452faf66b12f218f3831a0a305fb7a6a06cf7cd77d6040dc4dc732b31885ef06

Analysis

max time kernel
109s
max time network
142s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-11-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installers/GoogleChromeStandaloneEnterprise64.msi
Size

120.1MB
MD5

858f07346daf8a13c1ebbcb05abaa377
SHA1

7d58ff7f9c562cdba757cb1bf30e929729641d0b
SHA256

2e77e789f014bd8bcd66f9af87da0c621debbb2ce2c904dcd80eddd342b90532
SHA512

e5745045f30b551813f62c21efc55fa180f158f0ebbe9279c7f300da187b90f9831c8d89b3280312faaf128b56313f52e2cb38c7b924824298b89e7ea2fba62c
SSDEEP

3145728:fHiQinoedlGzUENKzBw7IJYB1pIo49wZo1LezXeSke:fHiQinoHzr0zBw7HIo4OW1Leae

Score

6^/10

discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	1396	msiexec.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\130.0.6723.117\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	updater.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\ml.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\VisualElements\LogoDev.png	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\0b8e9411-5afb-47a9-adb8-69e286b7f21d.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\fil.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\chrome.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\elevation_service.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\dxil.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\da.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\es-419.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\fr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\sr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\WidevineCdm\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\chrome.7z	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\cs.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\ru.pak	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\6f6b35eb-00ef-4d40-bb57-3c47aa19bfe3.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\hi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\WidevineCdm\manifest.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\5ee6bab7-387b-4a9e-aa60-ab237ba7458c.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\default_apps\external_extensions.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\es.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\nl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\v8_context_snapshot.bin	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\da43267f-4ab4-41ab-8c6a-291db51b76e0.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\notification_helper.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\os_update_handler.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\hu.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\uk.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\libEGL.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Application\130.0.6723.117\Installer\setup.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\tr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\ca.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\et.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\chrome_wer.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\eventlog_provider.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\am.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\he.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\ko.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\mr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\VisualElements\LogoCanary.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\Locales\ur.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source1848_918584681\Chrome-bin\130.0.6723.117\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe

Drops file in Windows directory 38 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57f211.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF9B3.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\OfflineManifest.gup	MSIFFDE.tmp
File created	C:\Windows\SystemTemp\scoped_dir1376_1809210702\43196555-24be-4d74-8a70-5cf263f852a7.tmp	updater.exe
File created	C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\CHROME.PACKED.7Z	130.0.6723.117_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\Installer\MSIF992.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\Google2696_1213156704\updater.7z	MSIFFDE.tmp
File created	C:\Windows\SystemTemp\Google2696_1213156704\bin\updater.exe	MSIFFDE.tmp
File created	C:\Windows\Installer\e57f213.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EE6F7855-810E-3D2E-925B-9F8B36410A53}	msiexec.exe
File created	C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8A69D345-D564-463c-AFF1-A69D9E530F96}\130.0.6723.117_chrome_installer.exe	MSIFFDE.tmp
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	MSIFFDE.tmp
File opened for modification	C:\Windows\SystemTemp	updater.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\setup.exe	130.0.6723.117_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\Installer\{EE6F7855-810E-3D2E-925B-9F8B36410A53}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFDE.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\Google2696_1213156704\bin\uninstall.cmd	MSIFFDE.tmp
File opened for modification	C:\Windows\SystemTemp	updater.exe
File opened for modification	C:\Windows\SystemTemp\chrome_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\Installer\e57f211.msi	msiexec.exe
File created	C:\Windows\SystemTemp\Google2696_1777564156\UPDATER.PACKED.7Z	MSIFFDE.tmp
File created	C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\SETUP.EX_	130.0.6723.117_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp\chrome_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\chrome_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\setup.exe	130.0.6723.117_chrome_installer.exe
File created	C:\Windows\Installer\{EE6F7855-810E-3D2E-925B-9F8B36410A53}\icon.ico	msiexec.exe

