Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-10-2024 07:27
Static task: static1
Behavioral task: behavioral1
Sample: Chrmroe-intraller.msi
Resource: win7-20240903-en

General
Target: Chrmroe-intraller.msi
Size: 43.5MB
MD5: 113a2eab7ccf51501146194bbaadb175
SHA1: de00c7a8ff5b49adec8bc44eba7f6332446f0e8f
SHA256: 4cab134dbaf1059613f44da615292af5713a0aa3a0185abda0cf1ebf8a7dc9a4
SHA512: ce681034d9c3cad7367fa2a541401036651ce79385524b10f8ea0287c6c6e1bd307c82d339056d6f2e2fd48cbdd05e80650c1b5acb62b55772b4157d3ef9c13e
SSDEEP: 786432:KPmAYqjq7J2mESTU1A2SBaUCAkEPstiz7Ngv9iJ67P3+OBrIU7:d4m5U1A2SMUxstiz7NGYJ673z9
Malware Config
Signatures

resource | yara_rule
behavioral2/memory/2900-143-0x000000002BB50000-0x000000002BD0C000-memory.dmp | purplefox_rootkit
behavioral2/memory/2900-146-0x000000002BB50000-0x000000002BD0C000-memory.dmp | purplefox_rootkit
behavioral2/memory/2900-147-0x000000002BB50000-0x000000002BD0C000-memory.dmp | purplefox_rootkit
behavioral2/memory/2900-156-0x000000002BB50000-0x000000002BD0C000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 4 IoCs
resource | yara_rule
behavioral2/memory/2900-143-0x000000002BB50000-0x000000002BD0C000-memory.dmp | family_gh0strat
behavioral2/memory/2900-146-0x000000002BB50000-0x000000002BD0C000-memory.dmp | family_gh0strat
behavioral2/memory/2900-147-0x000000002BB50000-0x000000002BD0C000-memory.dmp | family_gh0strat
behavioral2/memory/2900-156-0x000000002BB50000-0x000000002BD0C000-memory.dmp | family_gh0strat
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2612 | powershell.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.101\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome" | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1" | setup.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD | updater.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk | setup.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\vKtMPwVbdMUU.exe.log | vKtMPwVbdMUU.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | updater.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | updater.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | chrome.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e57c1bc.msi | msiexec.exe
File created | C:\Windows\Installer\e57c1ba.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57c1ba.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{E4586484-5C27-4883-9D5F-77C1C7E5F0BA} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC331.tmp | msiexec.exe
Executes dropped EXE 34 IoCs
pid | Process
4012 | JkRyrlfVyEOH.exe
4808 | qMdeNKsXYpNq.exe
1476 | ChromeSetup.exe
3844 | updater.exe
5048 | updater.exe
1948 | vKtMPwVbdMUU.exe
4972 | updater.exe
3056 | updater.exe
2264 | updater.exe
3428 | updater.exe
4476 | vKtMPwVbdMUU.exe
2504 | vKtMPwVbdMUU.exe
1732 | qMdeNKsXYpNq.exe
2900 | qMdeNKsXYpNq.exe
5056 | 129.0.6668.101_chrome_installer.exe
2800 | setup.exe
2096 | setup.exe
2560 | setup.exe
4968 | setup.exe
456 | chrome.exe
4848 | chrome.exe
688 | chrome.exe
3148 | chrome.exe
1416 | chrome.exe
244 | elevation_service.exe
4920 | chrome.exe
2116 | chrome.exe
4388 | chrome.exe
5224 | chrome.exe
5240 | chrome.exe
3088 | chrome.exe
5508 | chrome.exe
5884 | updater.exe
5900 | updater.exe
Loads dropped DLL 29 IoCs
pid | Process
456 | chrome.exe
4848 | chrome.exe
456 | chrome.exe
688 | chrome.exe
688 | chrome.exe
1416 | chrome.exe
1416 | chrome.exe
3148 | chrome.exe
3148 | chrome.exe
688 | chrome.exe
688 | chrome.exe
688 | chrome.exe
688 | chrome.exe
688 | chrome.exe
688 | chrome.exe
4920 | chrome.exe
2116 | chrome.exe
4920 | chrome.exe
2116 | chrome.exe
4388 | chrome.exe
4388 | chrome.exe
5224 | chrome.exe
5240 | chrome.exe
5224 | chrome.exe
5240 | chrome.exe
3088 | chrome.exe
3088 | chrome.exe
5508 | chrome.exe
5508 | chrome.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
3696 | msiexec.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JkRyrlfVyEOH.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qMdeNKsXYpNq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ChromeSetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qMdeNKsXYpNq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qMdeNKsXYpNq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
5056 | 129.0.6668.101_chrome_installer.exe
2800 | setup.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | qMdeNKsXYpNq.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | qMdeNKsXYpNq.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{7405F538-1185-5D46-BDE0-8FD5C0DBFF39} updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\TypeLib\ = "{699F07AD-304C-5F71-A2DA-ABD765965B54}" updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F966A529-43C6-4710-8FF4-0B456324C8F4}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatus4System" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher" updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\GoogleUpdate.Update3WebMachine updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\4" updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B} updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0 updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0 updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\Version = "1.0" setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ServiceParameters = "--com-service" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1588C1A8-27D9-563E-9641-8D20767FB258}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\4" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\TypeLib\ = "{5F793925-C903-4E92-9AE3-77CA5EAB1716}" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\Version = "1.0" updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32 updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0 updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\ = "{F4334319-8210-469B-8262-DD03623FEB5B}" updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964} updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\6" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\TypeLib\ = "{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC1132BC-C84F-5D90-9BB6-3D44C6394B28}\TypeLib\Version = "1.0" updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{534F5323-3569-4F42-919D-1E1CF93E5BF6} updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8} setup.exe
