a60056b5-9aa8-4581-b4b2-c7ba856b8b7a.tmp | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\it.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\mr.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\VisualElements\SmallLogoCanary.png | setup.exe
File created | C:\Program Files\Google\Chrome\Application\129.0.6668.90\Installer\chrmstp.exe | setup.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\uninstall.cmd | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\VisualElements\LogoBeta.png | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\chrome_wer.dll | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\chrome.exe.sig | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata | updater.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata | updater.exe
File opened for modification | C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log | lTRNmTKwQzfm.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\en-US.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\ur.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\ko.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\chrome.exe | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\notification_helper.exe | setup.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\3a9b5947-2414-4f47-99c3-aeb1f954d8f3.tmp | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat | updater.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\eae2b38d-7fd8-40f7-b10d-0432347aedf2.tmp | updater.exe
File opened for modification | C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.wrapper.log | lTRNmTKwQzfm.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\bg.pak | setup.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\Locales\fa.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\PrivacySandboxAttestationsPreloaded\privacy-sandbox-attestations.dat | setup.exe
File opened for modification | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe | 129.0.6668.90_chrome_installer.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\cd0720cb-c361-43f2-bd52-c700bb8a3788.tmp | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source3212_1142009019\Chrome-bin\129.0.6668.90\chrome_200_percent.pak | setup.exe
Drops file in Windows directory (8 IoCs)
Description | IoC | Process
File created | C:\Windows\Installer\SourceHash{D2129BB0-0088-4785-95E7-8B3E656E5BD9} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAAF5.tmp | msiexec.exe
File created | C:\Windows\Installer\e57a9cf.msi | msiexec.exe
File created | C:\Windows\Installer\e57a9cd.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57a9cd.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
Executes dropped EXE (34 IoCs)
PID | Process
4780 | OoRjJglzLJCL.exe
2580 | ojZEoSUznz17.exe
1916 | ChromeSetup(1).exe
996 | updater.exe
424 | updater.exe
1564 | lTRNmTKwQzfm.exe
3124 | updater.exe
4080 | updater.exe
5004 | updater.exe
2516 | updater.exe
3564 | lTRNmTKwQzfm.exe
2324 | lTRNmTKwQzfm.exe
2448 | ojZEoSUznz17.exe
1356 | ojZEoSUznz17.exe
3452 | 129.0.6668.90_chrome_installer.exe
3212 | setup.exe
436 | setup.exe
4184 | setup.exe
3284 | setup.exe
4516 | chrome.exe
4280 | chrome.exe
2968 | chrome.exe
4976 | chrome.exe
1104 | chrome.exe
4172 | chrome.exe
1720 | chrome.exe
2128 | elevation_service.exe
4296 | chrome.exe
4564 | chrome.exe
5380 | chrome.exe
5408 | chrome.exe
5728 | chrome.exe
6060 | updater.exe
6076 | updater.exe
Loads dropped DLL (29 IoCs)
PID | Process
4516 | chrome.exe
4280 | chrome.exe
4516 | chrome.exe
2968 | chrome.exe
2968 | chrome.exe
2968 | chrome.exe
2968 | chrome.exe
2968 | chrome.exe
4976 | chrome.exe
1104 | chrome.exe
4976 | chrome.exe
1104 | chrome.exe
1720 | chrome.exe
2968 | chrome.exe
2968 | chrome.exe
2968 | chrome.exe
4172 | chrome.exe
4172 | chrome.exe
1720 | chrome.exe
4296 | chrome.exe
4296 | chrome.exe
4564 | chrome.exe
4564 | chrome.exe
5380 | chrome.exe
5380 | chrome.exe
5408 | chrome.exe
5408 | chrome.exe
5728 | chrome.exe
5728 | chrome.exe

Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
PID | Process
2084 | msiexec.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

