gh0strat | d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
Size

27.6MB
MD5

dba779040cc9cf606ae3271ec9ef03d0
SHA1

00cd24e75cd21e44c14bc4602df189d34c2b14b2
SHA256

d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8
SHA512

427986dd32cd9ea42ee7da6eb8227ab939833f76a7d796d97b8ed213be3ed3e38dc75c0f332f50864eb972bf3af065f930acbafab8394098b9cd2d0f8158319f
SSDEEP

786432:wbnq//o4Syaf/A7NpfYoLzxCYjTF5wdbzo5p6VmTs1TW5lhH:z//nk8JjxCKSI5p6kTsJW5H

Score

10^/10

gh0strat purplefox defense_evasion discovery persistence privilege_escalation rat rootkit spyware stealer trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4296-13151-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit
behavioral2/memory/4296-26240-0x0000000000400000-0x0000000001FA5000-memory.dmp	purplefox_rootkit
behavioral2/memory/13620-26258-0x0000000000400000-0x0000000001FA5000-memory.dmp	purplefox_rootkit
behavioral2/memory/7036-39373-0x0000000000400000-0x0000000001FA5000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4296-13151-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat
behavioral2/memory/4296-26240-0x0000000000400000-0x0000000001FA5000-memory.dmp	family_gh0strat
behavioral2/memory/13620-26258-0x0000000000400000-0x0000000001FA5000-memory.dmp	family_gh0strat
behavioral2/memory/7036-39373-0x0000000000400000-0x0000000001FA5000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\132.0.6834.110\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	chrome.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 37 IoCs

pid	Process
4296	quubmrikb.exe
2736	ChromeSetup.exe
4824	updater.exe
2296	updater.exe
4300	updater.exe
3384	updater.exe
2404	updater.exe
2200	updater.exe
13620	Mnfgh.exe
7036	Mnfgh.exe
8056	132.0.6834.110_chrome_installer.exe
10996	setup.exe
10972	setup.exe
11824	setup.exe
11880	setup.exe
17592	chrome.exe
17624	chrome.exe
29948	chrome.exe
29900	chrome.exe
30028	chrome.exe
30256	elevation_service.exe
30100	chrome.exe
30180	chrome.exe
30308	chrome.exe
30496	chrome.exe
30732	chrome.exe
31028	chrome.exe
31044	chrome.exe
31056	chrome.exe
31456	chrome.exe
17840	chrome.exe
31952	chrome.exe
32452	updater.exe
32468	updater.exe
32684	chrome.exe
32692	chrome.exe
32700	chrome.exe

Loads dropped DLL 43 IoCs

pid	Process
17592	chrome.exe
17624	chrome.exe
17592	chrome.exe
29948	chrome.exe
29900	chrome.exe
29948	chrome.exe
30028	chrome.exe
29948	chrome.exe
29948	chrome.exe
29948	chrome.exe
29900	chrome.exe
30028	chrome.exe
29948	chrome.exe
29948	chrome.exe
29948	chrome.exe
30100	chrome.exe
30180	chrome.exe
30180	chrome.exe
30308	chrome.exe
30308	chrome.exe
30100	chrome.exe
30496	chrome.exe
30496	chrome.exe
30732	chrome.exe
30732	chrome.exe
31028	chrome.exe
31028	chrome.exe
31044	chrome.exe
31044	chrome.exe
31056	chrome.exe
31056	chrome.exe
31456	chrome.exe
31456	chrome.exe
17840	chrome.exe
17840	chrome.exe
31952	chrome.exe
31952	chrome.exe
32684	chrome.exe
32692	chrome.exe
32684	chrome.exe
32692	chrome.exe
32700	chrome.exe
32700	chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnfgh.exe	quubmrikb.exe
File opened for modification	C:\Windows\SysWOW64\Mnfgh.exe	quubmrikb.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 31 IoCs

