32b8ac4b491b0d1be1f27c4e2531c4117aa928551b2ade3c0152c27808fedb2f

Analysis

max time kernel
67s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20241007-ja
resource tags

arch:x64arch:x86image:win10v2004-20241007-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
21-11-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chrome.exe
Size

12.3MB
MD5

a77ebb32ac51d7605b33e3fdd8191f6e
SHA1

4e91fa8d20ee82aec600ea233a65461d6c5717ee
SHA256

32b8ac4b491b0d1be1f27c4e2531c4117aa928551b2ade3c0152c27808fedb2f
SHA512

5d6ffcf6490dbc71fa81bd79e7dbca3067630331aeb199208486d983e7d402b5ff3aac4ad57b46dcd965b006c721d0b2e7be18e0bb941fa1b4b6c47ecaef7762
SSDEEP

393216:jIFY+4quIREaCe0i5tNV8p9I5h+A9qZ2evV2rZBJi:MF5LuIxf9Vd5hNwZfvV24

Score

8^/10

discovery evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\131.0.6778.71\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 26 IoCs

Processes:

chrome.tmpAppverif.exeChromeSetup.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe131.0.6778.71_chrome_installer.exesetup.exesetup.exesetup.exesetup.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exe

pid	process
5104	chrome.tmp
2092	Appverif.exe
3076	ChromeSetup.exe
1408	updater.exe
400	updater.exe
1344	updater.exe
1128	updater.exe
4636	updater.exe
5012	updater.exe
1032	131.0.6778.71_chrome_installer.exe
2000	setup.exe
4788	setup.exe
4436	setup.exe
3868	setup.exe
4736	chrome.exe
1368	chrome.exe
32	chrome.exe
3660	chrome.exe
2968	chrome.exe
2248	chrome.exe
1500	chrome.exe
4276	elevation_service.exe
4712	chrome.exe
3752	chrome.exe
1596	chrome.exe
1876	chrome.exe

Loads dropped DLL 28 IoCs

Processes:

Appverif.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
2092	Appverif.exe
4736	chrome.exe
1368	chrome.exe
4736	chrome.exe
32	chrome.exe
32	chrome.exe
3660	chrome.exe
3660	chrome.exe
2968	chrome.exe
2968	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
2248	chrome.exe
32	chrome.exe
32	chrome.exe
32	chrome.exe
2248	chrome.exe
1500	chrome.exe
1500	chrome.exe
4712	chrome.exe
4712	chrome.exe
3752	chrome.exe
3752	chrome.exe
1596	chrome.exe
1596	chrome.exe
1876	chrome.exe
1876	chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

updater.exeupdater.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 1 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

updater.exesetup.exeChromeSetup.exeupdater.exesetup.exeupdater.exe131.0.6778.71_chrome_installer.exesetup.exeupdater.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\e0c8b86c-60ed-454c-bc2d-15bbfe0d5aff.tmp	updater.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\3949e978-3ec7-43f0-81f7-53491dfe2ccc.tmp	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\manifest.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\dxil.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\tr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\es-419.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\ko.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\nb.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\vulkan-1.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\bg.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\kn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\VisualElements\SmallLogoDev.png	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\bae23e39-ca76-42ac-97db-00d215ee2f08.tmp	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\CHROME.PACKED.7Z	131.0.6778.71_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\PrivacySandboxAttestationsPreloaded\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\setup.exe	131.0.6778.71_chrome_installer.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\6aa24e94-3331-4ed5-b43c-b337a48cfdef.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\394cca26-161c-4fe3-8b91-50c742d817a0.tmp	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\131.0.6778.71_chrome_installer.exe	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\_metadata\verified_contents.json	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\manifest.fingerprint	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\da.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\it.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\ur.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\zh-CN.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\resources.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\libEGL.dll	setup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe58847d.TMP	updater.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\chrome_proxy.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File opened for modification	C:\Program Files\chrome_installer.log	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\cs.pak	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\chrome_100_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\PrivacySandboxAttestationsPreloaded\privacy-sandbox-attestations.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\79cf050d-c1ac-4ae6-9da4-50594ff9b24c.tmp	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\setup.exe	131.0.6778.71_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\chrome_elf.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\os_update_handler.exe	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\SETUP.EX_	131.0.6778.71_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\am.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\gu.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\ta.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\vi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source2000_1283623714\Chrome-bin\131.0.6778.71\Locales\lv.pak	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