System Location Discovery: System Language Discovery (1 TTPs, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OoRjJglzLJCL.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ojZEoSUznz17.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ojZEoSUznz17.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ChromeSetup(1).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ojZEoSUznz17.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PID | Process
3452 | 129.0.6668.90_chrome_installer.exe
3212 | setup.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not present in this copy of the report) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ojZEoSUznz17.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ojZEoSUznz17.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Description | IoC | Process
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | updater.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | updater.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | setup.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0" | setup.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\media.cdm.origin_data = "C7F3B5E2E02CC227510233FB824C9066F2503E28032952A3AC1C06ECDF386C50" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\google.services.last_username = "3866C84E4480ABD0A32C7222C7F858F7266FC21E14AA030A0CDFB22A6D24601F" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome | setup.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\module_blocklist_cache_md5_digest = "A5E0D5D8B74776DDA7E71C5ABF1BDCA36024266A46547B6D74343E228F8D7455" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | updater.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | updater.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\nkeimhogjdpnpccoofpliimaahmaaome = "684EA617C6D91423F81A2A4B8C3ADF6A7186E447DBFA0ECE7BEC0C34F86050E6" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon\version = "129.0.6668.90" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | updater.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" | setup.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google | setup.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\neajdppkdcdipfabeoofebfddakdcjhd = "498D7DB6982AB9FD5427D35055E35740ABD468376853C50EDDA74CB637C56225" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Update | chrome.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\StabilityMetrics\user_experience_metrics.stability.exited_cleanly = "0" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\media.storage_id_salt = "C79FDD37487DC860FF930AE09905921114F18A650E3836D576E53642A52CD9B3" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\safebrowsing.incidents_sent = "8EE3092C259C869EC142C25EC3F41A294F3AB2F956DBADFE8E5AD8E375996234" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\session.restore_on_startup = "3570A54F23C4442B7742886E6DBEA116E0EFB11C4068FC86278514003CAC801B" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\browser.show_home_button = "C7F74424D00A6B0A7A385A1873B59DAAE1DA72784FE8C106C3DF28C079446CC5" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\StabilityMetrics | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion | chrome.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\UsageStatsInSample = "0" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\session.startup_urls = "6A1C8EB8AACB913D743CA6CBAA4051ACE709A6521B1A02D606088A1A3E35F39A" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | chrome.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\pinned_tabs = "B1293DEB0C0F0723E263D135517D8130625D9722B47F7018D7D853B6549DDCD9" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi = "0E94193FA3B0E78C4E5F18681458073D8A3FB58CCF20E13941AAFDDCA68FAF02" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\Extensions | chrome.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\enterprise_signin.policy_recovery_token = "78913177EF16CBB69CE4F8B8C88DEF767822013787DD59174D9CD81A2DFCCB3F" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\nmmhkkegccagdldgiimedpiccmgmieda = "F1FDBE5D78209AE3E10910E4AB119F14B1484E3D119D3A6E741710F7E97EEE56" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | updater.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | updater.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\default_search_provider_data.template_url_data = "33CE611C94DE7C5B269B4C73084A6E6F5615B9147263D0B3E10652A1836C8BE2" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT | chrome.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon\failed_count = "0" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Google | chrome.exe
Modifies registry class (64 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\TypeLib\ = "{1588C1A8-27D9-563E-9641-8D20767FB258}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{8A4B5D74-8832-5170-AB03-2415833EC703} | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\TypeLib\Version = "1.0" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\TypeLib\Version = "1.0" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\ = "GoogleUpdater TypeLib for IAppCommandWeb" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\TypeLib\Version = "1.0" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ProxyStubClsid32 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\ProxyStubClsid32 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ = "IAppVersionWeb" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\ = "{463ABECF-410D-407F-8AF5-0DF35A005CC8}" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716} | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win32 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\0\win32 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0\0 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{8A4B5D74-8832-5170-AB03-2415833EC703} | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB} | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib\Version = "1.0" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9} | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\ProxyStubClsid32 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57} | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win32 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\4" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0\win64 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}\AppID = "{708860E0-F641-4611-8895-7D867DD3675B}" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B969D4-48B7-5A30-9CD6-CAC179D81F9C}\AppID = "{44B969D4-48B7-5A30-9CD6-CAC179D81F9C}" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCA9FC90-B200-5641-99C0-7907756A93CF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\TypeLib | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\0\win64 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\TypeLib\ = "{1588C1A8-27D9-563E-9641-8D20767FB258}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9} | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatus2System" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\TypeLib\ = "{699F07AD-304C-5F71-A2DA-ABD765965B54}" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\Version = "1.0" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ServiceParameters = "--com-service" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\ProxyStubClsid32 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77} | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib\Version = "1.0" |
