gh0strat | 39243396378dc3cb8518cc7066078542a78a41d9c364dcf13a6dd31755aff025

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_b8011778039c766a9c0b06c4f9e90212_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Size

30.4MB
MD5

b8011778039c766a9c0b06c4f9e90212
SHA1

f223edc9b2006f69673768e1d7e0a429f9c91b8d
SHA256

39243396378dc3cb8518cc7066078542a78a41d9c364dcf13a6dd31755aff025
SHA512

0294aca91e79df8da569d887c426a17d17ebe6a785d1d2f0daf6aede9cf74c3a5905ff03b6a03f320a0e7902d0a67c4787a4528c7fcf1c9681d121ac2bfd2bf2
SSDEEP

393216:cj6Fuy2Eko3SfP7ewAArcVbiYZN/NzTNIOvh1UR8ChT4JSb6y43wjYPz95vO:cmD3UDAL5Rh1at+yUDP3m

Score

10^/10

gh0strat purplefox defense_evasion discovery execution rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/1136-253-0x000000002C190000-0x000000002C34E000-memory.dmp	purplefox_rootkit
behavioral1/memory/1136-258-0x000000002C190000-0x000000002C34E000-memory.dmp	purplefox_rootkit
behavioral1/memory/1136-259-0x000000002C190000-0x000000002C34E000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/1136-253-0x000000002C190000-0x000000002C34E000-memory.dmp	family_gh0strat
behavioral1/memory/1136-258-0x000000002C190000-0x000000002C34E000-memory.dmp	family_gh0strat
behavioral1/memory/1136-259-0x000000002C190000-0x000000002C34E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4872	powershell.exe