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8018F647-BF07-55BB-82BE-A2D7049F7CE4}\ServiceParameters = "--com-service" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E} updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatus" updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD} setup.exe
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\4" updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4} updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\6" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib\ = "{34527502-D3DB-4205-A69B-789B27EE0414}" updater.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4846854E72C53884D9F5771C7C5E0FAB\DeploymentFlags = "3" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4} updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\TypeLib\Version = "1.0" updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib setup.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258} updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0\ = "GoogleUpdater TypeLib for IUpdaterAppStatesCallbackSystem" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\6" updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF} updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\1.0 updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win64 updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\TypeLib updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB} updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF} updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5BB0C40-8078-5D97-80DD-2C8F4510263D}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\5" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\ = "GoogleUpdater TypeLib for IUpdaterAppStateSystem" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ = "IAppCommandWebSystem" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\ = "IPolicyStatus3System" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\129.0.6668.101\\notification_helper.exe\"" setup.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82} updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\TypeLib\ = "{5F793925-C903-4E92-9AE3-77CA5EAB1716}" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\Version = "1.0" updater.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib\ = "{27634814-8E41-4C35-8577-980134A96544}" updater.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32 updater.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3316 msiexec.exe
3316 msiexec.exe
2612 powershell.exe
2612 powershell.exe
2612 powershell.exe
4808 qMdeNKsXYpNq.exe
4808 qMdeNKsXYpNq.exe
3844 updater.exe
3844 updater.exe
3844 updater.exe
3844 updater.exe
3844 updater.exe
3844 updater.exe
4972 updater.exe
4972 updater.exe
4972 updater.exe
4972 updater.exe
4972 updater.exe
4972 updater.exe
2264 updater.exe
2264 updater.exe
2264 updater.exe
2264 updater.exe
2264 updater.exe
2264 updater.exe
2504 vKtMPwVbdMUU.exe
2504 vKtMPwVbdMUU.exe
1732 qMdeNKsXYpNq.exe
1732 qMdeNKsXYpNq.exe
1732 qMdeNKsXYpNq.exe
1732 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
2900 qMdeNKsXYpNq.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 3696 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3696 msiexec.exe
Token: SeSecurityPrivilege 3316 msiexec.exe
Token: SeCreateTokenPrivilege 3696 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3696 msiexec.exe
Token: SeLockMemoryPrivilege 3696 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3696 msiexec.exe
Token: SeMachineAccountPrivilege 3696 msiexec.exe
Token: SeTcbPrivilege 3696 msiexec.exe
Token: SeSecurityPrivilege 3696 msiexec.exe
Token: SeTakeOwnershipPrivilege 3696 msiexec.exe
Token: SeLoadDriverPrivilege 3696 msiexec.exe
Token: SeSystemProfilePrivilege 3696 msiexec.exe
Token: SeSystemtimePrivilege 3696 msiexec.exe
Token: SeProfSingleProcessPrivilege 3696 msiexec.exe
Token: SeIncBasePriorityPrivilege 3696 msiexec.exe
Token: SeCreatePagefilePrivilege 3696 msiexec.exe
Token: SeCreatePermanentPrivilege 3696 msiexec.exe
Token: SeBackupPrivilege 3696 msiexec.exe
Token: SeRestorePrivilege 3696 msiexec.exe
Token: SeShutdownPrivilege 3696 msiexec.exe
Token: SeDebugPrivilege 3696 msiexec.exe
Token: SeAuditPrivilege 3696 msiexec.exe
Token: SeSystemEnvironmentPrivilege 3696 msiexec.exe
Token: SeChangeNotifyPrivilege 3696 msiexec.exe
Token: SeRemoteShutdownPrivilege 3696 msiexec.exe
Token: SeUndockPrivilege 3696 msiexec.exe
Token: SeSyncAgentPrivilege 3696 msiexec.exe
Token: SeEnableDelegationPrivilege 3696 msiexec.exe
Token: SeManageVolumePrivilege 3696 msiexec.exe
Token: SeImpersonatePrivilege 3696 msiexec.exe
Token: SeCreateGlobalPrivilege 3696 msiexec.exe
Token: SeBackupPrivilege 1368 vssvc.exe
Token: SeRestorePrivilege 1368 vssvc.exe
Token: SeAuditPrivilege 1368 vssvc.exe
Token: SeBackupPrivilege 3316 msiexec.exe
Token: SeRestorePrivilege 3316 msiexec.exe
Token: SeRestorePrivilege 3316 msiexec.exe
Token: SeTakeOwnershipPrivilege 3316 msiexec.exe
Token: SeRestorePrivilege 3316 msiexec.exe
Token: SeTakeOwnershipPrivilege 3316 msiexec.exe
Token: SeDebugPrivilege 2612 powershell.exe
Token: SeBackupPrivilege 4016 srtasks.exe
Token: SeRestorePrivilege 4016 srtasks.exe
Token: SeSecurityPrivilege 4016 srtasks.exe
Token: SeTakeOwnershipPrivilege 4016 srtasks.exe
Token: SeBackupPrivilege 4016 srtasks.exe
Token: SeRestorePrivilege 4016 srtasks.exe
Token: SeSecurityPrivilege 4016 srtasks.exe
Token: SeTakeOwnershipPrivilege 4016 srtasks.exe
Token: SeRestorePrivilege 4012 JkRyrlfVyEOH.exe
Token: 35 4012 JkRyrlfVyEOH.exe
Token: SeSecurityPrivilege 4012 JkRyrlfVyEOH.exe
Token: SeSecurityPrivilege 4012 JkRyrlfVyEOH.exe
Token: SeRestorePrivilege 3316 msiexec.exe
Token: SeTakeOwnershipPrivilege 3316 msiexec.exe
Token: SeRestorePrivilege 3316 msiexec.exe
Token: SeTakeOwnershipPrivilege 3316 msiexec.exe
Token: SeRestorePrivilege 3316 msiexec.exe
Token: SeTakeOwnershipPrivilege 3316 msiexec.exe
Token: SeRestorePrivilege 3316 msiexec.exe
Token: SeTakeOwnershipPrivilege 3316 msiexec.exe
Token: SeRestorePrivilege 3316 msiexec.exe
Token: SeTakeOwnershipPrivilege 3316 msiexec.exe
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process
3696 msiexec.exe
3696 msiexec.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
Suspicious use of SendNotifyMessage 24 IoCs
pid Process
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
456 chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3316 wrote to memory of 4016 3316 msiexec.exe 103
PID 3316 wrote to memory of 4016 3316 msiexec.exe 103
PID 3316 wrote to memory of 3836 3316 msiexec.exe 105
PID 3316 wrote to memory of 3836 3316 msiexec.exe 105
PID 3836 wrote to memory of 2612 3836 MsiExec.exe 106
PID 3836 wrote to memory of 2612 3836 MsiExec.exe 106
PID 3836 wrote to memory of 4012 3836 MsiExec.exe 108
PID 3836 wrote to memory of 4012 3836 MsiExec.exe 108
PID 3836 wrote to memory of 4012 3836 MsiExec.exe 108
PID 3836 wrote to memory of 4808 3836 MsiExec.exe 110
PID 3836 wrote to memory of 4808 3836 MsiExec.exe 110
PID 3836 wrote to memory of 4808 3836 MsiExec.exe 110
PID 3836 wrote to memory of 1476 3836 MsiExec.exe 111
PID 3836 wrote to memory of 1476 3836 MsiExec.exe 111
PID 3836 wrote to memory of 1476 3836 MsiExec.exe 111
PID 1476 wrote to memory of 3844 1476 ChromeSetup.exe 113
PID 1476 wrote to memory of 3844 1476 ChromeSetup.exe 113
PID 1476 wrote to memory of 3844 1476 ChromeSetup.exe 113
PID 3844 wrote to memory of 5048 3844 updater.exe 114
PID 3844 wrote to memory of 5048 3844 updater.exe 114
PID 3844 wrote to memory of 5048 3844 updater.exe 114
PID 4972 wrote to memory of 3056 4972 updater.exe 118
PID 4972 wrote to memory of 3056 4972 updater.exe 118
PID 4972 wrote to memory of 3056 4972 updater.exe 118
PID 2264 wrote to memory of 3428 2264 updater.exe 121
PID 2264 wrote to memory of 3428 2264 updater.exe 121
PID 2264 wrote to memory of 3428 2264 updater.exe 121
PID 2504 wrote to memory of 1732 2504 vKtMPwVbdMUU.exe 127
PID 2504 wrote to memory of 1732 2504 vKtMPwVbdMUU.exe 127
PID 2504 wrote to memory of 1732 2504 vKtMPwVbdMUU.exe 127
PID 1732 wrote to memory of 2900 1732 qMdeNKsXYpNq.exe 129
PID 1732 wrote to memory of 2900 1732 qMdeNKsXYpNq.exe 129
PID 1732 wrote to memory of 2900 1732 qMdeNKsXYpNq.exe 129
PID 2264 wrote to memory of 5056 2264 updater.exe 132
PID 2264 wrote to memory of 5056 2264 updater.exe 132
PID 5056 wrote to memory of 2800 5056 129.0.6668.101_chrome_installer.exe 133
PID 5056 wrote to memory of 2800 5056 129.0.6668.101_chrome_installer.exe 133
PID 2800 wrote to memory of 2096 2800 setup.exe 134
PID 2800 wrote to memory of 2096 2800 setup.exe 134
PID 2800 wrote to memory of 2560 2800 setup.exe 135
PID 2800 wrote to memory of 2560 2800 setup.exe 135
PID 2560 wrote to memory of 4968 2560 setup.exe 136
PID 2560 wrote to memory of 4968 2560 setup.exe 136
PID 3844 wrote to memory of 456 3844 updater.exe 139
PID 3844 wrote to memory of 456 3844 updater.exe 139
PID 456 wrote to memory of 4848 456 chrome.exe 140
PID 456 wrote to memory of 4848 456 chrome.exe 140
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
PID 456 wrote to memory of 688 456 chrome.exe 141
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe (depth 1)
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chrmroe-intraller.msi
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3696
C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\system32\srtasks.exe (depth 2)
Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
- Suspicious use of AdjustPrivilegeToken
PID:4016
C:\Windows\System32\MsiExec.exe (depth 2)
Command line: C:\Windows\System32\MsiExec.exe -Embedding 0205BBBA1FF53D1F47EAE3665EEF93A1 E Global\MSI0000
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UtilizeDynamicWorker'
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612
C:\Program Files\UtilizeDynamicWorker\JkRyrlfVyEOH.exe (depth 3)
Command line: "C:\Program Files\UtilizeDynamicWorker\JkRyrlfVyEOH.exe" x "C:\Program Files\UtilizeDynamicWorker\ZcOUMgAKFaEfsJXTUJeF" -o"C:\Program Files\UtilizeDynamicWorker\" -psiCMjwFfLqezcQPgBfEe -y
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4012
C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe (depth 3)
Command line: "C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe" -number 276 -file file3 -mode mode3 -flag flag3
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4808
C:\Program Files\UtilizeDynamicWorker\ChromeSetup.exe (depth 3)
Command line: "C:\Program Files\UtilizeDynamicWorker\ChromeSetup.exe"
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1476

C:\Program Files (x86)\Google1476_574004426\bin\updater.exe (depth 4)
Command line: "C:\Program Files (x86)\Google1476_574004426\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={0831CB51-605E-C38D-DE8B-88614C43BE12}&lang=zh-CN&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/enterprise_companion/*=2,*/chrome/updater/*=2
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3844

C:\Program Files (x86)\Google1476_574004426\bin\updater.exe (depth 5)
Command line: "C:\Program Files (x86)\Google1476_574004426\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xac6290,0xac629c,0xac62a8
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5048
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 5)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.101 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb14f77bf8,0x7ffb14f77c04,0x7ffb14f77c10
- Executes dropped EXE
- Loads dropped DLL
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1936,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:688

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2080,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2332,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2516 /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4436,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4476 /prefetch:1
- Executes dropped EXE
- Loads dropped DLL
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4368,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:1
- Executes dropped EXE
- Loads dropped DLL
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4812,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
PID:5224

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4972,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5240

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5284,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5508
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1368
C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe (depth 1)
Command line: "C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe" install
- Drops file in System32 directory
- Executes dropped EXE
PID:1948
C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe (depth 1)
Command line: "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update-internal
- Drops file in Program Files directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4972

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe (depth 2)
Command line: "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xa36290,0xa3629c,0xa362a8
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3056
C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe (depth 1)
Command line: "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update
- Drops file in Program Files directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2264

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe (depth 2)
Command line: "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xa36290,0xa3629c,0xa362a8
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3428

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\129.0.6668.101_chrome_installer.exe (depth 2)
Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\129.0.6668.101_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\a2413752-7e97-45c2-96eb-723bdec4b875.tmp"
- Drops file in Program Files directory
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:5056

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe (depth 3)
Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\a2413752-7e97-45c2-96eb-723bdec4b875.tmp"
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Program Files directory
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2800

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe (depth 4)
Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.101 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6da4cc628,0x7ff6da4cc634,0x7ff6da4cc640
- Executes dropped EXE
PID:2096

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe (depth 4)
Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2560

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe (depth 5)
Command line: "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.101 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff6da4cc628,0x7ff6da4cc634,0x7ff6da4cc640
- Executes dropped EXE
PID:4968
C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe"C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe" start1⤵
- Executes dropped EXE
PID:4476
-
C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe"C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe"C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe" -number 236 -file file3 -mode mode3 -flag flag32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe"C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe" -number 362 -file file3 -mode mode3 -flag flag33⤵
- Enumerates connected drives
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2900
-
-
-
C:\Program Files\Google\Chrome\Application\129.0.6668.101\elevation_service.exe"C:\Program Files\Google\Chrome\Application\129.0.6668.101\elevation_service.exe"1⤵
- Executes dropped EXE
PID:244
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:5608
-
C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:5884 -
C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0xa36290,0xa3629c,0xa362a82⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5900
-
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Installer Packages (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Installer Packages (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
Filesize: 7KB
MD5: 785b801b44c15db672392269ca5df664
SHA1: 9850b3437dd3eb100ad29a7fc2caa6e5b07fec17
SHA256: c703cfaea5e47ebe9cb0cac7a04499104d552a8d29d7e4ccc591152c4474dad9
SHA512: a784b90c5e397b94d43f565416f21bbab78e74f5faa1bbb9758d605d2bd2a495827cd38ef53732217b5f7f6a18855dbf15ded44e8bafbda3b5e12592d626b64b

Filesize: 5.3MB
MD5: e2937e33c2554eecc37c804a7f99f8b7
SHA1: 2c33d4573e21c7d18de1d3f337bacd7c4e58fe87
SHA256: 5dde29f028e75ee72f50902d20c41b699ef8fc5c294f04a321deac6909ffe409
SHA512: cf50e630cd75483f5887153490ab5c55e21a711541d0a4aa0e29d055f42076f7d58edf743bff26e145b56a69b6be9f6704e9c2b071be0aa5a7f6cc1f6be3406f

Filesize: 40B
MD5: c47b9e6cacd3c99592e5325b017f07e9
SHA1: deb07933c19f8e1b53596066003dbabdc3372a16
SHA256: 78c7fa0d09c8898d2c96a86a2802e8544c23a8afe2c1708af52de6064b666fee
SHA512: 50ed602605c4ad90d9ec89194adb5a53e82de7ae3f3b504f628e2244d96cf5ea3cc6a74f0c3e75fb48e50362c3641804587a1c75131666f18568c948a9698187

Filesize: 354B
MD5: 61e150bfd9fe9c9fe354b74b4c535215
SHA1: 6702e4d555315b91f7df284caa7c819d87cb5466
SHA256: b403d8e714539402c473a85d2b51069bf3dac127ec139c97a0bbeeb1b6409f37
SHA512: 3400d796aefa86784395b92300a4125c2faf6bb01bf87c3827e44340a92d44ed65637e844770a30cddc337c2f4bdce154f554e4bf4ab50f2b3ce2fc36909d969

Filesize: 500B
MD5: d3955523fb39f88e6bc6c6d8a18acccd
SHA1: 888955bc9cefd44c45a566ddb6d0749e0bae8883
SHA256: 273f4adae46745b424b12e33fd1a5554c43cbf3c9d55774dbf781c366f508bc0
SHA512: 83fdee8de03cda9ecbbc80260298fb19a5b6e8eba47dcc48f9611bc3427e0a732eb87bcebd7be4842842c30260c0443a7461874570a8ec26103398f9436f9905

Filesize: 600B
MD5: fc0f600ec2ecf5e04a4328475c5e2503
SHA1: 6d77b0b9979edc76fa9f543b3586730d5377da55
SHA256: bf8f9dfdb56270ea0c035234ca4b26df40eaacd9630e5206fa102ea74462e7b3
SHA512: 50f69345c3840ce43a37fe49298eb785a4f2a4ae6c8c66128ebe416f23aacb4305154a048875c46fefe0b30a439a9fa7ad4d93dbfc599f8649fbd69f4117715c

Filesize: 600B
MD5: 7262920d7e980e073ef8415d7f212b94
SHA1: 022494fa13e8fe634a9a5787be3f2b2446537944
SHA256: a7556c9f4c3dd99eab178cc44ed98dcacba768c0bf21792c903f333cd0f06534
SHA512: 4557a7f72da461411430c2b4aa1ec2e8dfaaa96e606f600122280f8c730a53b34855833f7265d016015934be614b7a33bffc5cd0c51a5fafb280946fa6e574ad

Filesize: 49B
MD5: 4a2784f1ca879e8fbbd97e39d0de3cc9
SHA1: a0eb8b63b4b19b134b46fea8e66f819105f004e8
SHA256: 2bcd0a4051b1fa5b0444cee9fd9f7341fafe1eae36659511926ebefba648dee9
SHA512: 95e64a2afbdba5943410f912eba5bc626cbe775c14dd8a3ac8fb6c8c0301762190c15844f2776f894088cf937450e383464592bee8e24308c6f90029d5a57f57

Filesize: 9KB
MD5: 2fe2c599cf923ac3b200a86bc0e94d7f
SHA1: 3d53773ca493ec512ea31e23f50d094e457e5933
SHA256: d6b63577e89387b98f509365af8e7c0a542168a8012da2dda1ace705a52e9d50
SHA512: f47ee1ae6a29db4a7e97ba9d4f95451cca470fc7411c21f2b650cad59a78018b4561f9ec069cff70ef6bb2433b54b09c65b6f130f151fd3e1847a59df786d943

Filesize: 11KB
MD5: 01099ca8b464461b7567c8d80412a469
SHA1: 5b644f9fec94722afd25bc1870e41035cbe4137f
SHA256: 2a863525a1f1c264090ebd1c57f653818c29d0f38dde549a9b3ab8a0ad2247e4
SHA512: f35f86ec0d84e74aa357e434b9730b9bd794b98f37e8001d6fe15f233ea5e995e5102c124358bff89f53cb51d9fdd5cd05fe546539877b548565e6449222614d

Filesize: 1KB
MD5: c5bc84a6a089ee544c5647cc03fe7de2
SHA1: d5f2c94db9d4174149d8e058a494c6ca6ec8f82e
SHA256: 366985507171db4cf098f13976e76d2c6fd37c8c58d60e4da2959c498903362e
SHA512: 69831a694550c710aa051c55d09c5b50c1e7ed69e985444c60f133e323390203c104d9d63a6cedebea59c0e46c5d6c9f5144abfd4e92d684bbe0c43aece18a17

Filesize: 2KB
MD5: 83dd8dc13a490fda1418dcaa0667d81b
SHA1: b7af2b285399d6e48c8c146309aa3703e9d01fcd
SHA256: 4837a69b90efd3b1d3b2d9249988a9dd9086ffff5e718e6d1f33e67c1a8f3ca6
SHA512: fbbbbd581dc6cb42c1ee8623661b0ded7de8a5df780bd50470130b4f3c691d7ab5a282796ad98bb0276815a2d5a9b4fb3e3b05ba2f37239be88a76c45c7c62b4

Filesize: 6KB
MD5: e37f5e63399df08367943335544934cc
SHA1: c9fe41b2e855d3016a6f51e683a2e8a520d2be25
SHA256: b0b41f4255d9d647b1fa4e070561d1a68821300d1312749b6b13409ebc7c5ad6
SHA512: b0ecd0b80a4711a388d8f2ab9c762c66ad780b75c64fd61dc3d43ef09de1598f6be82bd550e85834f628057b5004fe108287464d70321cf1517078393246def0

Filesize: 5.8MB
MD5: 055aa84e5d26f032a2b99ffaf56b91b2
SHA1: df1fb7c2f0b98900e97c1e8947265b56ef20cc2d
SHA256: 020df3bdbb8bc004bcb1b9ba5fc82ef6ad7c683ef7e0a2090dd63f2a29843d53
SHA512: 6c6c5c220970ebad301f6e08a46aab3ee259355afe368fccf612b7ef6855d376c4d89319952d9ac6c489865befc5a2b1ae53d8f63bf7a6ae782975c8cde13aaf
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\a2413752-7e97-45c2-96eb-723bdec4b875.tmp
Filesize: 685KB
MD5: 5c28084b121985584262517e024685c7
SHA1: e3ccdaba1aeea21479f67e991fb89329c2d78a7e
SHA256: ad9a0f1128d035014b8bee6e807360439d82f7277b0da0d6929f2deeb2b94830
SHA512: 908dd1e9258f6160248bc031a47cd892e67969b6a93d8dc6a9e4c389c11a80d7bb418a062aab6ba16714a01aebe4dc2c7277f869c98b13aca660f2d89cc6a9fe

Filesize: 40B
MD5: cc588e9c6f18997aef89d0b744d1fe37
SHA1: 16009616abbcac0af64e3de3bb6839da85b1608c
SHA256: ce6dd4a00f816ada707cb9a72775512d4f300d55f5bd2d73d33d6024db931856
SHA512: 012ac21c449141cac5e66dfb09f883b521b0a94b15508873c9dfddf84e0d19d6b76144461b7d1a77160aaa5d8bb7fea88caaef063b2d4ce33f8800d53a12826b

Filesize: 1.2MB
MD5: 3239df1249368e86ce465d5d921c2480
SHA1: 7e8bd15e0b40d029a104d650f89f1ebb96f0f0d7
SHA256: 1738df9838839c8565236b39ebb884739808924b73f51316d6fec9efad308eab
SHA512: 68156ee6ebb4cb5b6eee0f29e38c40a44a36ca7e38ec8c4b5fe4f64cd51660c212fe0bcc034e022ab8e0204e3d5db032a5ffa55db38d00328abea513a021881b

Filesize: 2.6MB
MD5: 12c5248a52d365e94f3525e65d56cb35
SHA1: 69f4eaac8c27861ae091babb8451e525eb9f7fb6
SHA256: 60ea1dc68535a32b1993fd41c61734bd74536ff95b5449504f741fcb3bbb3842
SHA512: 5e9790aea5d78428e34a3380346987f47874f15b406a76c3a928e2a4f7a261eecafe8dd24800c3f0c4a427d81e06c460da2213206c4e9e34b929c0443dff2cb9

Filesize: 9.7MB
MD5: 29c9848749d11cdac06f5c1ab27ae9e4
SHA1: bb6b142e7b29e8f3a523bd238697622d828a9b5a
SHA256: 94b57aa9cb18f206c72031d9ac8ae1fd3dc00d9248f66cf2dc75593a156534e0
SHA512: 176073947ca2be3bf05834a07a64c3db0de7ed11d77704af862164bb91aabc5f08e7d5b53a7fc7bb67fc5d8480ab322272414b81d56d9a565339ea9ead1adb18

Filesize: 577KB
MD5: 11fa744ebf6a17d7dd3c58dc2603046d
SHA1: d99de792fd08db53bb552cd28f0080137274f897
SHA256: 1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d
SHA512: 424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

Filesize: 39.1MB
MD5: a688d249c498d4d3b89ed876c8239520
SHA1: 25bdaa9b0a339099e10cf9c26e8abdcd67a9e583
SHA256: 145f4e4d11e76a2612db5ffbfae8f9ab8e4385ff7660802ffd2f473c9dcb2a0d
SHA512: ca24eee29e9ae1c919b98d1f5e41b96566c86b1e40e30f3f6c7fb5c7e4049f92fb64afa4c87e8e815d3926b9cac17d0347f1f9b69d06e01303ffcb1815efecc1

Filesize: 4.3MB
MD5: b9b51255b7e495877496c1e6758e3871
SHA1: 0c042a1ef84828b4e0f2d4e6046197c3a5eb8a7b
SHA256: 7659a1bd1d45ee4dd54592de56ba0b669344cc205aa0894c4e98e2fb8003f268
SHA512: 7c7a5399fdac2d7ed176b438f9475a3da715fb16e09a0b71f208f34a5620baf84287e8d16a91fdcd84284b7babc94f65a134fa92ec19ce698f97153b64ea7b29