updater.exeupdater.exeupdater.exechrome.exeChromeSetup.exeupdater.exeupdater.exechrome.tmpcmd.exeupdater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

131.0.6778.71_chrome_installer.exesetup.exe

pid process

1032 131.0.6778.71_chrome_installer.exe
2000 setup.exe

pid	process
1032	131.0.6778.71_chrome_installer.exe
2000	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

setup.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766836485138515"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe

Modifies registry class 64 IoCs

Processes:

updater.exeupdater.exesetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ = "IGoogleUpdate3Web"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{CCA9FC90-B200-5641-99C0-7907756A93CF}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib\ = "{27634814-8E41-4C35-8577-980134A96544}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCA9FC90-B200-5641-99C0-7907756A93CF}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib\ = "{85AE4AE3-8530-516B-8BE4-A456BF2637D3}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8018F647-BF07-55BB-82BE-A2D7049F7CE4}\AppID = "{8018F647-BF07-55BB-82BE-A2D7049F7CE4}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ = "ICompleteStatusSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\ = "GoogleUpdater TypeLib for IAppBundleWebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatusValue"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromePDF\AppUserModelId = "Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\4"	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\LocalServer32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\ = "GoogleUpdater TypeLib for ICompleteStatusSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\1.0\ = "GoogleUpdater TypeLib for ICurrentStateSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\TypeLib\ = "{1588C1A8-27D9-563E-9641-8D20767FB258}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\TypeLib\ = "{0CD01D1E-4A1C-489D-93B9-9B6672877C57}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\1.0\ = "GoogleUpdater TypeLib for IProcessLauncherSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1588C1A8-27D9-563E-9641-8D20767FB258}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6597.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64	updater.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

chrome.tmpupdater.exeupdater.exeupdater.exechrome.exeAppverif.exe

pid	process
5104	chrome.tmp
5104	chrome.tmp
1408	updater.exe
1408	updater.exe
1408	updater.exe
1408	updater.exe
1408	updater.exe
1408	updater.exe
1344	updater.exe
1344	updater.exe
1344	updater.exe
1344	updater.exe
1344	updater.exe
1344	updater.exe
4636	updater.exe
4636	updater.exe
4636	updater.exe
4636	updater.exe
4636	updater.exe
4636	updater.exe
4636	updater.exe
4636	updater.exe
1408	updater.exe
1408	updater.exe
4736	chrome.exe
4736	chrome.exe
2092	Appverif.exe
2092	Appverif.exe
2092	Appverif.exe
2092	Appverif.exe
2092	Appverif.exe
2092	Appverif.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4736 chrome.exe
4736 chrome.exe
4736 chrome.exe
4736 chrome.exe
4736 chrome.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

ChromeSetup.exe131.0.6778.71_chrome_installer.exechrome.exe

description	pid	process
Token: 33	3076	ChromeSetup.exe
Token: SeIncBasePriorityPrivilege	3076	ChromeSetup.exe
Token: 33	1032	131.0.6778.71_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	1032	131.0.6778.71_chrome_installer.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe
Token: SeShutdownPrivilege	4736	chrome.exe
Token: SeCreatePagefilePrivilege	4736	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.tmpchrome.exe

pid	process
5104	chrome.tmp
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exechrome.tmpcmd.exeChromeSetup.exeupdater.exeupdater.exeupdater.exe131.0.6778.71_chrome_installer.exesetup.exesetup.exechrome.exe