pid	Process
4296	quubmrikb.exe
4296	quubmrikb.exe
13620	Mnfgh.exe
4296	quubmrikb.exe
13620	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe
7036	Mnfgh.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\128.png	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_metadata\verified_contents.json	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe57de4a.TMP	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\libGLESv2.dll	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\en_US\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\iw\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\sl\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\gl\messages.json	chrome.exe
File opened for modification	C:\Program Files\chrome_installer.log	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files\chrome_installer.log	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\hr\messages.json	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files (x86)\Google2736_1143322932\updater.7z	ChromeSetup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\Locales\es-419.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\tr\messages.json	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\dxil.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\Locales\ko.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\chrome_wer.dll	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\el\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\fa\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\es_419\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\page_embed_script.js	chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\default_apps\external_extensions.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\resources.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\vk_swiftshader_icd.json	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\offscreendocument_main.js	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\pa\messages.json	chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\132.0.6834.110.manifest	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\Locales\ar.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\Locales\bn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\Locales\id.pak	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\6adc2170-c7f1-4115-adb2-158d89e407f3.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\Locales\af.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\Locales\cs.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\elevation_service.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\vulkan-1.dll	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe590b51.TMP	updater.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\da\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\mn\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\lv\messages.json	chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\dxcompiler.dll	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\ca\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\pl\messages.json	chrome.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\eu\messages.json	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\746d60dc-a7e3-458c-8b50-94f4ab7625b1.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\manifest.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\Locales\mr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\Locales\tr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source10996_588191948\Chrome-bin\132.0.6834.110\libEGL.dll	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping17592_354349177\_locales\hy\messages.json	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnfgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnfgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quubmrikb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
8056	132.0.6834.110_chrome_installer.exe
10996	setup.exe
11524	PING.EXE
7024	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133821710385631087"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\win64\ = "C:\\Program Files\\Google\\Chrome\\Application\\132.0.6834.110\\elevation_service.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\ = "IPolicyStatus3System"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0\ = "GoogleUpdater TypeLib for ICurrentState"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0125FBD6-CB11-5A7E-828A-0845F90C7D4E}\TypeLib\ = "{0125FBD6-CB11-5A7E-828A-0845F90C7D4E}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\GoogleUpdate.Update3WebMachine\CLSID	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0125FBD6-CB11-5A7E-828A-0845F90C7D4E}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\AppID = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML\Application\ApplicationIcon = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\ProgID	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\ = "IGoogleUpdate3WebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\4"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ = "IAppCommandWebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{0125FBD6-CB11-5A7E-828A-0845F90C7D4E}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\AppID = "{521FDB42-7130-4806-822A-FC5163FAD983}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\ = "IUpdateStateSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromeHTML\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromePDF\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{521FDB42-7130-4806-822A-FC5163FAD983}\LocalService = "GoogleUpdaterService130.0.6679.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\ = "GoogleUpdater TypeLib for IAppCommandWeb"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{DC738913-8AA7-5CF3-912D-45FB81D79BCB}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib\ = "{34527502-D3DB-4205-A69B-789B27EE0414}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0125FBD6-CB11-5A7E-828A-0845F90C7D4E}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8018F647-BF07-55BB-82BE-A2D7049F7CE4}\LocalService = "GoogleUpdaterService130.0.6679.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\TypeLib\Version = "1.0"	updater.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
11524	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4824	updater.exe
4824	updater.exe
4824	updater.exe
4824	updater.exe
4824	updater.exe
4824	updater.exe
4300	updater.exe
4300	updater.exe
4300	updater.exe
4300	updater.exe
4300	updater.exe
4300	updater.exe
2404	updater.exe
2404	updater.exe
2404	updater.exe
2404	updater.exe
2404	updater.exe
2404	updater.exe
2404	updater.exe
2404	updater.exe
4824	updater.exe
4824	updater.exe
17592	chrome.exe
17592	chrome.exe
32452	updater.exe
32452	updater.exe
32452	updater.exe
32452	updater.exe
17592	chrome.exe
17592	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2736	ChromeSetup.exe
Token: SeIncBasePriorityPrivilege	2736	ChromeSetup.exe
Token: SeIncBasePriorityPrivilege	4296	quubmrikb.exe
Token: 33	8056	132.0.6834.110_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	8056	132.0.6834.110_chrome_installer.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: 33	7036	Mnfgh.exe
Token: SeIncBasePriorityPrivilege	7036	Mnfgh.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe
Token: SeCreatePagefilePrivilege	17592	chrome.exe
Token: SeShutdownPrivilege	17592	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe
17592	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 4296	840	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	82
PID 840 wrote to memory of 4296	840	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	82
PID 840 wrote to memory of 4296	840	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	82
PID 840 wrote to memory of 2736	840	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	84
PID 840 wrote to memory of 2736	840	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	84
PID 840 wrote to memory of 2736	840	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	84
PID 2736 wrote to memory of 4824	2736	ChromeSetup.exe	85
PID 2736 wrote to memory of 4824	2736	ChromeSetup.exe	85
PID 2736 wrote to memory of 4824	2736	ChromeSetup.exe	85
PID 4824 wrote to memory of 2296	4824	updater.exe	86
PID 4824 wrote to memory of 2296	4824	updater.exe	86
PID 4824 wrote to memory of 2296	4824	updater.exe	86
PID 4300 wrote to memory of 3384	4300	updater.exe	88
PID 4300 wrote to memory of 3384	4300	updater.exe	88
PID 4300 wrote to memory of 3384	4300	updater.exe	88
PID 2404 wrote to memory of 2200	2404	updater.exe	90
PID 2404 wrote to memory of 2200	2404	updater.exe	90
PID 2404 wrote to memory of 2200	2404	updater.exe	90
PID 4296 wrote to memory of 7024	4296	quubmrikb.exe	96
PID 4296 wrote to memory of 7024	4296	quubmrikb.exe	96
PID 4296 wrote to memory of 7024	4296	quubmrikb.exe	96
PID 13620 wrote to memory of 7036	13620	Mnfgh.exe	97
PID 13620 wrote to memory of 7036	13620	Mnfgh.exe	97
PID 13620 wrote to memory of 7036	13620	Mnfgh.exe	97
PID 2404 wrote to memory of 8056	2404	updater.exe	98
PID 2404 wrote to memory of 8056	2404	updater.exe	98
PID 8056 wrote to memory of 10996	8056	132.0.6834.110_chrome_installer.exe	99
PID 8056 wrote to memory of 10996	8056	132.0.6834.110_chrome_installer.exe	99
PID 10996 wrote to memory of 10972	10996	setup.exe	100
PID 10996 wrote to memory of 10972	10996	setup.exe	100
PID 7024 wrote to memory of 11524	7024	cmd.exe	102
PID 7024 wrote to memory of 11524	7024	cmd.exe	102
PID 7024 wrote to memory of 11524	7024	cmd.exe	102
PID 10996 wrote to memory of 11824	10996	setup.exe	106
PID 10996 wrote to memory of 11824	10996	setup.exe	106
PID 11824 wrote to memory of 11880	11824	setup.exe	108
PID 11824 wrote to memory of 11880	11824	setup.exe	108
PID 4824 wrote to memory of 17592	4824	updater.exe	110
PID 4824 wrote to memory of 17592	4824	updater.exe	110
PID 17592 wrote to memory of 17624	17592	chrome.exe	111
PID 17592 wrote to memory of 17624	17592	chrome.exe	111
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112
PID 17592 wrote to memory of 29948	17592	chrome.exe	112