Executes dropped EXE 14 IoCs

pid	Process
2696	MSIFFDE.tmp
4632	updater.exe
2024	updater.exe
572	updater.exe
924	updater.exe
1376	updater.exe
2444	updater.exe
3472	130.0.6723.117_chrome_installer.exe
1848	setup.exe
2120	setup.exe
2308	setup.exe
1156	setup.exe
3928	setup.exe
1868	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1528	MsiExec.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1396	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIFFDE.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000719b916909da5b040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000719b91690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900719b9169000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d719b9169000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000719b916900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	updater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	updater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	updater.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5BB0C40-8078-5D97-80DD-2C8F4510263D}\TypeLib\ = "{D5BB0C40-8078-5D97-80DD-2C8F4510263D}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromePDF\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F966A529-43C6-4710-8FF4-0B456324C8F4}	updater.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5587F6EEE018E2D329B5F9B86314A035\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC1132BC-C84F-5D90-9BB6-3D44C6394B28}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\ChromeHTML	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ = "IProcessLauncher2"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\CurVer	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\ = "GoogleUpdater TypeLib for IProcessLauncher"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ = "ICurrentStateSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\ = "IAppVersionWebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromePDF\DefaultIcon\ = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,11"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromePDF\ = "Chrome PDF Document"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\4"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\ = "GoogleUpdater TypeLib for IAppCommandWeb"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML\shell\open\command\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\131.0.6776.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F4334319-8210-469B-8262-DD03623FEB5B}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib\ = "{F63F6F8B-ACD5-413C-A44B-0409136D26CB}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{FC1132BC-C84F-5D90-9BB6-3D44C6394B28}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\TypeLib\ = "{699F07AD-304C-5F71-A2DA-ABD765965B54}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0\ = "GoogleUpdater TypeLib for IGoogleUpdate3WebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{8018F647-BF07-55BB-82BE-A2D7049F7CE4}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\LocalServer32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\ = "GoogleUpdater TypeLib for IUpdaterObserverSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5BB0C40-8078-5D97-80DD-2C8F4510263D}\ = "IUpdaterInternalCallbackSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ = "Interface {463ABECF-410D-407F-8AF5-0DF35A005CC8}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}	updater.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3540	msiexec.exe
3540	msiexec.exe
4632	updater.exe
4632	updater.exe
4632	updater.exe
4632	updater.exe
4632	updater.exe
4632	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
1376	updater.exe
1376	updater.exe
1376	updater.exe
1376	updater.exe
1376	updater.exe
1376	updater.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1396	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1396	msiexec.exe
Token: SeSecurityPrivilege	3540	msiexec.exe
Token: SeCreateTokenPrivilege	1396	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1396	msiexec.exe
Token: SeLockMemoryPrivilege	1396	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1396	msiexec.exe
Token: SeMachineAccountPrivilege	1396	msiexec.exe
Token: SeTcbPrivilege	1396	msiexec.exe
Token: SeSecurityPrivilege	1396	msiexec.exe
Token: SeTakeOwnershipPrivilege	1396	msiexec.exe
Token: SeLoadDriverPrivilege	1396	msiexec.exe
Token: SeSystemProfilePrivilege	1396	msiexec.exe