updater.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\Version = "50659333" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\1.0 updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" updater.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4} updater.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0\0\win32 updater.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32 updater.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4B5D74-8832-5170-AB03-2415833EC703}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\5" updater.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB} updater.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4956 msiexec.exe 4956 msiexec.exe 996 updater.exe 996 updater.exe 996 updater.exe 996 updater.exe 996 updater.exe 996 updater.exe 2580 ojZEoSUznz17.exe 2580 ojZEoSUznz17.exe 3124 updater.exe 3124 updater.exe 3124 updater.exe 3124 updater.exe 3124 updater.exe 3124 updater.exe 5004 updater.exe 5004 updater.exe 5004 updater.exe 5004 updater.exe 5004 updater.exe 5004 updater.exe 5004 updater.exe 5004 updater.exe 2324 lTRNmTKwQzfm.exe 2324 lTRNmTKwQzfm.exe 2448 ojZEoSUznz17.exe 2448 ojZEoSUznz17.exe 2448 ojZEoSUznz17.exe 2448 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe 1356 ojZEoSUznz17.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2084 msiexec.exe Token: SeIncreaseQuotaPrivilege 2084 msiexec.exe Token: SeSecurityPrivilege 4956 msiexec.exe Token: SeCreateTokenPrivilege 2084 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2084 msiexec.exe Token: SeLockMemoryPrivilege 2084 msiexec.exe Token: SeIncreaseQuotaPrivilege 2084 msiexec.exe Token: SeMachineAccountPrivilege 2084 msiexec.exe Token: SeTcbPrivilege 2084 msiexec.exe Token: SeSecurityPrivilege 2084 msiexec.exe Token: SeTakeOwnershipPrivilege 2084 msiexec.exe Token: SeLoadDriverPrivilege 2084 msiexec.exe Token: SeSystemProfilePrivilege 2084 msiexec.exe Token: SeSystemtimePrivilege 2084 msiexec.exe Token: SeProfSingleProcessPrivilege 2084 msiexec.exe Token: SeIncBasePriorityPrivilege 2084 msiexec.exe Token: SeCreatePagefilePrivilege 2084 msiexec.exe Token: SeCreatePermanentPrivilege 2084 msiexec.exe Token: SeBackupPrivilege 2084 msiexec.exe Token: SeRestorePrivilege 2084 msiexec.exe Token: SeShutdownPrivilege 2084 msiexec.exe Token: SeDebugPrivilege 2084 msiexec.exe Token: SeAuditPrivilege 2084 msiexec.exe Token: SeSystemEnvironmentPrivilege 2084 msiexec.exe Token: SeChangeNotifyPrivilege 2084 msiexec.exe Token: SeRemoteShutdownPrivilege 2084 msiexec.exe Token: SeUndockPrivilege 2084 msiexec.exe Token: SeSyncAgentPrivilege 2084 msiexec.exe Token: SeEnableDelegationPrivilege 2084 msiexec.exe Token: SeManageVolumePrivilege 2084 msiexec.exe Token: SeImpersonatePrivilege 2084 msiexec.exe Token: SeCreateGlobalPrivilege 2084 msiexec.exe Token: SeBackupPrivilege 2196 vssvc.exe Token: SeRestorePrivilege 2196 vssvc.exe Token: SeAuditPrivilege 2196 vssvc.exe Token: SeBackupPrivilege 4956 msiexec.exe Token: SeRestorePrivilege 4956 msiexec.exe Token: SeRestorePrivilege 4956 msiexec.exe Token: SeTakeOwnershipPrivilege 4956 msiexec.exe Token: SeRestorePrivilege 4956 msiexec.exe Token: SeTakeOwnershipPrivilege 4956 msiexec.exe Token: SeBackupPrivilege 2004 srtasks.exe Token: SeRestorePrivilege 2004 
srtasks.exe Token: SeSecurityPrivilege 2004 srtasks.exe Token: SeTakeOwnershipPrivilege 2004 srtasks.exe Token: SeRestorePrivilege 4780 OoRjJglzLJCL.exe Token: 35 4780 OoRjJglzLJCL.exe Token: SeSecurityPrivilege 4780 OoRjJglzLJCL.exe Token: SeSecurityPrivilege 4780 OoRjJglzLJCL.exe Token: SeBackupPrivilege 2004 srtasks.exe Token: SeRestorePrivilege 2004 srtasks.exe Token: SeSecurityPrivilege 2004 srtasks.exe Token: SeTakeOwnershipPrivilege 2004 srtasks.exe Token: SeRestorePrivilege 4956 msiexec.exe Token: SeTakeOwnershipPrivilege 4956 msiexec.exe Token: SeRestorePrivilege 4956 msiexec.exe Token: SeTakeOwnershipPrivilege 4956 msiexec.exe Token: SeRestorePrivilege 4956 msiexec.exe Token: SeTakeOwnershipPrivilege 4956 msiexec.exe Token: SeRestorePrivilege 4956 msiexec.exe Token: SeTakeOwnershipPrivilege 4956 msiexec.exe Token: SeRestorePrivilege 4956 msiexec.exe Token: SeTakeOwnershipPrivilege 4956 msiexec.exe Token: SeRestorePrivilege 4956 msiexec.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 2084 msiexec.exe 2084 msiexec.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe 4516 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4956 wrote to memory of 2004 4956 msiexec.exe 87 PID 4956 wrote to memory of 2004 4956 msiexec.exe 87 PID 4956 wrote to memory of 2072 4956 msiexec.exe 89 PID 4956 wrote to memory of 2072 4956 msiexec.exe 89 PID 2072 wrote to memory of 4780 2072 MsiExec.exe 90 PID 2072 wrote to memory of 4780 2072 MsiExec.exe 90 PID 2072 wrote to memory of 4780 2072 MsiExec.exe 90 PID 2072 wrote to memory of 2580 2072 MsiExec.exe 92 PID 2072 wrote to memory of 2580 2072 MsiExec.exe 92 PID 2072 wrote to memory of 2580 2072 MsiExec.exe 92 PID 2072 wrote to memory of 1916 2072 MsiExec.exe 94 PID 2072 wrote to memory of 1916 2072 MsiExec.exe 94 PID 2072 wrote to memory of 1916 2072 MsiExec.exe 94 PID 1916 wrote to memory of 996 1916 ChromeSetup(1).exe 95 PID 1916 wrote to memory of 996 1916 ChromeSetup(1).exe 95 PID 1916 wrote to memory of 996 1916 ChromeSetup(1).exe 95 PID 996 wrote to memory of 424 996 updater.exe 96 PID 996 wrote to memory of 424 996 updater.exe 96 PID 996 wrote to memory of 424 996 updater.exe 96 PID 3124 wrote to memory of 4080 3124 updater.exe 100 PID 3124 wrote to memory of 4080 3124 updater.exe 100 PID 3124 wrote to memory of 4080 3124 updater.exe 100 PID 5004 wrote to memory of 2516 5004 updater.exe 104 PID 5004 wrote to memory of 2516 5004 updater.exe 104 PID 5004 wrote to memory of 2516 5004 updater.exe 104 PID 2324 wrote to memory of 2448 2324 lTRNmTKwQzfm.exe 113 PID 2324 wrote to memory of 2448 2324 lTRNmTKwQzfm.exe 113 PID 2324 wrote to memory of 2448 2324 lTRNmTKwQzfm.exe 113 PID 2448 wrote to memory of 1356 2448 ojZEoSUznz17.exe 115 PID 2448 wrote to memory of 1356 2448 ojZEoSUznz17.exe 115 PID 2448 wrote to memory of 1356 2448 ojZEoSUznz17.exe 115 PID 5004 wrote to memory of 3452 5004 updater.exe 117 PID 5004 wrote to memory of 3452 5004 updater.exe 117 PID 3452 wrote to memory of 3212 3452 129.0.6668.90_chrome_installer.exe 119 PID 3452 wrote to memory of 3212 3452 129.0.6668.90_chrome_installer.exe 119 PID 
3212 wrote to memory of 436 3212 setup.exe 120 PID 3212 wrote to memory of 436 3212 setup.exe 120 PID 3212 wrote to memory of 4184 3212 setup.exe 122 PID 3212 wrote to memory of 4184 3212 setup.exe 122 PID 4184 wrote to memory of 3284 4184 setup.exe 123 PID 4184 wrote to memory of 3284 4184 setup.exe 123 PID 996 wrote to memory of 4516 996 updater.exe 125 PID 996 wrote to memory of 4516 996 updater.exe 125 PID 4516 wrote to memory of 4280 4516 chrome.exe 126 PID 4516 wrote to memory of 4280 4516 chrome.exe 126 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 PID 4516 wrote to memory of 2968 4516 chrome.exe 127 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43.msi
  PID: 2084
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4956
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 2004
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding B778AD0B35FEA799C6B7C3C9F71B8F05 E Global\MSI0000
    PID: 2072
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory

    C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe
      Command line: "C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe" x "C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc" -o"C:\Program Files\ImproveDefenderResilient\" -pBWkOspNCEXRAXyVSBPgs -y
      PID: 4780
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
      Command line: "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 264 -file file3 -mode mode3 -flag flag3
      PID: 2580
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe
      Command line: "C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe"
      PID: 1916
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Google1916_871808175\bin\updater.exe
        Command line: "C:\Program Files (x86)\Google1916_871808175\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={FD39FE3E-F972-AC55-37EA-CE3FED473068}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
        PID: 996
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Google1916_871808175\bin\updater.exe
          Command line: "C:\Program Files (x86)\Google1916_871808175\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x254,0x27c,0x280,0x258,0x284,0xb1c694,0xb1c6a0,0xb1c6ac
          PID: 424
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
          PID: 4516
          - Checks system information in the registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates system info in registry
          - Modifies data under HKEY_USERS
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcea787bf8,0x7ffcea787c04,0x7ffcea787c10
            PID: 4280
            - Executes dropped EXE
            - Loads dropped DLL

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1892,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=1888 /prefetch:2
            PID: 2968
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2188,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:3
            PID: 4976
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2348,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:8
            PID: 1104
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=3240 /prefetch:1
            PID: 4172
            - Executes dropped EXE
            - Loads dropped DLL