description	pid	process	target process
PID 2212 wrote to memory of 5104	2212	chrome.exe	chrome.tmp
PID 2212 wrote to memory of 5104	2212	chrome.exe	chrome.tmp
PID 2212 wrote to memory of 5104	2212	chrome.exe	chrome.tmp
PID 5104 wrote to memory of 5040	5104	chrome.tmp	cmd.exe
PID 5104 wrote to memory of 5040	5104	chrome.tmp	cmd.exe
PID 5104 wrote to memory of 5040	5104	chrome.tmp	cmd.exe
PID 5040 wrote to memory of 2092	5040	cmd.exe	Appverif.exe
PID 5040 wrote to memory of 2092	5040	cmd.exe	Appverif.exe
PID 5040 wrote to memory of 3076	5040	cmd.exe	ChromeSetup.exe
PID 5040 wrote to memory of 3076	5040	cmd.exe	ChromeSetup.exe
PID 5040 wrote to memory of 3076	5040	cmd.exe	ChromeSetup.exe
PID 3076 wrote to memory of 1408	3076	ChromeSetup.exe	updater.exe
PID 3076 wrote to memory of 1408	3076	ChromeSetup.exe	updater.exe
PID 3076 wrote to memory of 1408	3076	ChromeSetup.exe	updater.exe
PID 1408 wrote to memory of 400	1408	updater.exe	updater.exe
PID 1408 wrote to memory of 400	1408	updater.exe	updater.exe
PID 1408 wrote to memory of 400	1408	updater.exe	updater.exe
PID 1344 wrote to memory of 1128	1344	updater.exe	updater.exe
PID 1344 wrote to memory of 1128	1344	updater.exe	updater.exe
PID 1344 wrote to memory of 1128	1344	updater.exe	updater.exe
PID 4636 wrote to memory of 5012	4636	updater.exe	updater.exe
PID 4636 wrote to memory of 5012	4636	updater.exe	updater.exe
PID 4636 wrote to memory of 5012	4636	updater.exe	updater.exe
PID 4636 wrote to memory of 1032	4636	updater.exe	131.0.6778.71_chrome_installer.exe
PID 4636 wrote to memory of 1032	4636	updater.exe	131.0.6778.71_chrome_installer.exe
PID 1032 wrote to memory of 2000	1032	131.0.6778.71_chrome_installer.exe	setup.exe
PID 1032 wrote to memory of 2000	1032	131.0.6778.71_chrome_installer.exe	setup.exe
PID 2000 wrote to memory of 4788	2000	setup.exe	setup.exe
PID 2000 wrote to memory of 4788	2000	setup.exe	setup.exe
PID 2000 wrote to memory of 4436	2000	setup.exe	setup.exe
PID 2000 wrote to memory of 4436	2000	setup.exe	setup.exe
PID 4436 wrote to memory of 3868	4436	setup.exe	setup.exe
PID 4436 wrote to memory of 3868	4436	setup.exe	setup.exe
PID 1408 wrote to memory of 4736	1408	updater.exe	chrome.exe
PID 1408 wrote to memory of 4736	1408	updater.exe	chrome.exe
PID 4736 wrote to memory of 1368	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 1368	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe
PID 4736 wrote to memory of 32	4736	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\is-ESQUO.tmp\chrome.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ESQUO.tmp\chrome.tmp" /SL5="$502A2,12023458,717824,C:\Users\Admin\AppData\Local\Temp\chrome.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\start.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\ProgramData\Appverif.exe
      "C:\ProgramData\appverif.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2092
  - - C:\ProgramData\ChromeSetup.exe
      "C:\ProgramData\ChromeSetup.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3076
    - - C:\Program Files (x86)\Google3076_1345202984\bin\updater.exe
        
        "C:\Program Files (x86)\Google3076_1345202984\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={A26F2748-22B9-D35F-67AB-DB956FDEBF65}&lang=zh-CN&browser=3&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Program Files (x86)\Google3076_1345202984\bin\updater.exe
        