Token: SeSystemtimePrivilege	1396	msiexec.exe
Token: SeProfSingleProcessPrivilege	1396	msiexec.exe
Token: SeIncBasePriorityPrivilege	1396	msiexec.exe
Token: SeCreatePagefilePrivilege	1396	msiexec.exe
Token: SeCreatePermanentPrivilege	1396	msiexec.exe
Token: SeBackupPrivilege	1396	msiexec.exe
Token: SeRestorePrivilege	1396	msiexec.exe
Token: SeShutdownPrivilege	1396	msiexec.exe
Token: SeDebugPrivilege	1396	msiexec.exe
Token: SeAuditPrivilege	1396	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1396	msiexec.exe
Token: SeChangeNotifyPrivilege	1396	msiexec.exe
Token: SeRemoteShutdownPrivilege	1396	msiexec.exe
Token: SeUndockPrivilege	1396	msiexec.exe
Token: SeSyncAgentPrivilege	1396	msiexec.exe
Token: SeEnableDelegationPrivilege	1396	msiexec.exe
Token: SeManageVolumePrivilege	1396	msiexec.exe
Token: SeImpersonatePrivilege	1396	msiexec.exe
Token: SeCreateGlobalPrivilege	1396	msiexec.exe
Token: SeBackupPrivilege	1968	vssvc.exe
Token: SeRestorePrivilege	1968	vssvc.exe
Token: SeAuditPrivilege	1968	vssvc.exe
Token: SeBackupPrivilege	3540	msiexec.exe
Token: SeRestorePrivilege	3540	msiexec.exe
Token: SeRestorePrivilege	3540	msiexec.exe
Token: SeTakeOwnershipPrivilege	3540	msiexec.exe
Token: SeBackupPrivilege	2196	srtasks.exe
Token: SeRestorePrivilege	2196	srtasks.exe
Token: SeSecurityPrivilege	2196	srtasks.exe
Token: SeTakeOwnershipPrivilege	2196	srtasks.exe
Token: SeBackupPrivilege	2196	srtasks.exe
Token: SeRestorePrivilege	2196	srtasks.exe
Token: SeSecurityPrivilege	2196	srtasks.exe
Token: SeTakeOwnershipPrivilege	2196	srtasks.exe
Token: SeRestorePrivilege	3540	msiexec.exe
Token: SeTakeOwnershipPrivilege	3540	msiexec.exe
Token: SeRestorePrivilege	3540	msiexec.exe
Token: SeTakeOwnershipPrivilege	3540	msiexec.exe
Token: SeRestorePrivilege	3540	msiexec.exe
Token: SeTakeOwnershipPrivilege	3540	msiexec.exe
Token: 33	2696	MSIFFDE.tmp
Token: SeIncBasePriorityPrivilege	2696	MSIFFDE.tmp
Token: 33	3472	130.0.6723.117_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	3472	130.0.6723.117_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	3928	setup.exe
Token: SeRestorePrivilege	3540	msiexec.exe
Token: SeTakeOwnershipPrivilege	3540	msiexec.exe
Token: SeRestorePrivilege	3540	msiexec.exe
Token: SeTakeOwnershipPrivilege	3540	msiexec.exe
Token: SeRestorePrivilege	3540	msiexec.exe
Token: SeTakeOwnershipPrivilege	3540	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1396	msiexec.exe
1396	msiexec.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 2196	3540	msiexec.exe	93
PID 3540 wrote to memory of 2196	3540	msiexec.exe	93
PID 3540 wrote to memory of 1528	3540	msiexec.exe	95
PID 3540 wrote to memory of 1528	3540	msiexec.exe	95
PID 3540 wrote to memory of 1528	3540	msiexec.exe	95
PID 3540 wrote to memory of 2696	3540	msiexec.exe	96
PID 3540 wrote to memory of 2696	3540	msiexec.exe	96
PID 3540 wrote to memory of 2696	3540	msiexec.exe	96
PID 2696 wrote to memory of 4632	2696	MSIFFDE.tmp	97
PID 2696 wrote to memory of 4632	2696	MSIFFDE.tmp	97
PID 2696 wrote to memory of 4632	2696	MSIFFDE.tmp	97
PID 4632 wrote to memory of 2024	4632	updater.exe	98
PID 4632 wrote to memory of 2024	4632	updater.exe	98
PID 4632 wrote to memory of 2024	4632	updater.exe	98
PID 572 wrote to memory of 924	572	updater.exe	100
PID 572 wrote to memory of 924	572	updater.exe	100
PID 572 wrote to memory of 924	572	updater.exe	100
PID 1376 wrote to memory of 2444	1376	updater.exe	102
PID 1376 wrote to memory of 2444	1376	updater.exe	102
PID 1376 wrote to memory of 2444	1376	updater.exe	102
PID 1376 wrote to memory of 3472	1376	updater.exe	103
PID 1376 wrote to memory of 3472	1376	updater.exe	103
PID 3472 wrote to memory of 1848	3472	130.0.6723.117_chrome_installer.exe	104
PID 3472 wrote to memory of 1848	3472	130.0.6723.117_chrome_installer.exe	104
PID 1848 wrote to memory of 2120	1848	setup.exe	105
PID 1848 wrote to memory of 2120	1848	setup.exe	105
PID 1848 wrote to memory of 2308	1848	setup.exe	107
PID 1848 wrote to memory of 2308	1848	setup.exe	107
PID 2308 wrote to memory of 1156	2308	setup.exe	108
PID 2308 wrote to memory of 1156	2308	setup.exe	108
PID 1848 wrote to memory of 3928	1848	setup.exe	109
PID 1848 wrote to memory of 3928	1848	setup.exe	109
PID 3928 wrote to memory of 1868	3928	setup.exe	110
PID 3928 wrote to memory of 1868	3928	setup.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Installers\GoogleChromeStandaloneEnterprise64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1396