C:\Users\Admin\AppData\Local\Temp\d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
"C:\Users\Admin\AppData\Local\Temp\d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\quubmrikb.exe
  "C:\Users\Admin\AppData\Local\Temp\quubmrikb.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\QUUBMR~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:7024
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:11524
- C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Program Files (x86)\Google2736_1143322932\bin\updater.exe
    "C:\Program Files (x86)\Google2736_1143322932\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={68A8F50C-03FE-5756-A1D3-410E39B8C8FD}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Program Files (x86)\Google2736_1143322932\bin\updater.exe
      "C:\Program Files (x86)\Google2736_1143322932\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0xeba6cc,0xeba6d8,0xeba6e4
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2296
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Drops file in Program Files directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:17592
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=132.0.6834.110 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc0439dcf8,0x7ffc0439dd04,0x7ffc0439dd10
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:17624
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2000,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=1996 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:29948
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1612,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:29900
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2400,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:30028
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3256,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=3212 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:30100
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=3652 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:30180
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=4488 /prefetch:2
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:30308
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4692,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=4736 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:30496
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4960,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=5036 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:30732
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5616,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:31028
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5712,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:31044
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5768,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=5728 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:31056
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6052,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:31456
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6128,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:17840
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5636,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:2
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:31952
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4480,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:32684
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4488,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:32692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3936,i,15149457583301532970,189251362488277738,262144 --variations-seed-version --mojo-platform-channel-handle=5700 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:32700

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x73a6cc,0x73a6d8,0x73a6e4
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3384

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x73a6cc,0x73a6d8,0x73a6e4
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2200
- C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\132.0.6834.110_chrome_installer.exe
  "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\132.0.6834.110_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\1bd778e7-dc8d-4e00-b3fe-05acc59b71a4.tmp"
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:8056
- - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\CR_BD01A.tmp\setup.exe
    "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\CR_BD01A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\CR_BD01A.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\1bd778e7-dc8d-4e00-b3fe-05acc59b71a4.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:10996
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\CR_BD01A.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\CR_BD01A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=132.0.6834.110 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff67fb8dd98,0x7ff67fb8dda4,0x7ff67fb8ddb0
      4⤵
      Executes dropped EXE
      PID:10972
  - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\CR_BD01A.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\CR_BD01A.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:11824
    - - C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\CR_BD01A.tmp\setup.exe
        
        "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\CR_BD01A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=132.0.6834.110 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff67fb8dd98,0x7ff67fb8dda4,0x7ff67fb8ddb0
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:11880

C:\Windows\SysWOW64\Mnfgh.exe
C:\Windows\SysWOW64\Mnfgh.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:13620
- C:\Windows\SysWOW64\Mnfgh.exe
  C:\Windows\SysWOW64\Mnfgh.exe -acsi
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:7036

C:\Program Files\Google\Chrome\Application\132.0.6834.110\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\132.0.6834.110\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:30256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:31380

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:32452
- C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x73a6cc,0x73a6d8,0x73a6e4
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:32468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google2736_1143322932\bin\updater.exe

Filesize
4.7MB

MD5
c583e91ddee7c0e8ac2a3d3aacad2f4c

SHA1
3d824f6aa75611478e56f4f56d0a6f6db8cb1c9b

SHA256
7f67129760223e5ddf31219f0b2e247555fbac85f4b6f933212ac091a21debf9

SHA512
0edbc9a7e3b6bf77d9a94242ee88b32af1b1f03c248290e750f355e921f49d62af13acfeed118ec624fb3e2c6131226ac17bb3d206316b056c1f7cf55642e069