        "C:\Program Files (x86)\Google3076_1345202984\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x12ec694,0x12ec6a0,0x12ec6ac
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:400
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.71 --initial-client-data=0x104,0x108,0x10c,0xd4,0x110,0x7ffa12baed08,0x7ffa12baed14,0x7ffa12baed20
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1368
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1968,i,6489444139590223963,954240697543330590,262144 --variations-seed-version --mojo-platform-channel-handle=1964 /prefetch:2
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:32
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2220,i,6489444139590223963,954240697543330590,262144 --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:3
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2356,i,6489444139590223963,954240697543330590,262144 --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:8
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2968
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,6489444139590223963,954240697543330590,262144 --variations-seed-version --mojo-platform-channel-handle=3252 /prefetch:1
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2248
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,6489444139590223963,954240697543330590,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4204,i,6489444139590223963,954240697543330590,262144 --variations-seed-version --mojo-platform-channel-handle=4480 /prefetch:2
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4712
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4768,i,6489444139590223963,954240697543330590,262144 --variations-seed-version --mojo-platform-channel-handle=4724 /prefetch:1
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3752
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4740,i,6489444139590223963,954240697543330590,262144 --variations-seed-version --mojo-platform-channel-handle=4712 /prefetch:1
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1596
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5648,i,6489444139590223963,954240697543330590,262144 --variations-seed-version --mojo-platform-channel-handle=5716 /prefetch:8
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1876

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x91c694,0x91c6a0,0x91c6ac
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1128

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6597.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x91c694,0x91c6a0,0x91c6ac
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5012
- C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\131.0.6778.71_chrome_installer.exe
  "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\131.0.6778.71_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\79cf050d-c1ac-4ae6-9da4-50594ff9b24c.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\setup.exe
    "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\79cf050d-c1ac-4ae6-9da4-50594ff9b24c.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.71 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff70d747d68,0x7ff70d747d74,0x7ff70d747d80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:4788
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\setup.exe
        
        "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.71 --initial-client-data=0x270,0x274,0x278,0x250,0x27c,0x7ff70d747d68,0x7ff70d747d74,0x7ff70d747d80
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3868

C:\Program Files\Google\Chrome\Application\131.0.6778.71\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\131.0.6778.71\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google3076_1345202984\bin\updater.exe

Filesize
4.7MB

MD5
823816b4a601c69c89435ee17ef7b9e0

SHA1
2fc4c446243be4a18a6a0d142a68d5da7d2a6954

SHA256
c2a7c0fa80f228c2ce599e4427280997ea9e1a3f85ed32e5d5e4219dfb05ddb2

SHA512
f3b38807ed1eb96c932e850b9b37551554408a628bedf12aa32bde08c442ff3663bf584335e7eab193ce2cf7552bce456737c96a2ba9faa953150e6304068fc6

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\128.0.6597.0\Crashpad\settings.dat

Filesize
40B

MD5
85aa04e562e7bcfbcf7a702516783014

SHA1
005cde4c2b0801cf6f2e312ff57596819413a2a8

SHA256
f06e159b18c23c403d89dff4b275c890776a9e10812d7c0292e751042ff2a9ee

SHA512
50e9cc0aebced6c6d68d480463953a8131257b277755822df374954b8443c38a95c438596dc3ed4e223d635ec4d77a7968b6dc44a0ebb478432d27b56c72e0e3

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
503B

MD5
680bd229a9d0ebe1b2ac574984076911

SHA1
ec67eb02aa73c95ad514e315efef5d286e7bf71f

SHA256
f01c4a45ae053bee4e41fdb0884c3dbe0ef3391f1b58afaa5f6cff724d3c4e45

SHA512
51cc32d431d70efaeb12df0311ade48e7c7a148d821832163382972964a2e32322dda6a28074a05a898b39b075ac1dba8d24dd4550446e97d84e1580f68f89c8