Executes dropped EXE 23 IoCs

pid	Process
4036	MHHqcyuFBAXhiZh.exe
5900	MHHqcyuFBAXhiZh.exe
5992	DetailUnderline.exe
5860	DeploymentFind.exe
3864	CJXeaoXxYmBNXbEL.exe
5696	updater.exe
4316	updater.exe
1412	updater.exe
5540	updater.exe
2976	updater.exe
6036	updater.exe
1520	DeploymentFind.exe
1532	DeploymentFind.exe
4396	IntegrityRadiant.exe
5608	IdentifyDiscover.exe
3916	IdentifyDiscover.exe
4016	DeploymentFind.exe
4312	DeploymentFind.exe
720	ServiceDetect.exe
5808	ServiceDetect.exe
5296	IdentifyDiscover.exe
5800	DetailUnderline.exe
1136	DetailUnderline.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Enumerates connected drives 3 TTPs 45 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	DetailUnderline.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	DetailUnderline.exe
File opened (read-only)	\??\S:	DetailUnderline.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	DetailUnderline.exe
File opened (read-only)	\??\Q:	DetailUnderline.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	DetailUnderline.exe
File opened (read-only)	\??\P:	DetailUnderline.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	DetailUnderline.exe
File opened (read-only)	\??\G:	DetailUnderline.exe
File opened (read-only)	\??\K:	DetailUnderline.exe
File opened (read-only)	\??\O:	DetailUnderline.exe
File opened (read-only)	\??\W:	DetailUnderline.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	DetailUnderline.exe
File opened (read-only)	\??\U:	DetailUnderline.exe
File opened (read-only)	\??\X:	DetailUnderline.exe
File opened (read-only)	\??\Z:	DetailUnderline.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	DetailUnderline.exe
File opened (read-only)	\??\N:	DetailUnderline.exe
File opened (read-only)	\??\R:	DetailUnderline.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	DetailUnderline.exe
File opened (read-only)	\??\V:	DetailUnderline.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	DetailUnderline.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ServiceDetect.exe.log	ServiceDetect.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DeploymentFind.exe.log	DeploymentFind.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_83F29ED1D5F129EB605BF640EBE52C8C	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_83F29ED1D5F129EB605BF640EBE52C8C	updater.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\IdentifyDiscover.exe.log	IdentifyDiscover.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WatchLocate\IntegrateOrganizerTrusty	msiexec.exe
File created	C:\Program Files\WatchLocate\HxCommModel.dll	MsiExec.exe
File created	C:\Program Files\WatchLocate\MHHqcyuFBAXhiZh.exe	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\uninstall.cmd	updater.exe
File opened for modification	C:\Program Files\WatchLocate\2_IntegrityRadiant.exe	MHHqcyuFBAXhiZh.exe
File opened for modification	C:\Program Files\WatchLocate\ServiceDetect.xml	MHHqcyuFBAXhiZh.exe
File opened for modification	C:\Program Files\TechnicianClarify	DetailUnderline.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\0dc043cb-4aa1-4b8d-88b3-2e0d81367d7d.tmp	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe57f915.TMP	updater.exe
File created	C:\Program Files (x86)\WatchLocate\HxCommModel.dll	msiexec.exe
File created	C:\Program Files\WatchLocate\IntegrityRadiant.exe	MsiExec.exe
File opened for modification	C:\Program Files\TechnicianClarify\DeploymentFind.wrapper.log	DeploymentFind.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\updater.exe	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\03507b04-7beb-4344-8f09-43152408c9b3.tmp	updater.exe
File created	C:\Program Files\SearchOutline\CJXeaoXxYmBNXbEL.exe	2025-04-02_b8011778039c766a9c0b06c4f9e90212_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
File created	C:\Program Files (x86)\WatchLocate\MHHqcyuFBAXhiZh.exe	msiexec.exe
File opened for modification	C:\Program Files\WatchLocate\2_DetailUnderline.exe	MHHqcyuFBAXhiZh.exe
File opened for modification	C:\Program Files\WatchLocate\DeploymentFind.xml	MHHqcyuFBAXhiZh.exe
File opened for modification	C:\Program Files\WatchLocate\IdentifyDiscover.exe	MHHqcyuFBAXhiZh.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	CJXeaoXxYmBNXbEL.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\uninstall.cmd	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe57d0dd.TMP	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files\WatchLocate\2_UpdateOutline.exe	MHHqcyuFBAXhiZh.exe
File created	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\03507b04-7beb-4344-8f09-43152408c9b3.tmp	updater.exe
File opened for modification	C:\Program Files\ControlEmphasize\ServiceDetect.wrapper.log	ServiceDetect.exe
File opened for modification	C:\Program Files\WatchLocate\IdentifyDiscover.wrapper.log	IdentifyDiscover.exe
File opened for modification	C:\Program Files\TechnicianClarify\DeploymentFind.wrapper.log	DeploymentFind.exe
File opened for modification	C:\Program Files\WatchLocate\DeploymentFind.exe	MHHqcyuFBAXhiZh.exe
File opened for modification	C:\Program Files\WatchLocate\IdentifyDiscover.xml	MHHqcyuFBAXhiZh.exe