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat

Filesize
40B

MD5
08df5c3d1dc0a04a11417d43143b3dd8

SHA1
fbe7c95c8e0fa81b3b82ae3763559f3e54cbf5ff

SHA256
6427ea3d6e39999f3266f4ccd8899242ab25f0764059244bbb430880df580dc6

SHA512
6a0ce8525ae6fb129a52c1f0909fb1f2d4de0a85b3b49f40a2403b1e44a3824e241a8724fc4417a9ebc2c34c71a8032974dd2dedd7eb0b0d27ddcebb97109367

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
354B

MD5
227350f44c11f7dc5e4229d041dfa72f

SHA1
66f6d2bfd37e6b9df9ead8c40500db5fbd4ea9ba

SHA256
e82892f132a5432c6e8c02d6f36faea67b272497cbc82c5f0cfabde79372ac7e

SHA512
6231d93293181be9e398a2e811a0e5a0b141fd8a02523656b6c6e6740e6aab37d53139c1cd3c30b9cc0b1dac187d594189ae0131e5f44b2739de74c5c1fa146d

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
511B

MD5
bd960ee74a42f9136e5100d5c4f43f3e

SHA1
75c3088334f50d1b65cd298a7a5660ecc5379b49

SHA256
c0600c48ca87ef4d3865a6a5bc7c6701f9ea3e4ef8ca96c7ee381e22714c00d3

SHA512
cd2e77312ab3d9c577cf3fe5518d49dc697d0eac11aa15708ead41eeaa087dd65e1b8fedec4d9627768c32e993d3a70a0ba0d487aa935860cea7cbd72c7e17e6

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
611B

MD5
739193f4c68aa4809db118990ec71126

SHA1
f1bba5f915d465345c83e30b25cfee2acd0dedaa

SHA256
f830d76650b8616685e93c0430444512fc2ee36356d777ce811692273c0ae96c

SHA512
ac82274443b7e30a572da175024a8bdbb659361d085369c6f2a77e63524e62666e76761335931ce42b075acdcf054d5d9c63ce5c15f212db0e018bc8f3424938

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
611B

MD5
0a91d6c477856d8363e658488715f1f1

SHA1
891b4dab436798b56a8501d942fee0b117814caa

SHA256
6fe8e301c4d88543c020650b60d0bc5199e1eabf50135493792b21120f599142

SHA512
ef4eefe69493334523a86eb19b7d6ebfaab4098220cdcd5690c3e31f2c27f7502af71949cf2bc1512e87900223b57b3f5965e4d371dcc5837eec6cbbaf336461

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
49B

MD5
c88c3ad52765a523b2b598bf2c5a9216

SHA1
4ebada495c7ec0e2ae7d92aa2be7c049d2b0e512

SHA256
e450a8d057f11bb4cd98343448b3fd8a70b0f22bd7eb6b84b6fb03731b36fc32

SHA512
a21348e047b3e84ce8a14a6298f518d1c4f512a7155360e1d85121d77ab9b4d51d09dbe67e6aad5a19b758f69b1a177a54c2e848de23d6cb66f6c7ff9b2c40b5

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
4KB

MD5
6579fed0bbef2e0eb8899aeef6a18662

SHA1
4d2e15e5fb4c0d0f8611d6ee9360503251051b33

SHA256
f201bc48874cd7aef8fa7393c9af6de8bd6e7900c926155b760af16c8b20c0e3

SHA512
306c0ba5fd9ce251ef1b6ece30c30d265043db315f37ae0ee617798014f759d39d1cb8bc300e851a64e3e964bc2bfaec0c00c866ec6681b9a27d8856dc9b20fe

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
2KB

MD5
b0b055b2d70872410f62d99f132ac6f5

SHA1
2455c4cc09ebdb1cf915f67d6a207d8a8fae671d

SHA256
5bf54b7bb276815f0101a1ce8361588ca48a3165323ade5239609690635dab78

SHA512
29fd2cd1ee444cbdb8fcd65d7b63deb5b4ed46f7fbb4baed3e7c262a05c22b054257912b61f78d2112b7aca6302baaf13b2bca63263faba823539f0be900f643

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
3KB

MD5
234309169ded19017aa8ae4cb86084de

SHA1
6f8c6ecbd1a6310f37fb71b7e913803d8b8124ec

SHA256
ef7cd132c1b52c69842d6e16f3f154284303b1cf161f8fe16c23ff11a6f783a7

SHA512
2c144a92d57f2e0bea8d7aebe16e2247eb45d45650c110e5991b196c4bbad1c017ecce9f36da5ad99b1984387f784b6fdffeeb18c610d8b883e2907d924a66cb

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
4KB

MD5
5f46e9b6242e721518ec07b6253a2f43

SHA1
85749701a9cf0a4b14924402faf5b8c8515de600

SHA256
5dc46df2a3039ada4e5322b52e45d0c20e3e527497c4a81622351ba8db062e14

SHA512
6cac1214a6ad3439ab01d9b8fbfe2f496dd4da67360aa268997607084e378183f7f3583abe62774e2b4a25bd3ff80ef8ca74ced1eee4780e4b9f87a9b680b218

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
11KB

MD5
8e55c7571ce5e54eb5f0e854077485cb

SHA1
5eb406b297d8b0284064188298b5d3585b1e59e9

SHA256
d3ef323aaf738237d6ce00cef5bf30ee423ac18398e2a7da0fc49bdb6ec00275

SHA512
8ef6e045b9a005f6cf7f82de4381a79c8613bab2343212becc986fd48045756a0103151ca74453b7b89a74a15c77c3e7d3cac3c66cc3164a7c94888b3f64affc

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
12KB

MD5
8978707185f91fa0f693e41c53ead35e

SHA1
777492cd634472210e26648a9282cc7e981321af

SHA256
2f56c6b04410245a88802127278a55bf9249cf1c5494595d296493ad91d7e253

SHA512
f559b28d9152cf15e4164f72b3e8f5bd690b718363f1c0730b8f7cd6cba5c5b11719551bf26d9f6e10feebd774e8a8cbaafc98087b494c163e876d780bbbed0d

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\1bd778e7-dc8d-4e00-b3fe-05acc59b71a4.tmp

Filesize
680KB

MD5
20522549931f872ebc93fc41a280f977

SHA1
df7d3b6f48b0f12a52d996d887b38455ee69af43

SHA256
dbd81b52fd86771892c4c0877c3d5a1dc110f2ba2a8930339185846971b923e8

SHA512
6d53fe94e580cef8cd4dd5b03175392381a1a84b84dd625f7fbad37b4dab2123b6f989df517498d66529d5efe851cb89220e603aa781651e766f2ae34d1ef999

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2404_1196118554\CR_BD01A.tmp\setup.exe

Filesize
5.8MB

MD5
98050172d3b129043aff27c6d6cab9a5

SHA1
4d6e4cb7de513df8caeba8c5ff6e8d9ceabfbd80

SHA256
ec94b3ef56fe99a5a09451de5ab2e24d5bd32f6a8908dabab75db198ffa65883

SHA512
47ef30580b7ba38b84fe8bf632925cf37663f2f2eb003da05ccb2e43c2b64383768474ddd51a5e89f94f2b1ee8c9c5afc36083f2a3ee3e6622abdf473f857b1e

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
f01e65058c636560dd0255771ab123da

SHA1
b33200d635cf05e3820e05f7b7bb5d04772146b2

SHA256
20aac04791cdc0e6c4e8dc0f00125ff91daee53992a1ce2e71d8186e00c6a395

SHA512
adf73d69a20328e5a3c0cbe3f0a99951ecaa119c50182cc2d661a39d707e90440dce3506e8ed4e6c9ac8e569106dd400481e950dd42113d21385bcebec95d58d

Download Submit
C:\Program Files\Google\Chrome\Application\132.0.6834.110\chrome_elf.dll

Filesize
1.3MB

MD5
662c84bd541a03f39214251901f23e83

SHA1
a089af7acc3fd5ce7320b012dc2feaf7b548b82c

SHA256
c89e45dfde56c4db52c4f44607cb4c47cb53250be307601e22d7ba5374c99fde

SHA512
cba8f284186d82c650bb8e3cd68db6867d195f05ee6374867ea7928650e5b6eec1db664ea6dc87aaf5874a2864ab75c2d24ff6f48ddf17ccbc692afa45aff6e8

Download Submit
C:\Program Files\Google\Chrome\Application\132.0.6834.110\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Program Files\Google\Chrome\Application\132.0.6834.110\dxcompiler.dll

Filesize
24.6MB

MD5
b16ed32935726c2266a989cb04f83ab7

SHA1
651b2b99fb778a05c53c2abeb04b46fcc075bcd8

SHA256
f7452ab35b343ee4a398a090558494ea8ba98d7ca3c90334ace768dd31d22d51

SHA512
7a549ffe2c27c5a63760283fce4dbf17ae067e47528431c3f55a718041b7fa607bd1651b25e17e9383560b70a7cd1bb1e5651cf40dd8a32bc47ed3b8c911a980

Download Submit
C:\Program Files\Google\Chrome\Application\132.0.6834.110\dxil.dll

Filesize
1.4MB

MD5
30da04b06e0abec33fecc55db1aa9b95

SHA1
de711585acfe49c510b500328803d3a411a4e515

SHA256
a5fe1d8d9caa2ff29daffd53f73a9a4e19c250351b2abe4fc7b57e60ce67ac68

SHA512
67790874377e308d1448d0e41df9dd353a5f63686df4eb9a8e70a4da449b0c63a5d3655ab38d24b145ad3c57971b1c6793ea6c5ac2257b6eb2e8964a44ab0f08

Download Submit
C:\Program Files\Google\Chrome\Application\132.0.6834.110\elevation_service.exe

Filesize
1.7MB

MD5
4ef2d2d356792c9a0cc8d3ea3d885da2

SHA1
a3745e3f888630d191b820a6c03f952cd4c8109d

SHA256
0bf90e454a5e8d468b61f642cf5a86c2365f5a355ba8f5ceca413102a2f234cc

SHA512
b33876e233253a8cfcab4a1d07e458dded065f0b80757bed140a48897398440a83ebe4d82b357d087e318bf969f65706716025ab135dde145104b860066ed004

Download Submit
C:\Program Files\Google\Chrome\Application\132.0.6834.110\libEGL.dll

Filesize
492KB

MD5
571ae5a425ac715fd9bd1b2e75180b0b

SHA1
b14b63d8c46097a5033f50f1c40ac54da0460331

SHA256
6052ff30844cf9699237500f6fba1f535478641554b0bbcdad0093ff8edb8e43

SHA512
373d6ddddd0d6e73930be6fec30dfacec6941e3715cb863a6a8fc9551ea53f9f0589b56d45a4241ea56a1a3967b9e28925974b9050525aab7b913480041791c1

Download Submit
C:\Program Files\Google\Chrome\Application\132.0.6834.110\libGLESv2.dll

Filesize
7.6MB

MD5
72f402e97f424f5fbb83153790d5a9c4

SHA1
427b46c201e942de9d9172dabba0cb0d90865030

SHA256
1eedd6662b432b02b5b934476b3a9a194b72c1ca4f590d484af0478a3e49b7ad

SHA512
14d0a5453ad9a20911ec56a84cafcad93c4e9b703b8fbf567cc1cd2b4cd6c84cbecbb73030913e209d85f47957fef4f25adb46b44b8a96227ba42822cd34ac9a

Download Submit
C:\Program Files\Google\Chrome\Application\132.0.6834.110\vk_swiftshader.dll

Filesize
5.1MB

MD5
64cc21b64cdea736e5fa799228c4f289

SHA1
235b8bc1fd2d8fec16a76136b4c72a5266e5fbc3

SHA256
2ff20a2b4d3eb9bfbb16510c51bb6fa4057fb14b7288b30a0ae94c5a98e48ec9

SHA512
100a26aad6a404f916493167fe4ba5176b38b8c5bfba3b61a31847756a7e63b1cb1f672a3af6b6974f7c365c974b172a59564accd74e4d88e66ef8af1503908d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
86b39fd17d75075c5d4eea4e5aa8dc0f

SHA1
a5bf606e93ccb45c6b3e82d678d32dd38680c55e

SHA256
18e78b0626b9a79d14b7909016fa28ee75651a2a1bb01729b1fdf7cb73495a19

SHA512
0e48386faa93f7e612b2d16359f4a141cf83f68e2cad4b9be6aa85cd95447d4423fff8944afba58f78c5d907110840cdf65e607fac2fe0e691dd7fab4847782a

Download Submit
C:\Program Files\chrome_installer.log

Filesize
21KB

MD5
0ec057d1f297f8eac0e200f8b81bcfcf

SHA1
cf72271bdb3a2202331379883e366285f05ae961

SHA256
43c9aeacf464ea2558e09aeef5cf74220949c84b394b4d4ccfae2897f3b9de3a

SHA512
008aa0190233fb8392a6bac8fd034a8d0c07219998d10b1b4ca53a29970903ea754f2098fb7f2c7e0d6e6ed636ca9692408b5370e983dee0bc21f70868bc5dbd

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

Filesize
2KB

MD5
0e0b90377684a8c7a6337a6b86987287

SHA1
cbc49f11e7ce7f0f147ec7fb596e8364f3ee8dca

SHA256
e3b245290a54a158f1aa1dd6c56386150e4234251175e143a767e68c4337e134

SHA512
5aeba0cb7729f32fe8a4df9d794500b56c1c75276bdafec0494cb79c320304a144988fef007558f53c7835e5f1e9da43b9575fd095da2136278e4050a8482a32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
46176815c8f5b7f2b34b792ddbde3b8b

SHA1
24f07654a6c9b718d1229bf91c7bbf7c6af8909a

SHA256
6cc1e4bd2c7e645441bdcf0b350f6f45e112643ed18f461b6ddc65571e260111

SHA512
c52347755813e972fd8cb821ab77e6e22593c717373234442b7e9f683499155ee1d5c68c26099f88916791775344896c750a290013c19682b4be9d26bdda9826

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
02c1d1acd613b58b8233dd674eef75d3