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=3264 /prefetch:1
            PID: 1720
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4352,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:1
            PID: 4296
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=4592 /prefetch:1
            PID: 4564
            - Executes dropped EXE
            - Loads dropped DLL

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4800,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:8
            PID: 5380
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5004,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:8
            PID: 5408
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS

          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5096,i,13922957281421686553,8981163169042064241,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:8
            PID: 5728
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2196
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  Command line: "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update-internal
  PID: 3124
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
    Command line: "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x116c694,0x116c6a0,0x116c6ac
    PID: 4080
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe
  Command line: "C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe" install
  PID: 1564
  - Drops file in System32 directory
  - Executes dropped EXE

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  Command line: "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
  PID: 5004
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
    Command line: "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x116c694,0x116c6a0,0x116c6ac
    PID: 2516
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\129.0.6668.90_chrome_installer.exe
    Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\129.0.6668.90_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\7eba23e2-6f8f-4881-ac94-501c8229a592.tmp"
    PID: 3452
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe
      Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\7eba23e2-6f8f-4881-ac94-501c8229a592.tmp"
      PID: 3212
      - Boot or Logon Autostart Execution: Active Setup
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Network Configuration Discovery: Internet Connection Discovery
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe
        Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0x274,0x278,0x27c,0x270,0x280,0x7ff738589628,0x7ff738589634,0x7ff738589640
        PID: 436
        - Executes dropped EXE

      C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe
        Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        PID: 4184
        - Drops file in System32 directory
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe
          Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping5004_1772445764\CR_58395.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.90 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff738589628,0x7ff738589634,0x7ff738589640
          PID: 3284
          - Drops file in Program Files directory
          - Executes dropped EXE

C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe
  Command line: "C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe" start
  PID: 3564
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe
  Command line: "C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe"
  PID: 2324
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
    Command line: "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 162 -file file3 -mode mode3 -flag flag3
    PID: 2448
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
      Command line: "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 362 -file file3 -mode mode3 -flag flag3
      PID: 1356
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\129.0.6668.90\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\129.0.6668.90\elevation_service.exe"
  PID: 2128
  - Executes dropped EXE

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 5812

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  Command line: "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
  PID: 6060
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery

  C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
    Command line: "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x116c694,0x116c6a0,0x116c6ac
    PID: 6076
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Installer Packages (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads