Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-10-2024 07:27

General

  • Target

    Chrmroe-intraller.msi

  • Size

    43.5MB

  • MD5

    113a2eab7ccf51501146194bbaadb175

  • SHA1

    de00c7a8ff5b49adec8bc44eba7f6332446f0e8f

  • SHA256

    4cab134dbaf1059613f44da615292af5713a0aa3a0185abda0cf1ebf8a7dc9a4

  • SHA512

    ce681034d9c3cad7367fa2a541401036651ce79385524b10f8ea0287c6c6e1bd307c82d339056d6f2e2fd48cbdd05e80650c1b5acb62b55772b4157d3ef9c13e

  • SSDEEP

    786432:KPmAYqjq7J2mESTU1A2SBaUCAkEPstiz7Ngv9iJ67P3+OBrIU7:d4m5U1A2SMUxstiz7NGYJ673z9

Malware Config

Signatures

  • Detect PurpleFox Rootkit 4 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run the exclusion is a path: Add-MpPreference -ExclusionPath 'C:\Program Files\UtilizeDynamicWorker', the directory into which the installer drops its payload (see the process tree below).

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 34 IoCs
  • Loads dropped DLL 29 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and history.

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. In this run vssvc.exe starts alongside msiexec's srtasks.exe ExecuteScopeRestorePoint call (see the process tree), which is consistent with the installer creating a system restore point rather than with shadow-copy deletion; check the Processes section before treating this signature as ransomware-like behaviour.
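The behaviours flagged above (a Defender exclusion added from PowerShell, Active Setup persistence, a dropped binary run with `install` and `start`, files written under Program Files) are all checkable on a live host. The script below is an added example, not part of the sandbox report and not code from the sample: a read-only triage pass that lists Defender exclusions and the events that recorded them, Active Setup StubPath entries with their signer, services whose binary is unsigned or points into the drop directory, and the contents of that directory. `$SuspectDir` defaults to the path seen in this report; the function names (`Add-Finding`, `Get-ExePath`, `Get-SignerStatus`) are this example's own. Save it as a .ps1 and run it from an elevated session.

```powershell
# Added example (not from the sandbox report): read-only host triage for the
# behaviours in the Signatures list. $SuspectDir defaults to the drop directory
# seen in this report's process tree; pass another path to reuse the script.
param([string]$SuspectDir = 'C:\Program Files\UtilizeDynamicWorker')

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# First token ending in .exe from a command line or StubPath, env vars expanded.
function Get-ExePath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+?\.exe)"' -or $CommandLine -match '^\s*(\S+?\.exe)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return $null
}

# Authenticode status of a file; 'missing' if the path does not resolve.
function Get-SignerStatus([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return 'Valid: ' + $sig.SignerCertificate.Subject }
    return [string]$sig.Status
}

# 1. Current Defender exclusions (the dropper ran Add-MpPreference -ExclusionPath).
$mp = Get-MpPreference
$mp.ExclusionPath      | Where-Object { $_ } | ForEach-Object { Add-Finding 'Defender.ExclusionPath'      $_ }
$mp.ExclusionExtension | Where-Object { $_ } | ForEach-Object { Add-Finding 'Defender.ExclusionExtension' $_ }
$mp.ExclusionProcess   | Where-Object { $_ } | ForEach-Object { Add-Finding 'Defender.ExclusionProcess'   $_ }

# 2. The change itself: Defender logs configuration changes as event 5007, and
#    PowerShell script block logging (event 4104) keeps the command text if enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object { Add-Finding 'Defender.5007' ("{0} {1}" -f $_.TimeCreated, ($_.Message -replace '\s+', ' ')) }
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match '(Add|Set)-MpPreference' } |
    ForEach-Object { Add-Finding 'PowerShell.4104' ("{0} {1}" -f $_.TimeCreated, $_.Properties[2].Value) }

# 3. Active Setup components. Chrome's own setup.exe registers one legitimately
#    (the report flags it on the Chrome installer chain), so judge by signer.
$roots = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
foreach ($root in $roots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub) {
            Add-Finding 'ActiveSetup.StubPath' ("{0} -> {1} [{2}]" -f $_.PSChildName, $stub, (Get-SignerStatus (Get-ExePath $stub)))
        }
    }
}

# 4. Services: anything pointing into $SuspectDir, or whose binary is not validly
#    signed. The dropped vKtMPwVbdMUU.exe was run with 'install' then 'start',
#    the argument pair of a self-installing service wrapper. Expect some noise
#    from legitimate third-party services; the path column tells them apart.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $status = Get-SignerStatus (Get-ExePath $_.PathName)
    if ($_.PathName -like "*$SuspectDir*" -or $status -notlike 'Valid:*') {
        Add-Finding 'Service' ("{0} [{1}] -> {2} [{3}]" -f $_.Name, $_.State, $_.PathName, $status)
    }
}

# 5. Contents of the drop directory, with signer status per file. An exclusion
#    on this path means Defender never scanned what is in it.
if (Test-Path -LiteralPath $SuspectDir) {
    Get-ChildItem -LiteralPath $SuspectDir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'SuspectDir.File' ("{0} ({1} bytes) [{2}]" -f $_.FullName, $_.Length, (Get-SignerStatus $_.FullName))
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Two caveats for reading the output. A Defender exclusion on the drop directory means nothing inside it was ever scanned, so an empty Get-MpThreatDetection history is not evidence of a clean host. And a missing 5007 or 4104 event does not mean the exclusion was never added: 4104 only exists where script block logging is enabled, and both logs roll over, so treat Get-MpPreference as the ground truth.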

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chrmroe-intraller.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3696
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4016
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 0205BBBA1FF53D1F47EAE3665EEF93A1 E Global\MSI0000
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UtilizeDynamicWorker'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
      • C:\Program Files\UtilizeDynamicWorker\JkRyrlfVyEOH.exe
        "C:\Program Files\UtilizeDynamicWorker\JkRyrlfVyEOH.exe" x "C:\Program Files\UtilizeDynamicWorker\ZcOUMgAKFaEfsJXTUJeF" -o"C:\Program Files\UtilizeDynamicWorker\" -psiCMjwFfLqezcQPgBfEe -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4012
      • C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe
        "C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe" -number 276 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4808
      • C:\Program Files\UtilizeDynamicWorker\ChromeSetup.exe
        "C:\Program Files\UtilizeDynamicWorker\ChromeSetup.exe"
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Program Files (x86)\Google1476_574004426\bin\updater.exe
          "C:\Program Files (x86)\Google1476_574004426\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={0831CB51-605E-C38D-DE8B-88614C43BE12}&lang=zh-CN&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/enterprise_companion/*=2,*/chrome/updater/*=2
          4⤵
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3844
          • C:\Program Files (x86)\Google1476_574004426\bin\updater.exe
            "C:\Program Files (x86)\Google1476_574004426\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xac6290,0xac629c,0xac62a8
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:5048
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
            5⤵
            • Checks system information in the registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Enumerates system info in registry
            • Modifies data under HKEY_USERS
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:456
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.101 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb14f77bf8,0x7ffb14f77c04,0x7ffb14f77c10
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:4848
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1936,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:688
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2080,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:3148
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2332,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2516 /prefetch:8
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1416
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:4920
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:2116
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4436,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4476 /prefetch:1
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:4388
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4368,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:1
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:3088
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4812,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:5224
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4972,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:8
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:5240
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5284,i,5834642344696888118,12242844623741309727,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:8
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies data under HKEY_USERS
              PID:5508
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1368
  • C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe
    "C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe" install
    1⤵
    • Drops file in System32 directory
    • Executes dropped EXE
    PID:1948
  • C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
    "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update-internal
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
      "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xa36290,0xa3629c,0xa362a8
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3056
  • C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
    "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
      "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xa36290,0xa3629c,0xa362a8
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3428
    • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\129.0.6668.101_chrome_installer.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\129.0.6668.101_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\a2413752-7e97-45c2-96eb-723bdec4b875.tmp"
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe
        "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\a2413752-7e97-45c2-96eb-723bdec4b875.tmp"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Network Configuration Discovery: Internet Connection Discovery
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe
          "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.101 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6da4cc628,0x7ff6da4cc634,0x7ff6da4cc640
          4⤵
          • Executes dropped EXE
          PID:2096
        • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe
          "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
          4⤵
          • Drops file in System32 directory
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:2560
          • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe
            "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.101 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff6da4cc628,0x7ff6da4cc634,0x7ff6da4cc640
            5⤵
            • Executes dropped EXE
            PID:4968
  • C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe
    "C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe" start
    1⤵
    • Executes dropped EXE
    PID:4476
  • C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe
    "C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe
      "C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe" -number 236 -file file3 -mode mode3 -flag flag3
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe
        "C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe" -number 362 -file file3 -mode mode3 -flag flag3
        3⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2900
  • C:\Program Files\Google\Chrome\Application\129.0.6668.101\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\129.0.6668.101\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:244
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:5608
  • C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
    "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    PID:5884
    • C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
      "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0xa36290,0xa3629c,0xa362a8
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5900
    • C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
      "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      PID:5884
      • C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
        "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0xa36290,0xa3629c,0xa362a8
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:5900
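The tree above is the part of this report worth turning into a detection: the MSI custom-action host (MsiExec.exe -Embedding, PID 3836) launches a PowerShell Add-MpPreference call, a 7-Zip-style extractor invocation with a password (x, -o, -p..., -y), a randomly named binary, and a real ChromeSetup.exe as decoy, while a second dropped binary is run with install and then start. The block below is an added example, not part of the report and not the sample's code. It runs four rules and one parent-PID correlation over constructed records that mirror the fields a SIEM carries for Sysmon Event ID 1 or Security event 4688; the rows are built from the tree above, and one parent link the report does not show is marked as such. Field names follow Sysmon (Image, CommandLine, ProcessId, ParentImage, ParentProcessId); map them to your own schema.

```powershell
# Added example (not from the sandbox report): rule logic for the process chain
# above, run over constructed sample records built from the report's tree.
$sample = @(
    [pscustomobject]@{ ProcessId = 4016; ParentProcessId = 3316   # benign control: MSI restore point
        ParentImage = 'C:\Windows\system32\msiexec.exe'; Image = 'C:\Windows\system32\srtasks.exe'
        CommandLine = 'C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2' }
    [pscustomobject]@{ ProcessId = 2612; ParentProcessId = 3836
        ParentImage = 'C:\Windows\System32\MsiExec.exe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath ''C:\Program Files\UtilizeDynamicWorker''' }
    [pscustomobject]@{ ProcessId = 4012; ParentProcessId = 3836
        ParentImage = 'C:\Windows\System32\MsiExec.exe'; Image = 'C:\Program Files\UtilizeDynamicWorker\JkRyrlfVyEOH.exe'
        CommandLine = '"C:\Program Files\UtilizeDynamicWorker\JkRyrlfVyEOH.exe" x "C:\Program Files\UtilizeDynamicWorker\ZcOUMgAKFaEfsJXTUJeF" -o"C:\Program Files\UtilizeDynamicWorker\" -psiCMjwFfLqezcQPgBfEe -y' }
    [pscustomobject]@{ ProcessId = 4808; ParentProcessId = 3836
        ParentImage = 'C:\Windows\System32\MsiExec.exe'; Image = 'C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe'
        CommandLine = '"C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe" -number 276 -file file3 -mode mode3 -flag flag3' }
    [pscustomobject]@{ ProcessId = 1476; ParentProcessId = 3836
        ParentImage = 'C:\Windows\System32\MsiExec.exe'; Image = 'C:\Program Files\UtilizeDynamicWorker\ChromeSetup.exe'
        CommandLine = '"C:\Program Files\UtilizeDynamicWorker\ChromeSetup.exe"' }
    [pscustomobject]@{ ProcessId = 1948; ParentProcessId = 0     # parent not recorded in the report
        ParentImage = ''; Image = 'C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe'
        CommandLine = '"C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe" install' }
    [pscustomobject]@{ ProcessId = 2560; ParentProcessId = 2800   # benign control: real Chrome installer
        ParentImage = 'C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe'
        Image = 'C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe'
        CommandLine = '"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1' }
)

# Each rule is a name plus a predicate over one process-creation record.
$rules = @(
    @{ Name = 'Installer adds Defender exclusion'
       Test = { param($e) $e.ParentImage -match '\\msiexec\.exe$' -and
                          $e.Image -match '\\(powershell|pwsh)\.exe$' -and
                          $e.CommandLine -match '(Add|Set)-MpPreference' } }
    @{ Name = 'Password-protected archive extraction (7-Zip-style x/-p/-y)'
       Test = { param($e) $e.CommandLine -match '^"?[^"]*\.exe"?\s+x\s' -and
                          $e.CommandLine -match '\s-p\S+' -and
                          $e.CommandLine -match '\s-y(\s|$)' } }
    @{ Name = 'Program Files binary run with install/start (service wrapper)'
       Test = { param($e) $e.Image -match '^C:\\Program Files( \(x86\))?\\' -and
                          $e.CommandLine -match '\.exe"?\s+(install|start)\s*$' } }
    @{ Name = 'MSI custom action launches binary from Program Files'      # low fidelity alone; used for correlation
       Test = { param($e) $e.ParentImage -match '\\msiexec\.exe$' -and
                          $e.Image -match '^C:\\Program Files( \(x86\))?\\' } }
)

function New-Hit($Rule, $e) {
    [pscustomobject]@{ Rule = $Rule; ProcessId = $e.ProcessId; ParentProcessId = $e.ParentProcessId
                       Image = (Split-Path -Path $e.Image -Leaf); CommandLine = $e.CommandLine }
}

function Invoke-ProcessRules {
    param([object[]]$Events, [hashtable[]]$Rules)
    $hits = @(foreach ($e in $Events) {
        foreach ($r in $Rules) { if (& $r.Test $e) { New-Hit $r.Name $e } }
    })
    # Correlation: the parent that launched the exclusion change also launched the
    # payload stages. Flag its other children whatever they are called, which is
    # what turns the noisy fourth rule into a usable signal.
    $tainted = @($hits | Where-Object { $_.Rule -eq 'Installer adds Defender exclusion' } |
                ForEach-Object { $_.ParentProcessId } | Select-Object -Unique)
    $siblings = @(foreach ($e in $Events) {
        if ($tainted -contains $e.ParentProcessId -and $e.Image -notmatch '\\(powershell|pwsh)\.exe$') {
            New-Hit 'Sibling of Defender-exclusion change (same parent PID)' $e
        }
    })
    $hits + $siblings
}

Invoke-ProcessRules -Events $sample -Rules $rules | Sort-Object ProcessId | Format-Table -AutoSize -Wrap
```

The two control rows are there to show what the rules leave alone: srtasks.exe is a normal child of msiexec.exe (restore point creation) and matches nothing, and the real Chrome setup.exe, although it lives under Program Files (x86), is launched by setup.exe rather than by msiexec.exe and carries no install/start or archive arguments. The fourth rule on its own fires for every MSI that runs a custom-action executable, which is common in legitimate installers; it earns its place only through the correlation step, so in a SIEM scope that step to a time window around the Add-MpPreference event rather than to the whole lifetime of the parent PID.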

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Config.Msi\e57c1bb.rbs

      Filesize

      7KB

      MD5

      785b801b44c15db672392269ca5df664

      SHA1

      9850b3437dd3eb100ad29a7fc2caa6e5b07fec17

      SHA256

      c703cfaea5e47ebe9cb0cac7a04499104d552a8d29d7e4ccc591152c4474dad9

      SHA512

      a784b90c5e397b94d43f565416f21bbab78e74f5faa1bbb9758d605d2bd2a495827cd38ef53732217b5f7f6a18855dbf15ded44e8bafbda3b5e12592d626b64b

    • C:\Program Files (x86)\Google1476_574004426\bin\updater.exe

      Filesize

      5.3MB

      MD5

      e2937e33c2554eecc37c804a7f99f8b7

      SHA1

      2c33d4573e21c7d18de1d3f337bacd7c4e58fe87

      SHA256

      5dde29f028e75ee72f50902d20c41b699ef8fc5c294f04a321deac6909ffe409

      SHA512

      cf50e630cd75483f5887153490ab5c55e21a711541d0a4aa0e29d055f42076f7d58edf743bff26e145b56a69b6be9f6704e9c2b071be0aa5a7f6cc1f6be3406f

    • C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\settings.dat

      Filesize

      40B

      MD5

      c47b9e6cacd3c99592e5325b017f07e9

      SHA1

      deb07933c19f8e1b53596066003dbabdc3372a16

      SHA256

      78c7fa0d09c8898d2c96a86a2802e8544c23a8afe2c1708af52de6064b666fee

      SHA512

      50ed602605c4ad90d9ec89194adb5a53e82de7ae3f3b504f628e2244d96cf5ea3cc6a74f0c3e75fb48e50362c3641804587a1c75131666f18568c948a9698187

    • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

      Filesize

      354B

      MD5

      61e150bfd9fe9c9fe354b74b4c535215

      SHA1

      6702e4d555315b91f7df284caa7c819d87cb5466

      SHA256

      b403d8e714539402c473a85d2b51069bf3dac127ec139c97a0bbeeb1b6409f37

      SHA512

      3400d796aefa86784395b92300a4125c2faf6bb01bf87c3827e44340a92d44ed65637e844770a30cddc337c2f4bdce154f554e4bf4ab50f2b3ce2fc36909d969

    • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

      Filesize

      500B

      MD5

      d3955523fb39f88e6bc6c6d8a18acccd

      SHA1

      888955bc9cefd44c45a566ddb6d0749e0bae8883

      SHA256

      273f4adae46745b424b12e33fd1a5554c43cbf3c9d55774dbf781c366f508bc0

      SHA512

      83fdee8de03cda9ecbbc80260298fb19a5b6e8eba47dcc48f9611bc3427e0a732eb87bcebd7be4842842c30260c0443a7461874570a8ec26103398f9436f9905

    • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

      Filesize

      600B

      MD5

      fc0f600ec2ecf5e04a4328475c5e2503

      SHA1

      6d77b0b9979edc76fa9f543b3586730d5377da55

      SHA256

      bf8f9dfdb56270ea0c035234ca4b26df40eaacd9630e5206fa102ea74462e7b3

      SHA512

      50f69345c3840ce43a37fe49298eb785a4f2a4ae6c8c66128ebe416f23aacb4305154a048875c46fefe0b30a439a9fa7ad4d93dbfc599f8649fbd69f4117715c

    • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

      Filesize

      600B

      MD5

      7262920d7e980e073ef8415d7f212b94

      SHA1

      022494fa13e8fe634a9a5787be3f2b2446537944

      SHA256

      a7556c9f4c3dd99eab178cc44ed98dcacba768c0bf21792c903f333cd0f06534

      SHA512

      4557a7f72da461411430c2b4aa1ec2e8dfaaa96e606f600122280f8c730a53b34855833f7265d016015934be614b7a33bffc5cd0c51a5fafb280946fa6e574ad

    • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

      Filesize

      49B

      MD5

      4a2784f1ca879e8fbbd97e39d0de3cc9

      SHA1

      a0eb8b63b4b19b134b46fea8e66f819105f004e8

      SHA256

      2bcd0a4051b1fa5b0444cee9fd9f7341fafe1eae36659511926ebefba648dee9

      SHA512

      95e64a2afbdba5943410f912eba5bc626cbe775c14dd8a3ac8fb6c8c0301762190c15844f2776f894088cf937450e383464592bee8e24308c6f90029d5a57f57

    • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

      Filesize

      9KB

      MD5

      2fe2c599cf923ac3b200a86bc0e94d7f

      SHA1

      3d53773ca493ec512ea31e23f50d094e457e5933

      SHA256

      d6b63577e89387b98f509365af8e7c0a542168a8012da2dda1ace705a52e9d50

      SHA512

      f47ee1ae6a29db4a7e97ba9d4f95451cca470fc7411c21f2b650cad59a78018b4561f9ec069cff70ef6bb2433b54b09c65b6f130f151fd3e1847a59df786d943

    • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

      Filesize

      11KB

      MD5

      01099ca8b464461b7567c8d80412a469

      SHA1

      5b644f9fec94722afd25bc1870e41035cbe4137f

      SHA256

      2a863525a1f1c264090ebd1c57f653818c29d0f38dde549a9b3ab8a0ad2247e4

      SHA512

      f35f86ec0d84e74aa357e434b9730b9bd794b98f37e8001d6fe15f233ea5e995e5102c124358bff89f53cb51d9fdd5cd05fe546539877b548565e6449222614d

    • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

      Filesize

      1KB

      MD5

      c5bc84a6a089ee544c5647cc03fe7de2

      SHA1

      d5f2c94db9d4174149d8e058a494c6ca6ec8f82e

      SHA256

      366985507171db4cf098f13976e76d2c6fd37c8c58d60e4da2959c498903362e

      SHA512

      69831a694550c710aa051c55d09c5b50c1e7ed69e985444c60f133e323390203c104d9d63a6cedebea59c0e46c5d6c9f5144abfd4e92d684bbe0c43aece18a17

    • C:\Program Files (x86)\Google\GoogleUpdater\updater.log
      Filesize  2KB
      MD5       83dd8dc13a490fda1418dcaa0667d81b
      SHA1      b7af2b285399d6e48c8c146309aa3703e9d01fcd
      SHA256    4837a69b90efd3b1d3b2d9249988a9dd9086ffff5e718e6d1f33e67c1a8f3ca6
      SHA512    fbbbbd581dc6cb42c1ee8623661b0ded7de8a5df780bd50470130b4f3c691d7ab5a282796ad98bb0276815a2d5a9b4fb3e3b05ba2f37239be88a76c45c7c62b4

    • C:\Program Files (x86)\Google\GoogleUpdater\updater.log
      Filesize  6KB
      MD5       e37f5e63399df08367943335544934cc
      SHA1      c9fe41b2e855d3016a6f51e683a2e8a520d2be25
      SHA256    b0b41f4255d9d647b1fa4e070561d1a68821300d1312749b6b13409ebc7c5ad6
      SHA512    b0ecd0b80a4711a388d8f2ab9c762c66ad780b75c64fd61dc3d43ef09de1598f6be82bd550e85834f628057b5004fe108287464d70321cf1517078393246def0

    • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\CR_49DBF.tmp\setup.exe
      Filesize  5.8MB
      MD5       055aa84e5d26f032a2b99ffaf56b91b2
      SHA1      df1fb7c2f0b98900e97c1e8947265b56ef20cc2d
      SHA256    020df3bdbb8bc004bcb1b9ba5fc82ef6ad7c683ef7e0a2090dd63f2a29843d53
      SHA512    6c6c5c220970ebad301f6e08a46aab3ee259355afe368fccf612b7ef6855d376c4d89319952d9ac6c489865befc5a2b1ae53d8f63bf7a6ae782975c8cde13aaf

    • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2264_2049488978\a2413752-7e97-45c2-96eb-723bdec4b875.tmp
      Filesize  685KB
      MD5       5c28084b121985584262517e024685c7
      SHA1      e3ccdaba1aeea21479f67e991fb89329c2d78a7e
      SHA256    ad9a0f1128d035014b8bee6e807360439d82f7277b0da0d6929f2deeb2b94830
      SHA512    908dd1e9258f6160248bc031a47cd892e67969b6a93d8dc6a9e4c389c11a80d7bb418a062aab6ba16714a01aebe4dc2c7277f869c98b13aca660f2d89cc6a9fe

    • C:\Program Files\Crashpad\settings.dat
      Filesize  40B
      MD5       cc588e9c6f18997aef89d0b744d1fe37
      SHA1      16009616abbcac0af64e3de3bb6839da85b1608c
      SHA256    ce6dd4a00f816ada707cb9a72775512d4f300d55f5bd2d73d33d6024db931856
      SHA512    012ac21c449141cac5e66dfb09f883b521b0a94b15508873c9dfddf84e0d19d6b76144461b7d1a77160aaa5d8bb7fea88caaef063b2d4ce33f8800d53a12826b

    • C:\Program Files\Google\Chrome\Application\129.0.6668.101\chrome_elf.dll
      Filesize  1.2MB
      MD5       3239df1249368e86ce465d5d921c2480
      SHA1      7e8bd15e0b40d029a104d650f89f1ebb96f0f0d7
      SHA256    1738df9838839c8565236b39ebb884739808924b73f51316d6fec9efad308eab
      SHA512    68156ee6ebb4cb5b6eee0f29e38c40a44a36ca7e38ec8c4b5fe4f64cd51660c212fe0bcc034e022ab8e0204e3d5db032a5ffa55db38d00328abea513a021881b

    • C:\Program Files\Google\Chrome\Application\chrome.exe
      Filesize  2.6MB
      MD5       12c5248a52d365e94f3525e65d56cb35
      SHA1      69f4eaac8c27861ae091babb8451e525eb9f7fb6
      SHA256    60ea1dc68535a32b1993fd41c61734bd74536ff95b5449504f741fcb3bbb3842
      SHA512    5e9790aea5d78428e34a3380346987f47874f15b406a76c3a928e2a4f7a261eecafe8dd24800c3f0c4a427d81e06c460da2213206c4e9e34b929c0443dff2cb9

    • C:\Program Files\UtilizeDynamicWorker\ChromeSetup.exe
      Filesize  9.7MB
      MD5       29c9848749d11cdac06f5c1ab27ae9e4
      SHA1      bb6b142e7b29e8f3a523bd238697622d828a9b5a
      SHA256    94b57aa9cb18f206c72031d9ac8ae1fd3dc00d9248f66cf2dc75593a156534e0
      SHA512    176073947ca2be3bf05834a07a64c3db0de7ed11d77704af862164bb91aabc5f08e7d5b53a7fc7bb67fc5d8480ab322272414b81d56d9a565339ea9ead1adb18

    • C:\Program Files\UtilizeDynamicWorker\JkRyrlfVyEOH.exe
      Filesize  577KB
      MD5       11fa744ebf6a17d7dd3c58dc2603046d
      SHA1      d99de792fd08db53bb552cd28f0080137274f897
      SHA256    1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d
      SHA512    424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

    • C:\Program Files\UtilizeDynamicWorker\UE4PrereqSetup_x64.exe
      Filesize  39.1MB
      MD5       a688d249c498d4d3b89ed876c8239520
      SHA1      25bdaa9b0a339099e10cf9c26e8abdcd67a9e583
      SHA256    145f4e4d11e76a2612db5ffbfae8f9ab8e4385ff7660802ffd2f473c9dcb2a0d
      SHA512    ca24eee29e9ae1c919b98d1f5e41b96566c86b1e40e30f3f6c7fb5c7e4049f92fb64afa4c87e8e815d3926b9cac17d0347f1f9b69d06e01303ffcb1815efecc1

    • C:\Program Files\UtilizeDynamicWorker\ZcOUMgAKFaEfsJXTUJeF
      Filesize  4.3MB
      MD5       b9b51255b7e495877496c1e6758e3871
      SHA1      0c042a1ef84828b4e0f2d4e6046197c3a5eb8a7b
      SHA256    7659a1bd1d45ee4dd54592de56ba0b669344cc205aa0894c4e98e2fb8003f268
      SHA512    7c7a5399fdac2d7ed176b438f9475a3da715fb16e09a0b71f208f34a5620baf84287e8d16a91fdcd84284b7babc94f65a134fa92ec19ce698f97153b64ea7b29

    • C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe
      Filesize  3.0MB
      MD5       57761e35f3375adb749fb9e14f423a21
      SHA1      5deb274e82085ad21911ce9abb91d466e556fb4a
      SHA256    08526d64f255bb798037b7f475bc8cad40a860e4fe68eeb52f9b9f0eb0ef0231
      SHA512    e1f6fa277e7f34b961b51065ae10c190d5a453b9188f5ee5ced62706136fbbd6727db48efdbea3599fb82f4c6485313674fa458e5b7f9bde6cb7f0664de81c1e

    • C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe
      Filesize  832KB
      MD5       d305d506c0095df8af223ac7d91ca327
      SHA1      679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
      SHA256    923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
      SHA512    94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

    • C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.wrapper.log
      Filesize  431B
      MD5       2fa4e1ae760044fa9fe11ba275466774
      SHA1      837508b1cfcf10f7320448656aba7db3bd3b82f3
      SHA256    2c3cfd35e3079ee7493b55ac36ea8aac4664b85fca8ba16668b02b888d90a2f6
      SHA512    337cc3fcf96fe631c186e518fd0d14df81b6e11af45855e89b2367272b1c13a6a32415c5e1253f7f9d07e69cab63de4561349e7d86114c00929842ca589b36f5

    • C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.wrapper.log
      Filesize  600B
      MD5       1a843a6a94c17e336e15984a11d271ef
      SHA1      cd3a4a6af08303d2a265da26ca858c0ac91af989
      SHA256    1d21d7811c1cda4921fbb8377dea94d4344cfbafec829ec857b6e05c8c5ee60c
      SHA512    d6304081f54bfc4bcd685adf3c6828814fcba6b1af16f79d19baf1b6ab5c987a571e138112d94d9036ee4e11598d7e2a3ae80dbd52a365990f8d81a57ba0c94b

    • C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.xml
      Filesize  435B
      MD5       37d76145bf06010c75bc5568ae02d55e
      SHA1      5b43938e78fd65453c38180a7fa1b5cd8f8eed0a
      SHA256    ead679c38ba5857183e7126d5d06a57c9bae54d8c2fae2d4677dd657dc2ca556
      SHA512    48a87351f3bab74b734d2c1a9208fbfe72af4879b6d508ce03421a4d63d345c58c3ddc60c15ef820ddefb46041a7a9b44b9d2f1d96cbc34cc1233c3c4989bdaa

    • C:\Program Files\chrome_installer.log
      Filesize  21KB
      MD5       6fdfc4054e8551f4d9555d694b5b94a4
      SHA1      05bae05af66304b2ff8823ded7572ea55b53b69e
      SHA256    884af0706b9f4376ee9c2c73f50da49cd3b2394f852532b1cda31916ad906df3
      SHA512    2f213ffa74891e8d12d93eeff7f0b00e04489e738e776ed3ee8f034013ab568be35b49a979d9b5fd2b5caf34033b6b6d868ff677679440c6fc147d93b7c8b4ff

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
      Filesize  2KB
      MD5       1abaf298b2dd64e513f1f7ee2165801a
      SHA1      4327779918643da468490a4551c64e15fd346e0a
      SHA256    976ab4428a31e02de24ab153a22e1a6b1e4dd27669fbafc681b3f5a29ebd9a8e
      SHA512    faa7a19210dbc2d62f0879dfd5d1524358f3e822d135cfa1837e69c4ac9b9bc783e9c3f969f9d52993674b085b621481c83d0f62c278df345fc6a54f342996e7

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1956e71e-5ff8-45bb-9601-1fb07378d406.tmp
      Filesize  115KB
      MD5       98069f4ca581f700ff53b0135e535cab
      SHA1      c456fcd9e337c4a2752a935d0163fc413b98f816
      SHA256    64e61dc49c2f2c6f8d43b24278d1aff38ad3fac100561e70d12273b577d2d191
      SHA512    a3f463599a87363f75ce56c31b847f685393658030e3dfa43334889866eedf50aff36369e0cdbd30c05f65ba8186d64ceb97d273d22f3cd08c20d094874ab0eb

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
      Filesize  649B
      MD5       167ba12a0bab145df8c04e8b6fa9cae4
      SHA1      dbca326b3ac17ea1e0e1962bb4393316a39fcaee
      SHA256    c6dee31cc86ae7c7b943e962f2351965f871a9f6782da7a0ee7aecbef987d58b
      SHA512    a54057bb941d0b0e47e52f99d19d3253e8d4ae75adc909d6240bc896ba4ac1824adc3dad0ce14cba55331a82327b6efd432c11ce47873f6bb1f6f9d0b3b3e3a3

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
      Filesize  192KB
      MD5       505a174e740b3c0e7065c45a78b5cf42
      SHA1      38911944f14a8b5717245c8e6bd1d48e58c7df12
      SHA256    024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d
      SHA512    7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
      Filesize  2KB
      MD5       1e18105f900d9375f7546023129035b7
      SHA1      13c50f0ec2d1f20a6d465fcaaa8849df0738ca69
      SHA256    42d555269481f771888a4f04ef3ca3315dc7b12d87257cb013ae20b4c134633c
      SHA512    c47568417aa178024c068b085ed6b909d0dd49460edc111ecb62620071562cbac988c017167178e5f7c17fa6b4cd06073f7bcd5c251c7dc6b6f70123c3a94d3b

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
      Filesize  2B
      MD5       d751713988987e9331980363e24189ce
      SHA1      97d170e1550eee4afc0af065b78cda302a97674c
      SHA256    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
      SHA512    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
      Filesize  356B
      MD5       5aaea6a5b80ec26d7f9a1fef6aad1534
      SHA1      99d8e9e4387be4b187174efa95a6b98d3abde41e
      SHA256    f82c0c1e20f6f4882b0c42723e275e019111b5bd64759d4992ded3998b09d107
      SHA512    1bf1695b9ddcc59fe99e78a41107a60ae93f812403dc62bdd4e2398e157be33dce19d6537dc7de066723150e2b6107b0d5e9cce9be1a937cf8da321dd9877d6e

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
      Filesize  10KB
      MD5       3f9864f9bc85676ba7967e5e28570af9
      SHA1      5b35f2e7802e62906bd4b80f2fbcaad69a439523
      SHA256    eb44cd952df68339360f3295432ebb84b7d90f6c003cf3824ad00163517bf831
      SHA512    1bf6f30a82bb2dc9d9ff7627d2232be64454130afea1015f6248881c9933e5208caeba1e87cdcb2bb653b34f5ed999272b220b7c7b1774b4a821b2188b27f01f

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
      Filesize  15KB
      MD5       0423dcd1cd95f4ad76dd7151e2240eae
      SHA1      2cb3ecde82d241b373908f5c2e4e91202c79b4e9
      SHA256    cc02458f00238775c901d37f119ce206ed16133cd237df67367b88fa2039c106
      SHA512    8bbd88dbcbc8724234629649042f2d39ec3101ba23d4833c4187b4270a0917c42a886ce1b07c4d82070cf91460212b62bc8c4d6ae7149fab94a2adde3c766c6e

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb
      Filesize  38B
      MD5       3433ccf3e03fc35b634cd0627833b0ad
      SHA1      789a43382e88905d6eb739ada3a8ba8c479ede02
      SHA256    f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d
      SHA512    21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
      Filesize  202KB
      MD5       e3b068fc9d797050c0ea0ce5a6e74597
      SHA1      55a9c48bb297c6cc57b3b4efc7fecb7b156f1243
      SHA256    9c4223f655ec4ec69a5813ae006d9dd83e7592db4a832cd19045abd956a313b4
      SHA512    8ff41d1dec29b55bc645b8b4efb1b164475fe57d33d47edb1abb5038aac910da1120ffb84ba5a6e3657da2a63e1cb515c39a85d295aec0c3419ed116b338d78b

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
      Filesize  202KB
      MD5       65219db689866292e00be33954d89d14
      SHA1      173f5e2aab4832dd89c3140eeb2b255ea2d49be4
      SHA256    19dc2f17304c6e0133f1a078b29e6c23ab0cddd5ebb99952f441e6c20f666f78
      SHA512    4c1d2d65fe0c9f03fcd065e59bb4913319ef01975363e6bb786991947e56039dfeb4b4346a0c0024ac3da7e98e3da72d7bd44b26663e442410c3516302bd618b

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
      Filesize  116KB
      MD5       ccf0ba9e51297fc29efc073b31b02300
      SHA1      8384f5debedf90e3b74c013c92473d7d02ee8fe1
      SHA256    baf1c97bd6a2a830da926c901e1999e24c4e76a2e32c3d9cedc14e9086db9320
      SHA512    5469e308439aaee183a038cb0a91effb3f3b45f40eceb2de50c2f56f9e0f72e4f2308508ea770e93980ae4448360193dce9ff82bcb043136d9dc0e2766d9bff2

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33nw5zew.smi.ps1
      Filesize  60B
      MD5       d17fe0a3f47be24a6453e9ef58c94641
      SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
      SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
      SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Windows\Installer\e57c1ba.msi
      Filesize  43.5MB
      MD5       113a2eab7ccf51501146194bbaadb175
      SHA1      de00c7a8ff5b49adec8bc44eba7f6332446f0e8f
      SHA256    4cab134dbaf1059613f44da615292af5713a0aa3a0185abda0cf1ebf8a7dc9a4
      SHA512    ce681034d9c3cad7367fa2a541401036651ce79385524b10f8ea0287c6c6e1bd307c82d339056d6f2e2fd48cbdd05e80650c1b5acb62b55772b4157d3ef9c13e

    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\vKtMPwVbdMUU.exe.log
      Filesize  1KB
      MD5       122cf3c4f3452a55a92edee78316e071
      SHA1      f2caa36d483076c92d17224cf92e260516b3cbbf
      SHA256    42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
      SHA512    c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize  24.1MB
      MD5       4479dd2ce05c605681e050b03ff2c747
      SHA1      b6a941a43f2672bcd8f8498b735069981465b177
      SHA256    561bfc417ad3842ee466120ac412f6be8b186fb9502b95331be131522415b94f
      SHA512    9cdf689c750a81a2acdc340e279aba8e53b64afb18c3ba3dcabff9654a680caa37126722b4ecb34a77fef370ec274e8d90140b9c4fb43719edd5407ca0d9c309

    • \??\Volume{625ed6c4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1007a37d-3f7d-41f8-bd01-a1e0379e5adf}_OnDiskSnapshotProp
      Filesize  6KB
      MD5       20cca4ce4d0ddcc855c83a48514179b1
      SHA1      cf31ebdacdc0d4c5f1f393f621a0771d61b0731e
      SHA256    5b8722df4991a89f66e5217f768cd0365884662eb7135c012256deeb59de8af8
      SHA512    2c0eae15efb000102b5dc9d067df7cee5e55a077d7997b8c640e43288e8f6d3fe57fb0c011ed17cee4e2f0862ce321a7a5cc77104caa5b416f985acbea45c3f1

    • memory/1948-65-0x0000000000330000-0x0000000000406000-memory.dmp
      Filesize  856KB

    • memory/2612-14-0x0000021DE6D30000-0x0000021DE6D52000-memory.dmp
      Filesize  136KB

    • memory/2900-132-0x0000000029F50000-0x0000000029F96000-memory.dmp
      Filesize  280KB

    • memory/2900-147-0x000000002BB50000-0x000000002BD0C000-memory.dmp
      Filesize  1.7MB

    • memory/2900-146-0x000000002BB50000-0x000000002BD0C000-memory.dmp
      Filesize  1.7MB

    • memory/2900-143-0x000000002BB50000-0x000000002BD0C000-memory.dmp
      Filesize  1.7MB

    • memory/2900-156-0x000000002BB50000-0x000000002BD0C000-memory.dmp
      Filesize  1.7MB
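A host-side check built from the dropped-file list above, added here as an example; it is not part of the sandbox report and not the sample's code. Only the entries that actually identify this sample are used: the installer MSI (msiexec caches every package it runs under C:\Windows\Installer with a random name, e57c1ba.msi in this run) and the files staged under C:\Program Files\UtilizeDynamicWorker\. The Chrome binaries, updater logs, shortcut and the Default profile are the bundled, legitimate Chrome installer doing its job and their hashes change with every Chrome release, so they are deliberately left out. The vKtMPwVbdMUU.exe / .xml / .wrapper.log triplet, together with the CLR usage log written under the SYSTEM profile, is consistent with a .NET binary run as a service under LocalSystem, so the script lists such triplets separately and, going one step beyond what the list shows directly, also queries Win32_Service for any service whose binary lives in the staging folder. The search roots, the hash table and the triplet heuristic are constructed for this example from the report.

```powershell
# Added example (not from the sandbox report): hunt a live Windows host for the
# dropped files listed above. Run from an elevated PowerShell 5.1+ session;
# C:\Windows\Installer is not enumerable by standard users.

# SHA256 of the artifacts that identify this sample, copied from the list above.
# Chrome's own files (chrome.exe, chrome_elf.dll, updater.log, the Default profile)
# are left out on purpose: the sample drops a real Chrome installer as a decoy and
# those hashes change with every Chrome release.
$KnownBadSha256 = @{
    '4cab134dbaf1059613f44da615292af5713a0aa3a0185abda0cf1ebf8a7dc9a4' = 'Chrmroe-intraller.msi (cached in this run as C:\Windows\Installer\e57c1ba.msi)'
    '94b57aa9cb18f206c72031d9ac8ae1fd3dc00d9248f66cf2dc75593a156534e0' = 'UtilizeDynamicWorker\ChromeSetup.exe'
    '1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d' = 'UtilizeDynamicWorker\JkRyrlfVyEOH.exe'
    '145f4e4d11e76a2612db5ffbfae8f9ab8e4385ff7660802ffd2f473c9dcb2a0d' = 'UtilizeDynamicWorker\UE4PrereqSetup_x64.exe'
    '7659a1bd1d45ee4dd54592de56ba0b669344cc205aa0894c4e98e2fb8003f268' = 'UtilizeDynamicWorker\ZcOUMgAKFaEfsJXTUJeF'
    '08526d64f255bb798037b7f475bc8cad40a860e4fe68eeb52f9b9f0eb0ef0231' = 'UtilizeDynamicWorker\qMdeNKsXYpNq.exe'
    '923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66' = 'UtilizeDynamicWorker\vKtMPwVbdMUU.exe'
}

# Where to look. The staging folder is the one this sample creates; the Installer
# cache holds a copy of every MSI that msiexec has run, under a random name, so a
# hash match there shows the package was executed and not merely downloaded.
$StagingDir  = 'C:\Program Files\UtilizeDynamicWorker'
$SearchRoots = @(
    @{ Path = $StagingDir;            Filter = '*'     },
    @{ Path = 'C:\Windows\Installer'; Filter = '*.msi' }
)

# Exact-hash matches against the table above.
$hits = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root.Path)) { continue }
    Get-ChildItem -LiteralPath $root.Path -Filter $root.Filter -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -and $KnownBadSha256.ContainsKey($hash.ToLower())) {
                [pscustomobject]@{
                    Path       = $_.FullName
                    SizeBytes  = $_.Length
                    SHA256     = $hash.ToLower()
                    ReportedAs = $KnownBadSha256[$hash.ToLower()]
                }
            }
        }
}

# The staging folder existing at all is a finding, even if the binaries inside were
# rebuilt and no longer match the hashes above.
$stagingPresent = Test-Path -LiteralPath $StagingDir

# <name>.exe next to <name>.xml and <name>.wrapper.log is the usual on-disk layout of
# a service-wrapper install (the report shows it for vKtMPwVbdMUU). Heuristic chosen
# for this example: list any such triplet so the registered service can be inspected
# with "sc.exe qc <name>" before the files are removed.
$wrapperTriplets = @()
if ($stagingPresent) {
    $wrapperTriplets = Get-ChildItem -LiteralPath $StagingDir -Filter '*.wrapper.log' -File |
        ForEach-Object {
            $base = $_.Name -replace '\.wrapper\.log$', ''
            $exe  = Join-Path $_.DirectoryName "$base.exe"
            $xml  = Join-Path $_.DirectoryName "$base.xml"
            if ((Test-Path -LiteralPath $exe) -and (Test-Path -LiteralPath $xml)) { $exe }
        }
}

# Any installed service whose binary path points into the staging folder, whatever
# name it registered under.
$stagingServices = Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -and $_.PathName -like "*$StagingDir*" } |
    Select-Object Name, State, StartMode, PathName

if ($hits)            { $hits | Format-Table -AutoSize } else { 'No exact hash matches.' }
if ($stagingPresent)  { "Staging folder present: $StagingDir" }
if ($wrapperTriplets) { "Service-wrapper style executables: $($wrapperTriplets -join ', ')" }
if ($stagingServices) { $stagingServices | Format-Table -AutoSize }
```

Treat a hash match on the cached MSI as proof of execution, not just of download, and treat the staging folder or a service pointing into it as a finding on its own: the random file names (JkRyrlfVyEOH.exe, qMdeNKsXYpNq.exe and so on) will differ between builds, so hash matching alone underreports on hosts that received a later build of the same installer.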