SHA1
5a061ac9be74a13d81217572a3e1e5ff7dc581c5

SHA256
5317500369ad3c658574e48820e5975559ff1ad395a17c4e9c9a84d094af3e97

SHA512
ad65fe6ec6861ca1bee70d4f0ed1c2394b6f4143363d6186b7352b9fad8394dc7a5e3fedda1924f3fa01c8206e0fe452699fc05f1dbfe12d3e1d1fe62160aac7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2e556de090b113b1c1365ced527b1087

SHA1
40c440e5f82d8902f018ea10c518da225b17ee71

SHA256
1ba9f787492a1f36e73b3f5af7a2e8531cee173d0884fe32e64d56c1fb1d981e

SHA512
e0ab10b21ecf0ecadbd652f9db806ea0084f7ab245cde7191c6925795e7bb238b724ebaae71a821ce0968a48720ee11b4765589819c1fbd954d67d612985d51c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
240affa25713c4af0cffdd5a335bfa1d

SHA1
b9ea05fa83823ee8cc3bf642c2c7c418e14ed2e7

SHA256
4612d5fcb91950e98f2da327f6f23deee507862fbf39b6e9bf8b5b71325bb155

SHA512
37a0b2d50805cf7046a0f6b729fd455d7fc3a5ff4681e9ec1a8983794dfcefd3cc2f2d515446b0d21173160871c174f7cb67e0197392ca1ab2e2c1db2dbf41e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f641756d5a2450f16a806ff9c93a454f

SHA1
92f8e61c1e3387dfee1d358323bcc75ec6674df7

SHA256
2d7fd91f61a16e927bcd0b0c78eaa532eac8ba42d5326c587aef98200c27c4e8

SHA512
1371245d3cab4a7c9edb7f36435420821fe7c627bb58c08dbb30045a88b55192682dc82dc541f661b02a3f64461c7828cd2bf4fff975db7346a0443990a5fc0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ed0b912c4875ead09666e0802c283a09

SHA1
eeb74c7fd5ce2f1ff6045df4488e49e02bf9559a

SHA256
5e963c4fcc6a3015d9ba74e501ddd19c40b9b83b85188ec7101d59f36edd7fa6

SHA512
d27bdefec3d36ca46cec1d96f6f1c629b0dcf4c61f61b36edc4971be760214d807d37fa822d64336b37b11555f3f97b2b88c611de298d26b84d565b09a889222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\32.png

Filesize
1KB

MD5
a3a00ef924278ba60be0fffeec04995e

SHA1
69ab25402bb5ef6d99538ec8044c6edb128be0d3

SHA256
a5670fe56dbae316511d6f8c7349477c69c53dc59fe5615984eed5c8cf55a717

SHA512
fd53f2c0e8f493817f5ff5c2f9b87ffb82a11bc2b56a9798072efdf22677d2760bc489a2c8d76fdee6f65a0f4509d4bc257851811b4f720120780e796c6bc4b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\48.png

Filesize
1KB

MD5
5bfbb6b6a7e313f5d67a1219f7866c4a

SHA1
c49ec46ca5fb945b582c99b47a2b7c09da8f766e

SHA256
6dc4e5c4c1722173cb9d40e7edd2947c12677b12fd2fdd6e2544bda6bb456ab1

SHA512
55928faf39965083855cf6e1a8bc477560b41f3d8d8f678de7271960c6b59b7f2a256ae4e03428f86c1fc0e431370512e9c69a5631cad9e103e8978faa10ac13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\64.png

Filesize
1KB

MD5
0aa5ac35c79f5cb38dd5fafbabf2983c

SHA1
36658f24dbb49f5ff2a19897b22071f72e523f12

SHA256
3695587d1d40ba3171aa991cb77e6c9080b550db7c3d3b52097c1723ab060f32

SHA512
fcbc8a65c4b852c848a13fa12131fa7b17b1310ad3278e78545e8334ddf199b627110bde2fc0a5e7312fad3a5f12b0db54c665d00f1feb1cf3b7c4b18e7569e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir17592_1227118599\Icons\128.png

Filesize
3KB

MD5
654cafa7846b64b91835e202c3efca65

SHA1
4e0fa549b16a47ca9e22e0a510229f528740d51b

SHA256
956bd19ad9a62b83792bed90a6e6457e0812abb36ef85763f62883d70f65241b

SHA512
65db6e4824ee4caa38fa4ec837c2ee4290e34c8d2c5099b33720e7b6ab83997608ae8a6d47961d8506be3d23606b179cf792cc040a7c6c3f251855c294b26223

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
186KB

MD5
1643f7d199b3f3835ec89e2cd2808cd7

SHA1
6cebc1beae4624e3977b9ce05a331cabf051f72b

SHA256
7c08351bb797a2d0700655905df109f2ed8550188f470039a4be5175e0058bd0

SHA512
e42e5628611a999c3e14d8ead0cb345f49c1cc7bac91d53d7c9ab85a8ee8d25b81daee0bf63d2f3c93329dab63e209bb7800a788d9c2e0f89815c1c914fb5ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
03bb68cfa76fb9ae991a36bf562940db