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
354B

MD5
d4927578fc92dc543365aa4e43b202ba

SHA1
5e1aeb950ac6ac3f071fa02f90a4fbc0c8e5304c

SHA256
4ac029c04a6e82f4c588237f57a798b4285c818bdbb4250c20f11a5b95d4ecd1

SHA512
4c6cbf4bfb4279edc6d6bd816ca4d1d4dbc8b7f06d875493ffeea3a8782568f49911db28aae743a41962bbe4fe34afc531e119be58888a2acf0623e99df38e95

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
602B

MD5
0d8ed3873de7e8c4cb796bf83a411746

SHA1
0cd248621e64a0763056aec41a33edeb64e9fe4d

SHA256
8623be1623926ddc9fe1a892644fe57bc29bb759cc297189360905d1a6d7fe33

SHA512
089fe028c7c75b08cddc2ff87fb6020123bab821b63cadfb396355a4ebd0fb34d79596066470f428377e5b01485bee2e9a5d1cd5a3c3fb1a04ae33faf3ad9909

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
49B

MD5
7b693a82168c33ec9e8cf276859ddf7f

SHA1
d396dbbe299fe7754a6244d01e97cc4edd0693eb

SHA256
84a9a7f43db56cd6e9a408f88244e8ba5efbe48a5b5168d321f112b8c8fd8e3f

SHA512
4064c158d753d19a72e1be1c8bd5fe7f22e2032d67d1dd7ea1d85ce652d63c69b85a4292c4403b0f7729b05607f3d1ccfaf4d27d04ad09ffcec70082450320ab

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
1KB

MD5
0d32346c2a45955bbc4bfee2ec9f5c2b

SHA1
71c89d85b7c52b83b5809c53ce0eff3c15ec2a41

SHA256
c7c1cc1f41ff9c12fe3faed47d50f41f85821294efcb551d250258fd4c229d8c

SHA512
258783abe70ddb5fe335c260b37001fa1a02065331019aefae1aa3b0e2ecf4c97b9791d2d603f49da2749c964f70bfecf0fcb0f46c40abd15c7707a2b612d69c

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
2KB

MD5
0cf88a4e02a19af4975b5b7e76ce2043

SHA1
ba93fa62f23a6aef16587df8c0a05c652d339c44

SHA256
965bd780308607423acb7e32568eb756ab89bb020e4b6aaa58a052f342d9105e

SHA512
bcd26c055997766623ab0294f806c69f73763c55c12a4b80bf6b356739b71a12bff0f5947c51ca1564d6707b34e388d6805db0bc3a0a2535e2f1f4ecafaedab8

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
5KB

MD5
88feb8604a61b7e4b4c0aa15de2fae7e

SHA1
a76dc1c58b28aa4b8b00eceb76ecb9259728536e

SHA256
829d7f4f5279b996546ed696c221537e000e64949fbb8fe02479060c17c46791

SHA512
663ca90a321e5aac9393fa903e55ac2e6c36f33286841556d21b5ba2d27825b532173b4b5db03ffee9681b03691c1afa758233be3de3d9d81fef4e9f616ec221

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
9KB

MD5
765445f296c2f4027123419f4ba37b2a

SHA1
48f022dca682f30898f1b4e27cfe6497deb7db46

SHA256
9347944bc32715f7c7872a3ad5d265ce0a1f2de80ac5eef9c625d702b0971333

SHA512
97ed48c064cb746332dc46f8caadf263e3fe5ad7ea66a8827ed62f286900e8fd72ca7f20dfe42f5f942dfa38fc13a5a4070607bc1477c54ad15396873f525a34

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
10KB

MD5
a8c1c102f832d79a51e399f399a37dc4

SHA1
ba910c739ae1458bef24c02af55ef92395356483

SHA256
58b44f3d72a1021964fec22c9fc6d32601dd9b72abbd63c53ade2d3eda18cc3c

SHA512
48806688556f98c59369e2219e870aea17797cebff8320642ae4bea6004bdff07026d11179da7520601fe7ea011a441b745e0f9f535e979f415e3eb4bdf55d61