File created	C:\Program Files\WatchLocate\UpdateOutline.exe	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\prefs.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File opened for modification	C:\Program Files\WatchLocate\IdentifyDiscover.wrapper.log	IdentifyDiscover.exe
File created	C:\Program Files\WatchLocate\bdeuiMMreplece.dll	MsiExec.exe
File opened for modification	C:\Program Files\ControlEmphasize	DetailUnderline.exe
File created	C:\Program Files (x86)\Google3864_731198230\updater.7z	CJXeaoXxYmBNXbEL.exe
File created	C:\Program Files (x86)\Google3864_731198230\bin\uninstall.cmd	CJXeaoXxYmBNXbEL.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files (x86)\chrome_url_fetcher_2976_805867180\-8a69d345-d564-463c-aff1-a69d9e530f96-_134.0.6998.178_all_jokgxrnp5esicq6ypegro2gjq4.crx3	updater.exe
File created	C:\Program Files (x86)\WatchLocate\bdeuiMMreplece.dll	msiexec.exe
File opened for modification	C:\Program Files\WatchLocate	DetailUnderline.exe
File created	C:\Program Files (x86)\Google3864_731198230\bin\updater.exe	CJXeaoXxYmBNXbEL.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files\ControlEmphasize\ServiceDetect.wrapper.log	ServiceDetect.exe
File opened for modification	C:\Program Files\WatchLocate\AchieveAdvisorDynamic	MHHqcyuFBAXhiZh.exe
File opened for modification	C:\Program Files\WatchLocate\IllustrateDrive.sys	MHHqcyuFBAXhiZh.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\0dc043cb-4aa1-4b8d-88b3-2e0d81367d7d.tmp	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe57ce9a.TMP	updater.exe
File opened for modification	C:\Program Files\WatchLocate\IdentifyDiscover.wrapper.log	IdentifyDiscover.exe
File created	C:\Program Files\WatchLocate\IntegrateOrganizerTrusty	MsiExec.exe
File created	C:\Program Files (x86)\Google3864_1641070497\UPDATER.PACKED.7Z	CJXeaoXxYmBNXbEL.exe
File opened for modification	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e577aed.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e577aed.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5752D351-0979-4E07-BBF1-911F1957AE27}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D4E.tmp	msiexec.exe
File created	C:\Windows\Installer\e577af1.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHHqcyuFBAXhiZh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DetailUnderline.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CJXeaoXxYmBNXbEL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IntegrityRadiant.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DetailUnderline.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DetailUnderline.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_b8011778039c766a9c0b06c4f9e90212_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DetailUnderline.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DetailUnderline.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	24	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	DetailUnderline.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	DetailUnderline.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-492 = "India Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	DetailUnderline.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	updater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	DetailUnderline.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	DetailUnderline.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	DetailUnderline.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	DetailUnderline.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\ = "IPolicyStatus3System"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib\ = "{D106AB5F-A70E-400E-A21B-96208C1D8DBB}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\132.0.6833.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\ = "IUpdaterCallbackSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{27634814-8E41-4C35-8577-980134A96544}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}\ = "IUpdateStateSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1588C1A8-27D9-563E-9641-8D20767FB258}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\ = "IPolicyStatus4System"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib\ = "{4DC034A8-4BFC-4D43-9250-914163356BB0}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib\ = "{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D624A353-7B91-5E8B-B5AC-AA415F46F083}\TypeLib\ = "{D624A353-7B91-5E8B-B5AC-AA415F46F083}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D624A353-7B91-5E8B-B5AC-AA415F46F083}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ = "IUpdaterAppStatesCallbackSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\132.0.6833.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatus"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\AppID = "{521FDB42-7130-4806-822A-FC5163FAD983}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\ = "IUpdaterObserverSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\ = "GoogleUpdater TypeLib for IAppWebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1588C1A8-27D9-563E-9641-8D20767FB258}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib\ = "{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\153D2575979070E4BB1F19F19175EA72\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\132.0.6833.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F966A529-43C6-4710-8FF4-0B456324C8F4}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\132.0.6833.0\\updater.exe\\6"	updater.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4444	msiexec.exe