SHA1
ec2c8b4a6893296b36d3cc2df50250ddb3c7eeac

SHA256
c02e3b41948e2f5178e6087eaa66593ed6cd06eddf57eeb86b8cf478826421b5

SHA512
011ad4e1394e7d279a93b1b3b59adfa0cb6f70d459a5633d8f848b864958e1c2e02fc6815c4593d20fa285fff249a1bc9a644641cb4964a86da4faca82353b47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
186KB

MD5
0eb352467781d75c6522900e39d7b3cf

SHA1
63c4f0f6f33c5370631e1078dbc37d9e159d982f

SHA256
df5cd6896d6943657501b91d088144267f78320493b8595c255f39660bf4e1da

SHA512
af51fe888e38e3a062eafde65df8b17381462a3d120c0ac2a24894cd5d75ae7462394d3c36c10fc4b876bb1a71e1f9783015515bed1ffb2e14312eb19deb74ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
50ba489a21f8b9b1a1f485c8034685c5

SHA1
238c425aa65ffa3dd08e34f7e6580cec6fb38a98

SHA256
d5f6d08d7348e5e47e313ff5c4b54efe9728532b3eee08574890e42fb9196ca8

SHA512
ced98093d520a1af80953529d830487af42e0eff53b386cc29419f2407ee00f505599b979e3c294a915b4fb39c8ace591df119fcb761a51f80d63cf4b72c37a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe

Filesize
8.5MB

MD5
cd32eed7ff292c4be642d7effbcb7a81

SHA1
168b1c3861b0ff480250284b70a6d57b8852a629

SHA256
2e8957863173f7c3ce0e966b7683c04c16c01bdd78e41b6dc2a4b91a1d8f9181

SHA512
597dd3315a05a0dc28a9fd31b24afbe4f6d2094fc95e8c3b5724368d5a15c97ad71c9dee178ae8ef467a32d8bc8aee304bb1b8e560bc964183ff1eaa610f83de

Download Submit
C:\Users\Admin\AppData\Local\Temp\LRGWPP2WW.exe

Filesize
7.3MB

MD5
4f0d9de0d534937dea9dcb479e3f09f7

SHA1
d99b0224a28d360cad57c3ee9b97b2ae1dcc9b74

SHA256
2daae00063e6141cfc30db8b7786566ff10feefa4ea65b4f9980a541a7a5c421

SHA512
11ed7f957eec283fc2846e00c8148c66c61538059bc659978c65d49b9c11500b7057deb8c1ea2f9e39b77a8c9d8df85774dcb41d24ca3e3254c46a2e23f2519b

Download Submit
C:\Users\Admin\AppData\Local\Temp\quubmrikb.exe

Filesize
27.6MB

MD5
cbd2d222fe6b60ec3ee2f0389a180dc5

SHA1
4648d3752b9f5e9c5c8cd2593794851654c60125

SHA256
1e806975407ff995659c6374f056b237f7b96a9da83977435b3bdf00fdb6e94b

SHA512
bafbec0555566430d0bdb5e6b95a6e7d8b495b9f93788babd294242f91ce30e95b5ec058f29bf6a2ee0a0250658839e7a8cf8f40a5c3b77551eb4fdbccb13d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir17592_604460794\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/4296-13146-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/4296-26240-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/4296-28-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/4296-42-0x0000000076700000-0x0000000076915000-memory.dmp

Filesize
2.1MB

Download
memory/4296-3941-0x0000000076300000-0x00000000764A0000-memory.dmp

Filesize
1.6MB

Download
memory/4296-5950-0x0000000077AD0000-0x0000000077B4A000-memory.dmp

Filesize
488KB

Download
memory/4296-13135-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/4296-13141-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/4296-13143-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/4296-13145-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/4296-13147-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/4296-13151-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download
memory/7036-30140-0x0000000076300000-0x00000000764A0000-memory.dmp

Filesize
1.6MB

Download
memory/7036-26266-0x0000000076700000-0x0000000076915000-memory.dmp

Filesize
2.1MB

Download
memory/7036-39353-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/7036-39356-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/7036-39355-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/7036-39352-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/7036-39350-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/7036-32149-0x0000000077AD0000-0x0000000077B4A000-memory.dmp

Filesize
488KB

Download
memory/7036-39373-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/13620-26246-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/13620-26248-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/13620-26258-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/13620-13165-0x0000000076700000-0x0000000076915000-memory.dmp

Filesize
2.1MB

Download
memory/13620-17039-0x0000000076300000-0x00000000764A0000-memory.dmp

Filesize
1.6MB

Download
memory/13620-19048-0x0000000077AD0000-0x0000000077B4A000-memory.dmp

Filesize
488KB

Download
memory/13620-26239-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/13620-26245-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/13620-26241-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/13620-26243-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download
memory/13620-26244-0x0000000000400000-0x0000000001FA5000-memory.dmp

Filesize
27.6MB

Download