Filesize: 3.0MB
MD5: 57761e35f3375adb749fb9e14f423a21
SHA1: 5deb274e82085ad21911ce9abb91d466e556fb4a
SHA256: 08526d64f255bb798037b7f475bc8cad40a860e4fe68eeb52f9b9f0eb0ef0231
SHA512: e1f6fa277e7f34b961b51065ae10c190d5a453b9188f5ee5ced62706136fbbd6727db48efdbea3599fb82f4c6485313674fa458e5b7f9bde6cb7f0664de81c1e

Filesize: 832KB
MD5: d305d506c0095df8af223ac7d91ca327
SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Filesize: 431B
MD5: 2fa4e1ae760044fa9fe11ba275466774
SHA1: 837508b1cfcf10f7320448656aba7db3bd3b82f3
SHA256: 2c3cfd35e3079ee7493b55ac36ea8aac4664b85fca8ba16668b02b888d90a2f6
SHA512: 337cc3fcf96fe631c186e518fd0d14df81b6e11af45855e89b2367272b1c13a6a32415c5e1253f7f9d07e69cab63de4561349e7d86114c00929842ca589b36f5

Filesize: 600B
MD5: 1a843a6a94c17e336e15984a11d271ef
SHA1: cd3a4a6af08303d2a265da26ca858c0ac91af989
SHA256: 1d21d7811c1cda4921fbb8377dea94d4344cfbafec829ec857b6e05c8c5ee60c
SHA512: d6304081f54bfc4bcd685adf3c6828814fcba6b1af16f79d19baf1b6ab5c987a571e138112d94d9036ee4e11598d7e2a3ae80dbd52a365990f8d81a57ba0c94b

Filesize: 435B
MD5: 37d76145bf06010c75bc5568ae02d55e
SHA1: 5b43938e78fd65453c38180a7fa1b5cd8f8eed0a
SHA256: ead679c38ba5857183e7126d5d06a57c9bae54d8c2fae2d4677dd657dc2ca556
SHA512: 48a87351f3bab74b734d2c1a9208fbfe72af4879b6d508ce03421a4d63d345c58c3ddc60c15ef820ddefb46041a7a9b44b9d2f1d96cbc34cc1233c3c4989bdaa

Filesize: 21KB
MD5: 6fdfc4054e8551f4d9555d694b5b94a4
SHA1: 05bae05af66304b2ff8823ded7572ea55b53b69e
SHA256: 884af0706b9f4376ee9c2c73f50da49cd3b2394f852532b1cda31916ad906df3
SHA512: 2f213ffa74891e8d12d93eeff7f0b00e04489e738e776ed3ee8f034013ab568be35b49a979d9b5fd2b5caf34033b6b6d868ff677679440c6fc147d93b7c8b4ff

Filesize: 2KB
MD5: 1abaf298b2dd64e513f1f7ee2165801a
SHA1: 4327779918643da468490a4551c64e15fd346e0a
SHA256: 976ab4428a31e02de24ab153a22e1a6b1e4dd27669fbafc681b3f5a29ebd9a8e
SHA512: faa7a19210dbc2d62f0879dfd5d1524358f3e822d135cfa1837e69c4ac9b9bc783e9c3f969f9d52993674b085b621481c83d0f62c278df345fc6a54f342996e7

Filesize: 115KB
MD5: 98069f4ca581f700ff53b0135e535cab
SHA1: c456fcd9e337c4a2752a935d0163fc413b98f816
SHA256: 64e61dc49c2f2c6f8d43b24278d1aff38ad3fac100561e70d12273b577d2d191
SHA512: a3f463599a87363f75ce56c31b847f685393658030e3dfa43334889866eedf50aff36369e0cdbd30c05f65ba8186d64ceb97d273d22f3cd08c20d094874ab0eb

Filesize: 649B
MD5: 167ba12a0bab145df8c04e8b6fa9cae4
SHA1: dbca326b3ac17ea1e0e1962bb4393316a39fcaee
SHA256: c6dee31cc86ae7c7b943e962f2351965f871a9f6782da7a0ee7aecbef987d58b
SHA512: a54057bb941d0b0e47e52f99d19d3253e8d4ae75adc909d6240bc896ba4ac1824adc3dad0ce14cba55331a82327b6efd432c11ce47873f6bb1f6f9d0b3b3e3a3
Filesize: 192KB
MD5: 505a174e740b3c0e7065c45a78b5cf42
SHA1: 38911944f14a8b5717245c8e6bd1d48e58c7df12
SHA256: 024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d
SHA512: 7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Filesize: 2KB
MD5: 1e18105f900d9375f7546023129035b7
SHA1: 13c50f0ec2d1f20a6d465fcaaa8849df0738ca69
SHA256: 42d555269481f771888a4f04ef3ca3315dc7b12d87257cb013ae20b4c134633c
SHA512: c47568417aa178024c068b085ed6b909d0dd49460edc111ecb62620071562cbac988c017167178e5f7c17fa6b4cd06073f7bcd5c251c7dc6b6f70123c3a94d3b