4444	msiexec.exe
4872	powershell.exe
4872	powershell.exe
4872	powershell.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe
5992	DetailUnderline.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4584	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4584	msiexec.exe
Token: SeSecurityPrivilege	4444	msiexec.exe
Token: SeCreateTokenPrivilege	4584	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4584	msiexec.exe
Token: SeLockMemoryPrivilege	4584	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4584	msiexec.exe
Token: SeMachineAccountPrivilege	4584	msiexec.exe
Token: SeTcbPrivilege	4584	msiexec.exe
Token: SeSecurityPrivilege	4584	msiexec.exe
Token: SeTakeOwnershipPrivilege	4584	msiexec.exe
Token: SeLoadDriverPrivilege	4584	msiexec.exe
Token: SeSystemProfilePrivilege	4584	msiexec.exe
Token: SeSystemtimePrivilege	4584	msiexec.exe
Token: SeProfSingleProcessPrivilege	4584	msiexec.exe
Token: SeIncBasePriorityPrivilege	4584	msiexec.exe
Token: SeCreatePagefilePrivilege	4584	msiexec.exe
Token: SeCreatePermanentPrivilege	4584	msiexec.exe
Token: SeBackupPrivilege	4584	msiexec.exe
Token: SeRestorePrivilege	4584	msiexec.exe
Token: SeShutdownPrivilege	4584	msiexec.exe
Token: SeDebugPrivilege	4584	msiexec.exe
Token: SeAuditPrivilege	4584	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4584	msiexec.exe
Token: SeChangeNotifyPrivilege	4584	msiexec.exe
Token: SeRemoteShutdownPrivilege	4584	msiexec.exe
Token: SeUndockPrivilege	4584	msiexec.exe
Token: SeSyncAgentPrivilege	4584	msiexec.exe
Token: SeEnableDelegationPrivilege	4584	msiexec.exe
Token: SeManageVolumePrivilege	4584	msiexec.exe
Token: SeImpersonatePrivilege	4584	msiexec.exe
Token: SeCreateGlobalPrivilege	4584	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 5840 wrote to memory of 4584	5840	2025-04-02_b8011778039c766a9c0b06c4f9e90212_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	93
PID 5840 wrote to memory of 4584	5840	2025-04-02_b8011778039c766a9c0b06c4f9e90212_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	93
PID 5840 wrote to memory of 4584	5840	2025-04-02_b8011778039c766a9c0b06c4f9e90212_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	93
PID 4444 wrote to memory of 5588	4444	msiexec.exe	96
PID 4444 wrote to memory of 5588	4444	msiexec.exe	96
PID 5588 wrote to memory of 4872	5588	MsiExec.exe	97
PID 5588 wrote to memory of 4872	5588	MsiExec.exe	97
PID 5588 wrote to memory of 5884	5588	MsiExec.exe	100
PID 5588 wrote to memory of 5884	5588	MsiExec.exe	100
PID 5884 wrote to memory of 4036	5884	cmd.exe	102
PID 5884 wrote to memory of 4036	5884	cmd.exe	102
PID 5884 wrote to memory of 4036	5884	cmd.exe	102
PID 5588 wrote to memory of 2908	5588	MsiExec.exe	103
PID 5588 wrote to memory of 2908	5588	MsiExec.exe	103
PID 2908 wrote to memory of 5900	2908	cmd.exe	107
PID 2908 wrote to memory of 5900	2908	cmd.exe	107
PID 2908 wrote to memory of 5900	2908	cmd.exe	107
PID 5588 wrote to memory of 5992	5588	MsiExec.exe	108
PID 5588 wrote to memory of 5992	5588	MsiExec.exe	108
PID 5588 wrote to memory of 5992	5588	MsiExec.exe	108
PID 5992 wrote to memory of 3864	5992	DetailUnderline.exe	112
PID 5992 wrote to memory of 3864	5992	DetailUnderline.exe	112
PID 5992 wrote to memory of 3864	5992	DetailUnderline.exe	112
PID 3864 wrote to memory of 5696	3864	CJXeaoXxYmBNXbEL.exe	113
PID 3864 wrote to memory of 5696	3864	CJXeaoXxYmBNXbEL.exe	113
PID 3864 wrote to memory of 5696	3864	CJXeaoXxYmBNXbEL.exe	113
PID 5696 wrote to memory of 4316	5696	updater.exe	114
PID 5696 wrote to memory of 4316	5696	updater.exe	114
PID 5696 wrote to memory of 4316	5696	updater.exe	114
PID 1412 wrote to memory of 5540	1412	updater.exe	116
PID 1412 wrote to memory of 5540	1412	updater.exe	116
PID 1412 wrote to memory of 5540	1412	updater.exe	116
PID 2976 wrote to memory of 6036	2976	updater.exe	118
PID 2976 wrote to memory of 6036	2976	updater.exe	118
PID 2976 wrote to memory of 6036	2976	updater.exe	118
PID 1532 wrote to memory of 4396	1532	DeploymentFind.exe	123
PID 1532 wrote to memory of 4396	1532	DeploymentFind.exe	123
PID 1532 wrote to memory of 4396	1532	DeploymentFind.exe	123
PID 5296 wrote to memory of 5800	5296	IdentifyDiscover.exe	142
PID 5296 wrote to memory of 5800	5296	IdentifyDiscover.exe	142
PID 5296 wrote to memory of 5800	5296	IdentifyDiscover.exe	142
PID 5800 wrote to memory of 1136	5800	DetailUnderline.exe	145
PID 5800 wrote to memory of 1136	5800	DetailUnderline.exe	145
PID 5800 wrote to memory of 1136	5800	DetailUnderline.exe	145

C:\Users\Admin\AppData\Local\Temp\2025-04-02_b8011778039c766a9c0b06c4f9e90212_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_b8011778039c766a9c0b06c4f9e90212_frostygoop_gcleaner_poet-rat_sliver_snatch.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5840
- C:\Windows\SysWOW64\msiexec.exe
  msiexec /i C:\ProgramData\gcjMwhAdMDgEeaaZ /qn
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4584

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 6C66159AF79646A6A033D1848D11EB72 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:5588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WatchLocate','C:\Program Files\TechnicianClarify','C:\Program Files\ControlEmphasize'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ""C:\Program Files\WatchLocate\MHHqcyuFBAXhiZh.exe" x "C:\Program Files\WatchLocate\IntegrateOrganizerTrusty." -f -to "C:\Program Files\WatchLocate" -key "@9)30AarTUjBAutomateBuilderTrusty""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5884
  - - C:\Program Files\WatchLocate\MHHqcyuFBAXhiZh.exe
      "C:\Program Files\WatchLocate\MHHqcyuFBAXhiZh.exe" x "C:\Program Files\WatchLocate\IntegrateOrganizerTrusty." -f -to "C:\Program Files\WatchLocate" -key "@9)30AarTUjBAutomateBuilderTrusty"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4036
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ""C:\Program Files\WatchLocate\MHHqcyuFBAXhiZh.exe" x "C:\Program Files\WatchLocate\AchieveAdvisorDynamic." -not "1_DetailUnderline.exe" -not "sss" -not "UuovEfPLBaztjuP" -not "1_//__EDRFILENAME1__" -not "" -not "1_IntegrityRadiant.exe" -not "1_UpdateOutline.exe" -not "sa" -f -to "C:\Program Files\WatchLocate" -key "@;128vJAukaaSustainBuilderNimble""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Program Files\WatchLocate\MHHqcyuFBAXhiZh.exe
      "C:\Program Files\WatchLocate\MHHqcyuFBAXhiZh.exe" x "C:\Program Files\WatchLocate\AchieveAdvisorDynamic." -not "1_DetailUnderline.exe" -not "sss" -not "UuovEfPLBaztjuP" -not "1_//__EDRFILENAME1__" -not "" -not "1_IntegrityRadiant.exe" -not "1_UpdateOutline.exe" -not "sa" -f -to "C:\Program Files\WatchLocate" -key "@;128vJAukaaSustainBuilderNimble"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:5900
- - C:\Program Files\WatchLocate\DetailUnderline.exe
    "C:\Program Files\WatchLocate\DetailUnderline.exe" -WatchLocated Watch -WatchLocateS Locat -WatchLocateP 1007
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5992
  - - C:\Program Files\SearchOutline\CJXeaoXxYmBNXbEL.exe
      "C:\Program Files\SearchOutline\CJXeaoXxYmBNXbEL.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Program Files (x86)\Google3864_731198230\bin\updater.exe
        
        "C:\Program Files (x86)\Google3864_731198230\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={1B5B4C03-7369-8C4F-1A7A-4D9FACA7609D}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/enterprise_companion/*=2,*/chrome/updater/*=2
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5696
      - C:\Program Files (x86)\Google3864_731198230\bin\updater.exe
        
        "C:\Program Files (x86)\Google3864_731198230\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=132.0.6833.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0xf29488,0xf29494,0xf294a0
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4316

C:\Program Files\TechnicianClarify\DeploymentFind.exe
"C:\Program Files\TechnicianClarify\DeploymentFind.exe" install
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5860

C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=132.0.6833.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x1139488,0x1139494,0x11394a0
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5540

C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=132.0.6833.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x1139488,0x1139494,0x11394a0
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:6036

C:\Program Files\TechnicianClarify\DeploymentFind.exe
"C:\Program Files\TechnicianClarify\DeploymentFind.exe" start
1⤵
- Executes dropped EXE
PID:1520

C:\Program Files\TechnicianClarify\DeploymentFind.exe
"C:\Program Files\TechnicianClarify\DeploymentFind.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files\TechnicianClarify\IntegrityRadiant.exe
  "C:\Program Files\TechnicianClarify\IntegrityRadiant.exe" -TechnicianClarifyd Technici -TechnicianClarifyS anClarif -TechnicianClarifyP 1196
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4396

C:\Program Files\WatchLocate\IdentifyDiscover.exe
"C:\Program Files\WatchLocate\IdentifyDiscover.exe" install
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5608

C:\Program Files\WatchLocate\IdentifyDiscover.exe
"C:\Program Files\WatchLocate\IdentifyDiscover.exe" start
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3916

C:\Program Files\TechnicianClarify\DeploymentFind.exe
"C:\Program Files\TechnicianClarify\DeploymentFind.exe" install
1⤵
- Executes dropped EXE
PID:4016

C:\Program Files\TechnicianClarify\DeploymentFind.exe
"C:\Program Files\TechnicianClarify\DeploymentFind.exe" start
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4312