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\79cf050d-c1ac-4ae6-9da4-50594ff9b24c.tmp

Filesize
690KB

MD5
2ab20ac9d3ddeabefd44f10d72d7ebfa

SHA1
cebf557c16266c1d8305ad69fe98041fc638bd98

SHA256
43454ddbbb096562469e74cdd98b647a2810ad5f9892154038f8f75a090bc606

SHA512
8d215306b9ab0e17988f66ffacc768ef75660e9beb2c473efd7047787e92d0a110e1efe22771a34e07b4dcadfd2b799377ef28c95be9ae1484083fc0437e28fb

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4636_1910965378\CR_B8173.tmp\setup.exe

Filesize
5.8MB

MD5
6f6a167ca653e0f1cb63d329375be4bc

SHA1
486964b4b6b80a1738efc8b357bb6ce82b38f62f

SHA256
2264856e909a50136b6a4e3c0d2aaf8c27397f874a861ea35dbe52abb2ea6def

SHA512
1ca578eaf3093a004381346a630d3580f7ba26245e11e21f9ac215813d4a1e7321712950c6cd7b73e2870b38b657d7586d8e9a891aab077d3675a6c4cb76d8d0

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
47590457d651f0b8f93ea221a2057879

SHA1
4b5677a440999f2211c819e715e787b9333ad7d1

SHA256
72491bb92382a9ea0ab98f6c496c06ccf9218da7e8475803fc5131ea0ca628df

SHA512
fefddc58da06111b990332f6d4793363d190bd053e1dbcff533b248f43365faf55a8cc926fc2873c8fdd717db2d7773198cf42a12c2137bc15c39a17015d229d

Download Submit
C:\Program Files\Google\Chrome\Application\131.0.6778.71\chrome_elf.dll

Filesize
1.3MB

MD5
d6c8da36ca45a0052517e8906d18faa8

SHA1
355efd9125a56fd097117f515846f70318fe2145

SHA256
ba1e73d6cdbe5816634459d3ad7b8544ac82c927bef73f5c0471d498b5b57e6c

SHA512
e2dacb1c1a975ecb77982df43984b094125109acff8bce2e448beff2c9c57ce88449a7ba77ed2813f9ae70e369f4e706b5fb8724a2dcb0c9101dea4840ef038e

Download Submit
C:\Program Files\Google\Chrome\Application\131.0.6778.71\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Program Files\Google\Chrome\Application\131.0.6778.71\dxcompiler.dll

Filesize
24.6MB

MD5
18b5f9fdf4e7a5461f1495e1e5b44c7e

SHA1
1751aa06486f31913d972a07699fefd3e2ac610d

SHA256
7cdafd236b6fefab9a07334613fd5d0d1e3520f0a410e4cfda856984e3223125

SHA512
0d4400ac9ddc6cd6d26e60d93e08792c96750e8e28a2c7556762bc5641bb5c527b5bc5e5961be69756e218732094976969b516b37d2a856c426d2817ad0416f9

Download Submit
C:\Program Files\Google\Chrome\Application\131.0.6778.71\dxil.dll

Filesize
1.4MB

MD5
30da04b06e0abec33fecc55db1aa9b95

SHA1
de711585acfe49c510b500328803d3a411a4e515

SHA256
a5fe1d8d9caa2ff29daffd53f73a9a4e19c250351b2abe4fc7b57e60ce67ac68

SHA512
67790874377e308d1448d0e41df9dd353a5f63686df4eb9a8e70a4da449b0c63a5d3655ab38d24b145ad3c57971b1c6793ea6c5ac2257b6eb2e8964a44ab0f08

Download Submit
C:\Program Files\Google\Chrome\Application\131.0.6778.71\libEGL.dll