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FDCA0DE112CBC37EAE0EFDAF9FAB21FC
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1528
- C:\Windows\Installer\MSIFFDE.tmp
  "C:\Windows\Installer\MSIFFDE.tmp" /silent /install "appguid={8A69D345-D564-463c-AFF1-A69D9E530F96}&appname=Google Chrome&needsAdmin=True"&brand=GCEA&ap=x64-stable"&iid={F1F8EC71-9270-0941-3F1F-DEFB5C7B73F7}&brand=GCEB&browser=5&usagestats=0&ap=x64-stable-statsdef_0" /installsource enterprisemsi /appargs "appguid={8A69D345-D564-463c-AFF1-A69D9E530F96}&installerdata=%7B%22distribution%22%3A%7B%22msi%22%3Atrue%2C%22system_level%22%3Atrue%2C%22verbose_logging%22%3Atrue%2C%22msi_product_id%22%3A%22EE6F7855-810E-3D2E-925B-9F8B36410A53%22%2C%22allow_downgrade%22%3Afalse%7D%7D"
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SystemTemp\Google2696_1213156704\bin\updater.exe
    "C:\Windows\SystemTemp\Google2696_1213156704\bin\updater.exe" --silent --install="appguid={8A69D345-D564-463c-AFF1-A69D9E530F96}&appname=Google Chrome&needsAdmin=True&brand=GCEA&ap=x64-stable&iid={F1F8EC71-9270-0941-3F1F-DEFB5C7B73F7}&brand=GCEB&browser=5&usagestats=0&ap=x64-stable-statsdef_0" --installsource=enterprisemsi --appargs=appguid={8A69D345-D564-463c-AFF1-A69D9E530F96}&installerdata=%7B%22distribution%22%3A%7B%22msi%22%3Atrue%2C%22system_level%22%3Atrue%2C%22verbose_logging%22%3Atrue%2C%22msi_product_id%22%3A%22EE6F7855-810E-3D2E-925B-9F8B36410A53%22%2C%22allow_downgrade%22%3Afalse%7D%7D --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/enterprise_companion/*=2,*/chrome/updater/*=2 --offlinedir={3910b19a-6610-4ea9-8d8a-2e1630a65594}
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\SystemTemp\Google2696_1213156704\bin\updater.exe
      C:\Windows\SystemTemp\Google2696_1213156704\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0xdd6290,0xdd629c,0xdd62a8
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:572
- C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x876290,0x87629c,0x8762a8
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:924

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --system --windows-service --service=update
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x876290,0x87629c,0x8762a8
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2444
- C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\130.0.6723.117_chrome_installer.exe
  "C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\130.0.6723.117_chrome_installer.exe" --do-not-launch-chrome --installerdata="C:\Windows\SystemTemp\scoped_dir1376_1809210702\43196555-24be-4d74-8a70-5cf263f852a7.tmp"
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\setup.exe
    "C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\setup.exe" --install-archive="C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\CHROME.PACKED.7Z" --do-not-launch-chrome --installerdata="C:\Windows\SystemTemp\scoped_dir1376_1809210702\43196555-24be-4d74-8a70-5cf263f852a7.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\setup.exe
      C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x7ff69110ec28,0x7ff69110ec34,0x7ff69110ec40
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      PID:2120
  - - C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\setup.exe
      "C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\setup.exe" --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\setup.exe
        