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 356B
MD5: 5aaea6a5b80ec26d7f9a1fef6aad1534
SHA1: 99d8e9e4387be4b187174efa95a6b98d3abde41e
SHA256: f82c0c1e20f6f4882b0c42723e275e019111b5bd64759d4992ded3998b09d107
SHA512: 1bf1695b9ddcc59fe99e78a41107a60ae93f812403dc62bdd4e2398e157be33dce19d6537dc7de066723150e2b6107b0d5e9cce9be1a937cf8da321dd9877d6e

Filesize: 10KB
MD5: 3f9864f9bc85676ba7967e5e28570af9
SHA1: 5b35f2e7802e62906bd4b80f2fbcaad69a439523
SHA256: eb44cd952df68339360f3295432ebb84b7d90f6c003cf3824ad00163517bf831
SHA512: 1bf6f30a82bb2dc9d9ff7627d2232be64454130afea1015f6248881c9933e5208caeba1e87cdcb2bb653b34f5ed999272b220b7c7b1774b4a821b2188b27f01f

Filesize: 15KB
MD5: 0423dcd1cd95f4ad76dd7151e2240eae
SHA1: 2cb3ecde82d241b373908f5c2e4e91202c79b4e9
SHA256: cc02458f00238775c901d37f119ce206ed16133cd237df67367b88fa2039c106
SHA512: 8bbd88dbcbc8724234629649042f2d39ec3101ba23d4833c4187b4270a0917c42a886ce1b07c4d82070cf91460212b62bc8c4d6ae7149fab94a2adde3c766c6e

Filesize: 38B
MD5: 3433ccf3e03fc35b634cd0627833b0ad
SHA1: 789a43382e88905d6eb739ada3a8ba8c479ede02
SHA256: f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d
SHA512: 21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Filesize: 202KB
MD5: e3b068fc9d797050c0ea0ce5a6e74597
SHA1: 55a9c48bb297c6cc57b3b4efc7fecb7b156f1243
SHA256: 9c4223f655ec4ec69a5813ae006d9dd83e7592db4a832cd19045abd956a313b4
SHA512: 8ff41d1dec29b55bc645b8b4efb1b164475fe57d33d47edb1abb5038aac910da1120ffb84ba5a6e3657da2a63e1cb515c39a85d295aec0c3419ed116b338d78b

Filesize: 202KB
MD5: 65219db689866292e00be33954d89d14
SHA1: 173f5e2aab4832dd89c3140eeb2b255ea2d49be4
SHA256: 19dc2f17304c6e0133f1a078b29e6c23ab0cddd5ebb99952f441e6c20f666f78
SHA512: 4c1d2d65fe0c9f03fcd065e59bb4913319ef01975363e6bb786991947e56039dfeb4b4346a0c0024ac3da7e98e3da72d7bd44b26663e442410c3516302bd618b

Filesize: 116KB
MD5: ccf0ba9e51297fc29efc073b31b02300
SHA1: 8384f5debedf90e3b74c013c92473d7d02ee8fe1
SHA256: baf1c97bd6a2a830da926c901e1999e24c4e76a2e32c3d9cedc14e9086db9320
SHA512: 5469e308439aaee183a038cb0a91effb3f3b45f40eceb2de50c2f56f9e0f72e4f2308508ea770e93980ae4448360193dce9ff82bcb043136d9dc0e2766d9bff2

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 43.5MB
MD5: 113a2eab7ccf51501146194bbaadb175
SHA1: de00c7a8ff5b49adec8bc44eba7f6332446f0e8f
SHA256: 4cab134dbaf1059613f44da615292af5713a0aa3a0185abda0cf1ebf8a7dc9a4
SHA512: ce681034d9c3cad7367fa2a541401036651ce79385524b10f8ea0287c6c6e1bd307c82d339056d6f2e2fd48cbdd05e80650c1b5acb62b55772b4157d3ef9c13e

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\vKtMPwVbdMUU.exe.log
Filesize: 1KB
MD5: 122cf3c4f3452a55a92edee78316e071
SHA1: f2caa36d483076c92d17224cf92e260516b3cbbf
SHA256: 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512: c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Filesize: 24.1MB
MD5: 4479dd2ce05c605681e050b03ff2c747
SHA1: b6a941a43f2672bcd8f8498b735069981465b177
SHA256: 561bfc417ad3842ee466120ac412f6be8b186fb9502b95331be131522415b94f
SHA512: 9cdf689c750a81a2acdc340e279aba8e53b64afb18c3ba3dcabff9654a680caa37126722b4ecb34a77fef370ec274e8d90140b9c4fb43719edd5407ca0d9c309

\??\Volume{625ed6c4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1007a37d-3f7d-41f8-bd01-a1e0379e5adf}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 20cca4ce4d0ddcc855c83a48514179b1
SHA1: cf31ebdacdc0d4c5f1f393f621a0771d61b0731e
SHA256: 5b8722df4991a89f66e5217f768cd0365884662eb7135c012256deeb59de8af8
SHA512: 2c0eae15efb000102b5dc9d067df7cee5e55a077d7997b8c640e43288e8f6d3fe57fb0c011ed17cee4e2f0862ce321a7a5cc77104caa5b416f985acbea45c3f1