Filesize
492KB

MD5
5b2d045c3f4b4ef0ddad599741b9590b

SHA1
9ce33d56e2c605bb6de70133f53be28fc839fd20

SHA256
094d62c79f62428d1dfd75384493ca5a1b12895639a0391d56351da36bc4451d

SHA512
2170a1059a7a75e83a86b220707b01c986339dbadcef6958ab48a6c84855c05fa77457afb0a11195e5c806c906167f68643ec313a8eb3e7173749e7f76e5b57b

Download Submit
C:\Program Files\Google\Chrome\Application\131.0.6778.71\libGLESv2.dll

Filesize
7.9MB

MD5
2838b356f7df6387eced5f13ddf74ab4

SHA1
9fe3af859073d4309296fedaeed5185e16b04a23

SHA256
5ec2044254c4cde67fc4c4d4d7eddd7777cb730fc19f9a35f98cfde01cefeba3

SHA512
86b5bbd14ad505cba832b7f261f1f68e2008c14f260a45fe1aa9554fa35ea8a4783419f6fe0471af5fc75db6e46b1e557075cfb9412bf252c8fe04883f8c0662

Download Submit
C:\Program Files\Google\Chrome\Application\131.0.6778.71\vk_swiftshader.dll

Filesize
5.1MB

MD5
b0f12eba05cf44587b7a2a176fc41a90

SHA1
ce0fd8d207e25fc61f0bd230b54dad275edb24d8

SHA256
0afeea3fec91c1bce8cb87ca5634c7ec48d96a21577c493520d3e7d4b1cbb5dc

SHA512
3cf491fe52c8dffb2cb4ad9cb5f424d12d884cb7213e2d31d898659085b94bef97ab905f312a392f632a6ec655de97de786f65e3da016ce79720c6dc5e50ed3b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
1c16c5cb04ed6b605efda4d2919813cc

SHA1
12f9c5ca2711278d24543c2179af96dfa09fe85c

SHA256
f80761a7d035354d38efb7aa0e1586da6b67d47b989100a026ccf452a4b54e39

SHA512
b3c157405a299f0766fd422325325eacd118407d54793e99dea8817a750a29e7b5bf2f8b2b7cbd7e57d8bb493f2e81e562c96492127c9832bd438c193b58badc

Download Submit
C:\Program Files\chrome_installer.log

Filesize
21KB

MD5
f474b1078649e6e4087460ef5e62e35b

SHA1
15a1eb77b1f434b127d75ae2357254606071f5b1

SHA256
c09cf8e22d61ee6f9ce9329cf0f86996718607d532e4580923a689060feda4a1

SHA512
c19676bcde8229ac8f53a75c80c0b3792221dff99da60f21e96846dcd0419661ba9fc7873212b21bc060fc4ca3188a7f0765d2d682dc052af129e66f42823310

Download Submit
C:\ProgramData\Appverif.exe

Filesize
91KB

MD5
8ef4960e597ab67df52e45a0af124048

SHA1
8846ad8c2992bd2503dc831195898309d00c2bfa

SHA256
849c12b99709eb16790e70cd04c615de75346b15fb9da325f87180b7a7567f42

SHA512
f393da33e61a73e21e2e0504088d3728b3229fb823290031ff42ca1ef83e1d94732f35e023115d6718dab163175184852107bf7e946f7271bb3508af9d000842

Download Submit
C:\ProgramData\ChromeSetup.exe

Filesize
8.5MB

MD5
86eb69942ef2ee2bbebe934cde9eb99c

SHA1
41d96315325c2fd8c7b0b2a1e07df254fb715e49

SHA256
127a82b5b879aa18eba9e35fdc820a0f19fd816e2825ec4cc5f385e4b7a244f3

SHA512
0cd79224479f6b20a8e2edd865890f46a41d434a6403dec5524d11cbf2fd12408eaa32221fa10fc701c6e24cb1edb0ef602b176860b9a9db9dbf63a73556c55c