        C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8a69d345-d564-463c-aff1-a69d9e530f96}\CR_635CE.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x7ff69110ec28,0x7ff69110ec34,0x7ff69110ec40
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        
        PID:1156
  - - C:\Program Files\Google\Chrome\Application\130.0.6723.117\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\130.0.6723.117\Installer\setup.exe" --set-display-version-product=EE6F7855-810E-3D2E-925B-9F8B36410A53 --set-display-version-value=130.0.6723.117 --startup-event-handle=776 --system-level --verbose-logging
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3928
    - - C:\Program Files\Google\Chrome\Application\130.0.6723.117\Installer\setup.exe
        
        "C:\Program Files\Google\Chrome\Application\130.0.6723.117\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x7ff6fa00ec28,0x7ff6fa00ec34,0x7ff6fa00ec40
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        
        PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f212.rbs

Filesize
115KB

MD5
8ab61bb0b34b95a4a3c64f2e962682c6

SHA1
483117b5e5642636e080dceedb1d8236af70acae

SHA256
141fc7d59681940ea914f3d5b0eb05ecc2e6e615bc316f89211ad2073c7df871

SHA512
9039cd4f67144542074d52bffeaadbff248956ae82a00aed4624c4f4b639a6e30c1964f97c9e775bb4b1fc7a469cb4554584052cba4a4c0f08b95e23d1fc932e

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad\settings.dat

Filesize
40B

MD5
3651a9f9a48f0f3f6457fa75185885ff

SHA1
f36a0fc228dbd77fffcce0a5e5de46b4c9101c20

SHA256
ab6f5ea52e555f50f02f51b5fc81c7b9e5cbdbf4791abc06ff0eed662be6d6fe

SHA512
c3e9baa176b37c75228ca558006b83d47d93a6463c867578847070ae8d182c8bc85430f5cadab70a31db15215607684524cb183d3eee3073832a40f80677f647

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
354B

MD5
61e150bfd9fe9c9fe354b74b4c535215

SHA1
6702e4d555315b91f7df284caa7c819d87cb5466

SHA256
b403d8e714539402c473a85d2b51069bf3dac127ec139c97a0bbeeb1b6409f37

SHA512
3400d796aefa86784395b92300a4125c2faf6bb01bf87c3827e44340a92d44ed65637e844770a30cddc337c2f4bdce154f554e4bf4ab50f2b3ce2fc36909d969

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
388B

MD5
5e9ba53c51e490616bc4fb051b7310c5

SHA1
e1b2e52eb5a4f3bdbeb936f93785e448e0d638f7

SHA256
4a5cbf2f80c376cb9f59f1960bfb1bcb0e25cb9de7c769562e67e286dcce8778

SHA512
3e860eb1fd954d09b161b4c0fe2085d0b7045f29b01ca46c2bd5cd31dd92b3d543edd2f9960a07186b449a2d559903768e4167697aec9ec3f08522119144d29a

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
381B

MD5
62f4d185a543fe0e640470b287f1d6eb

SHA1
7ee9c244ec0e8ccd4c3ba006e2555ed9f269e545

SHA256
3a45f46b6de7ca4579cea661db3e0902e374f6a56bab9b088eeae6b5d560bc41

SHA512
5ee5acc8e30d61b891cf7d29f715454e80d5feded140c40e44eac8ef777edf33ef18b38e25533646f95d21115c350bdc4511824f5dcb0fe7d611949c53e11d18

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
49B

MD5
4a2784f1ca879e8fbbd97e39d0de3cc9

SHA1
a0eb8b63b4b19b134b46fea8e66f819105f004e8

SHA256
2bcd0a4051b1fa5b0444cee9fd9f7341fafe1eae36659511926ebefba648dee9

SHA512
95e64a2afbdba5943410f912eba5bc626cbe775c14dd8a3ac8fb6c8c0301762190c15844f2776f894088cf937450e383464592bee8e24308c6f90029d5a57f57

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
1KB

MD5
855ec074a81008b40bf894438c9e2dee

SHA1
0f35c2b600b5bd5fef911872b16c4b41cd809715

SHA256
c48dff74fc65a43ab2bbd6a689068b1112e82e72fbde4a474374c739f52b0560

SHA512
06b694d9c3995b18401b068b82330f931481dbcea7109847203275456a21113d7f996713159349bffe30ecbed0af503e40cceeea99da0792002b5ed6a318442d

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
2KB

MD5
5a8160f6ae038ac107084a32986ebc2b

SHA1
c2e161a11c5a72be6555c0a28e03bd69105855eb

SHA256
27eb17a1be23618f73f5bd13a8b2a079df5374991dfb13a353950376d21c385d

SHA512
d439717e5e85b0ba934271a2093c8497f7082d0d1ce51c2c2e53461957fba7c655835d71e8c1e0611f4ba62dd866383ac31276c13cd88ecafe64bd564422132e

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
4KB

MD5
6a23596ab4c5363f583f57dcf27c75d3

SHA1
664a739d46396e1713d89c1944d0ee339a62d6a5

SHA256
95a59251bb5dc4aa70e1a39658fc3a923a753c797d1568b344c9cdf08b5ea6a8

SHA512
25d23a61b47d96df128dbc97265397ac03144f7d1e8aede2d6b3bafbdd66dc2f16e02e589edeb8dcca303f0169b099023548c6621bc2c68244193ea46bff0f53

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
6KB

MD5
0fbbecb4a31150dcb5a1c213d123eb6d

SHA1
5be87ce06d73653db461200e7611b20e06254c60

SHA256
448cbbff1ebbb12e9d5c8fa50461637067fd0565ef5cddf2861571271dfd210c

SHA512
028929b4c7b7b2583daa930f7f7bb0273cd9a62e8fe598d7c2cf8d562f12e2283f6c2ba48b77b901a9f0999794570cacbf5850a4433d9a8f023049c496e166eb

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
10KB

MD5
a6e4066b85a58da6ebd6c0d470b0bdf3

SHA1
8dcb1c7bc204b43c68ada4d9b48eaf772bde09bf

SHA256
44b5bab1f064bbb7c27d72b917fa6bed5549e8b2aebbd7377e06c4a26888b522

SHA512
adda5d56453cc36f1b9e08d174180c240b2877ea8aabdb48ecb2ff8588c5323d0629428450f85b6d67decbc6bbd5a9e9f86f884112e4316d86ebd46bec65be41

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
11KB

MD5
60149624bb81f4730ba8c314b9dd1251

SHA1
a6b9d19baea374fc1a3ec28453272841102d8114

SHA256
ef71b01370e2dcff001e3fbdedae275701a5450d550d392c2c35e1c58cf11239

SHA512
787ec36326bcb3d60ca90f34b392de426de88d1dae66b0fbb61cb6b792994461ad1eecb259af886ae12155b8448089194111cc578f513db6f07e492bb07c080b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
de60388f3921fe0cd4272d7fc99a4bd9

SHA1
4726073b006c9b54cdcb378212dee2cdd4bd622b

SHA256
9e8579e6133a72d13a0704175fb50353bef2876e04e0b510d32791e47ac94c31

SHA512
84325efe7125e5c12adbfb5edd96147e3211c8128e02183effa7db9c52255f8ce1ff20eae5eb50e999cb4a8528ea3f8b4fb09e5fe85478559688c1b208691e0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_986C7EDF85F5859081F49AE7B6205CDD