Download Submit
C:\ProgramData\DesDtCore64.dll

Filesize
209KB

MD5
ef211dd68325f87395a1cf5232501880

SHA1
bc740f18683d7e35a254de4d901e2e184883680a

SHA256
97e32c456e5757fde0cc81de20e041865fd1cbcf42b5e90bf15560703d00bcd3

SHA512
a2ce5351c451dea75f408cb5de215e6e89f51054f693a87abc59f4b2dc9a2699796f2ed6589305cda89d77131a727d779ea6df97eb11b1c9836f5b9c2e089299

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

Filesize
2KB

MD5
e04934834299377413412abf2620979f

SHA1
196c33941e065c172dcbcc8e9b277ed742955784

SHA256
4f8f5893d0d4fdd7d0146e830a33f74efc21c6832d2ca58e9d6e54f7ce0b4363

SHA512
0b478c34bf1e0a253cb555e5be69a5351b81e563c5ab630f4a97c692544d64a3ed4613e6af410bd38a6c5257a886f85f909e300203a1ac3c4c47418e2351deab

Download Submit
C:\ProgramData\start.bat

Filesize
72B

MD5
5f7cbf20bb8fdaf6b0734986cf3de662

SHA1
d79c9d6b4f1d9da0e075b9dd627197ba7f7b8576

SHA256
1ac28dba3ec4d5083adaae3b7edba7ca2d0ef77869203b21ed84fabe0fb55c05

SHA512
e5d0860bf9691aaf1cba76099c76451d4c029560d76677db9a4df5cb776aab5bfa58c882f7d64ba4e816b4ea1799a17a63d185795f5b587af216c9dde2bc6b8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
8f5292a06f6d8692762e232507bc74cb

SHA1
57c38fcf89fe4f8838b0413e26de14acf5a5324d

SHA256
6721afcb7b5f34330e7adfdb64e04594921287652840931ae5a25faebb09edb6

SHA512
66bc551db269a21637e6ef5e9568d5f0aff6aaa5e9a39cde9b5f899895e53559e16a1bdbbfd2941e4dd9d248dfc2d238d59f1194efbc932389476072dea81a50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
46171ded40535faec05a2e08ae947469

SHA1
e891df00539c4b04964053d08f1447c65391eb8d

SHA256
8e9def632da5b868bcb6fc11eb28078a8270d36f9931da913121e626aa64de27

SHA512
c5e80fb35c16f3686ec9436732ab68e06586ffa9151926edb21a6a0e3fc7f18f3b4fd2bedd30dc1b953551b713185ce028b3f0d52fab53d7aa3a4e3d95ae4cbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
dc5c9c5e86842804110f5b155d582fda

SHA1
3926fc21ac52c5ca87c70bff8ab8a59eee32a4da

SHA256
a7bd75c9dc391cf641cd2fe5fe4c47b42b05825cfd8ab98cd4a148de885a0b62

SHA512
147a4214ae9976c0874ff595dd612d8c3f9f6fc96806f0e59e8c80095f91895a5637641eb0f8a6227f17eed62154ed664d0e8452fe195d88fe13032e784dbedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ESQUO.tmp\chrome.tmp

Filesize
2.9MB

MD5
5ee4539394fd28a6feb7c29fba663be0

SHA1
cab38330de72d783a39bde9b47ab5990b8a2b793

SHA256
63df72007101bf222c8c8f1e0522f2117285b34741be04920e38c725622483dd

SHA512
737dcf5461dd1f5022d05fd1b5017b2a574ce77f2575f100feb2ec2070b16d9751e3cca3b609932e8eb342d5e81c4380d8b7f42a147ddce1e6ae832154b3519f

Download Submit
\??\pipe\crashpad_4736_EGFBIFOLKONLQDNC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2212-2-0x0000000000401000-0x00000000004A8000-memory.dmp

Filesize
668KB

Download
memory/2212-0-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2212-26-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5104-6-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/5104-24-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download