Filesize
727B

MD5
a3e70208a9969c0943c7b8b9c557f77d

SHA1
5f2a09e6360900e41c8fe1d38037696ceb4daa92

SHA256
c4d6ddc1ac3feba727e3439da0b65cbc610108cc59535a61a7d2f1828e0f7716

SHA512
f02fcf64e04a79f8b42e1a29e305e503e7a135e85d9ad1cd48e4803f6691e9f9a8533f6b0f2fe63cb792f7d5d5cffe16158f66f4c70af99e3aea029cd1ed2c0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
19818ddcac7e6d84edda2d202a8bd6f5

SHA1
078a354358a3ab745489ec949e64e71b73f800a7

SHA256
376fd6fec42ba09d21b131410ebd956b6c768597d3bba28d120060ca8f8ca64c

SHA512
646010ea61958a0af74cf6bf53623fdc233291cdb309b7d92dfc1cce33444e57c693c3186b54ac7e082106fe02a48faefc02ff647a5eb09fc2b945f12d0df36b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
edbc583d63637fdd86f02edb68feaff8

SHA1
484e6c6b804f7545fb9b8afb64f62c0800eb46c8

SHA256
be9d21f51b2d155e4a142ea3d2677c3fa8926b650429bccdd18c4a1360670a86

SHA512
e1aa102edac3fe9326f2d5a754fcaf0fa96ea9a66cfe82a3eb1ec4dda48e62b1c23f72c337fb9aeca958955b12abfef297cf1b174ec6a0ec1a09d28acc1a2e8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_986C7EDF85F5859081F49AE7B6205CDD

Filesize
408B

MD5
bcb677dd26bfb54f5dcc10bbf5d33400

SHA1
02fc4ac64bc4687f07cacb314001f042ff07e302

SHA256
435bba0f4c2b61067f5acae01d535c3cbe9d79b9d4f85532e7f895db068b1029

SHA512
c20b4cb2211c421a18e08e17639c356ffd5f91f98ce893c909fbd0dbc0bb4b43af8f2039aa85c6206ca9d40d6feeb74ee493e2e1e5cc07bc9d5ae4d87ae69181

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
4b954d715439706188c3d147aff344d2

SHA1
e94fc6feee48004178f21daffb323d9b05115cb9

SHA256
207a1b025d760240db62e130059844dcb5026f2b4b145006744fd85ed58ff65e

SHA512
a933a6cb0d9c09c0c20c69e5fb9c95ec9f7853251e7446d007f1dfd0ca5fd53942920b7422350c80b84bd28b09a3dfb52c5c31653d467c33c06df724c0a01ea6

Download Submit
C:\Windows\Installer\MSIF9B3.tmp

Filesize
107KB

MD5
117fced3c631a0b996233df4d45e0a8c

SHA1
5bb87d25ec8c7f56cacfbbfbcf1e8423dd229379

SHA256
0753782325408a2f721097b2722b0aab39d4740baaa78b8fa7e6db47bd53f5c0

SHA512
40515cebdaa82f9481c7f765a54445c7273ccda178e9e90c4b5a38f82b3bee86e441b482537f1c54ae756f9bf06d72cb79f1c15fb6cdeec49adf063002c87bd8

Download Submit
C:\Windows\SystemTemp\Crashpad\settings.dat

Filesize
40B

MD5
06a54e1832b8d791f4bceca84e843e10

SHA1
760cea401091258b21544660499610511675224b

SHA256
c99578ea10d44c153c56365393b090f316335e3020ce34dd5e74b6aefa6ac44a

SHA512
165aadd8ebafe0ec9d33df6a2008791c50edfd0e7292c6849fd02e7b45dcc96fd605c8a5ccdcfe87cf09a8c3804eb9116d2fa2803cb583547a177e13b9b4a86c

Download Submit
C:\Windows\SystemTemp\Google2696_1213156704\bin\Offline\{3910b19a-6610-4ea9-8d8a-2e1630a65594}\{8A69D345-D564-463c-AFF1-A69D9E530F96}\CR_635CE.tmp\setup.exe

Filesize
5.7MB

MD5
975f2eaa38bb31796f08bdf7ada59b5d

SHA1
3d8bbb8cc560a5be2d73d394caf19a914140432d

SHA256
fdd374c979fdd584e6361d41a238c81436018d96d9f5be0cc1e05e7f997c1873

SHA512
a110ddf5b7df6d871c0bfe0f1821df8e127e3e5e6d1c6955f844cce4725afa06ca258c34b9488681588da0fe0594660f080525a101a2f05ef6b5c63811332051

Download Submit
C:\Windows\SystemTemp\Google2696_1213156704\bin\updater.exe

Filesize
5.3MB

MD5
5c0776fad5900ef6f00842dfb7e2dfcc

SHA1
826e08197214e1fce6b510c717bf8de9b4463cb7

SHA256
6bfbf98067c2ff3f76f928c53a7e214508647351e0a5344961ea60f901203e9c

SHA512
35e59e8eccf1c8f1a79be24dacabce52dcea748987bc7807b9e6ac6b55eae22fcdd9d3e05a89161876d3be413432e851eca5a874f2a5c1e49706f9bf95d9d721

Download Submit
C:\Windows\SystemTemp\chrome_installer.log

Filesize
37KB

MD5
d85cce8d049324d5b2a8b7aacc30eb29

SHA1
db938838aaed9ab6d2124d1c6e0fd4737da22c81

SHA256
c853d3bfe1f65dd29f70dbde658331b78fdb571e7c244bad85b8860b04145eb3

SHA512
e49a681a33a797623c500f54570d54a3ddc62811c3b886f32dab152f4eb7522775d98be0cd9c5d986c1f1a1be0f5ebe97220505f5d42ccbb945875939d813741

Download Submit
C:\Windows\SystemTemp\chrome_installer.log

Filesize
20KB

MD5
8f7a3bd8b4eb0c37ee13ba669cdfae49

SHA1
b34398daa1b90ad3d9f3551685067518758567c0

SHA256
e38be44a69c0feb6c8d2324caa2afbbb2947981cc383cc2873c8ef4a48901475

SHA512
d9427eeba789d2ada0bb86a0ebd309e539ee6cdd534fa90bcc5fc75097e3e314606a96129a93eace5aa06bc3f6979e413357d6b294a9129a8c5f1d7852570344

Download Submit
C:\Windows\SystemTemp\scoped_dir1376_1809210702\43196555-24be-4d74-8a70-5cf263f852a7.tmp

Filesize
155B

MD5
410b84eaff5840d6f09cc8e5a10073c6

SHA1
7abd9b01e1fe4c677067f4e9a3dd736f6830d222

SHA256
2e6d043f5e5e23aff160c60fc3db7bc3bc37ec06e8df6d4ae25e31260eb84914

SHA512
681eb35d099924c7edab65a7024c371d92ef6b182e252b8a5c11a7114b134039c2e1b12840cca44ebf7d2a40b10ff1fcecb42a3c02ec15600a82de77513237f6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.9MB

MD5
7fbbd00c83592d41c8711db47b4dd4b8

SHA1
266e1de4a62f8e6db44db6a8087f1b243bc1172d

SHA256
665b6a851ab419272295bd50d24042dccc80e661e419ecfe6d9c6f861079b71d

SHA512
857238ee111151d32d7d3d2152a6a72d0474d776ced45a089d357bd83c21fbdbc510719ef13691d8400025e0d92bb0d27e14837bee34656ba5215c3e41aac51c

Download Submit
\??\Volume{69919b71-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{adaba908-e10f-42c2-99cc-6e3065fd11a5}_OnDiskSnapshotProp

Filesize
6KB

MD5
cc8009cabffbd1d746c65305109f10c8

SHA1
cd8ef4235d7bada1f44e2d12efc4f1f7ef53df6c

SHA256
3091197215091e050f2783cb18dadba9c3e24b9b643527cb913f9db36525dc84

SHA512
b7dcfe113f95ee08b58929243281d751c1d197ec2a51cc54a4163eaa57d15e39bf0a57b7fab640fb0b43d9331ad1a3aaecb0e9f9e65240a3b932a1c5e721dfca

Download Submit