C:\Program Files\ControlEmphasize\ServiceDetect.exe
"C:\Program Files\ControlEmphasize\ServiceDetect.exe" install
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:720

C:\Program Files\ControlEmphasize\ServiceDetect.exe
"C:\Program Files\ControlEmphasize\ServiceDetect.exe" start
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5808

C:\Program Files\WatchLocate\IdentifyDiscover.exe
"C:\Program Files\WatchLocate\IdentifyDiscover.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5296
- C:\Program Files\WatchLocate\DetailUnderline.exe
  "C:\Program Files\WatchLocate\DetailUnderline.exe" -WatchLocated Watch -WatchLocateS Locat -WatchLocateP 1017
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:5800
- - C:\Program Files\WatchLocate\DetailUnderline.exe
    "C:\Program Files\WatchLocate\DetailUnderline.exe" -WatchLocated Watch -WatchLocateS Locat -WatchLocateP 1010
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e577af0.rbs

Filesize
7KB

MD5
1c4fb1cf49cb0578e683c166ea3ca8cb

SHA1
6f537646977302cb01be823c821f98f34cedd73f

SHA256
8c02bfed91480b36359a879afe7aa95fd58af72073a44dc1b2123beaf52771d2

SHA512
b1bbfb16f6d12c0184609c8c29f17be452af96fa64a70d8d4d1fd85918d3766e193a906b1d1e7d80d981f449e446d35d5ec6b9a338cc13fea8cb6e2950a5e6eb

Download Submit
C:\Program Files (x86)\Google3864_731198230\bin\updater.exe

Filesize
5.3MB

MD5
9db9d09b6a58e5c09773f754504ac148

SHA1
7cd31865c0858319128bbd2483c19f59b7208cea

SHA256
c294551059a85542127811249b8e725d3ab885efdd4996b201db588899769e85

SHA512
80a036cc6d42e72bf6be634c6134945750da105ab7e026c2e53e0a02362db3101acd9402b0383bcedc9dfb29b3a87cb0951191fdcf4d29a780d5380c6ad6a05f

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad\settings.dat

Filesize
40B

MD5
3b58fc442b057e4bafefe6cb834b4728

SHA1
c5ae37bc14cada95e2254685b1f4efee0f286a1d

SHA256
9d3eb2563353187d096145f5a140045890cd69dcd1e090b67d7da544543ba58d

SHA512
f69adb38742f64c0955373b9b4d028d630ae5267c855b11e56e2909212d188513a3b3f49555c139be1c98f750d32cb75d7ba842a9926c4231f1c79cecac4e2cc

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\prefs.json

Filesize
19B

MD5
aa2d0c0c72bb528cf4168ea91c1c9a56

SHA1
67be5a0c29b13b92dd86ba935f605c4ba7eea2cc

SHA256
e03e9d262ca3b7d19e37c3a69c7d8b46bd3f5542aa555a17d864071c28257b2c

SHA512
6bdb9a72b73f11f7627e6fca0ee1d417201b038cb255d445dd29e5f27de08e99a6c4729c4c893ffe97e4bc1835532879c47cceaa051f07b3cdad06ad17b2d5e7

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
415B

MD5
eed1680f7a1ce427b96cf8911c1d1123

SHA1
4664cf6272090a9446ac5087c6cbadc362244032

SHA256
5409640bc7d2d6ca30130d8e08fedc755ad8516c7fe83bd3a5cbd391fe020d5e

SHA512
f76b779a4a3fad40262fb614b9a487163118907c8e26243e038c048402759de9b9fdebcf096cab1b33c4cbe443dee3f1479536fa956c378109dd30b1aa8af67e

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
414B

MD5
203ecc1ee2c0a7b8ff683e55c9e33f90

SHA1
b65006df55e81e38758d697fc2d993b1781b602b

SHA256
ff5dfe3b0a83b65202c4bcfd00ff6261776a05a64bddb73c85b94e2b84dfce1f

SHA512
e48a09f6f79187107f7fb0878cc144f14de39ae0a1084447c9370c2729ea0395830f2b1dd11a8aad9f339afb739d39c9f62e7d2e483b8e728e12b844b17cbb28

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
534B

MD5
088b99562f1fef41b311c98d23da3a29

SHA1
6b2d0e8fd28d92c0c11b24242dbe83dc86ab5468

SHA256
588a448ed9015bbdd3d712ff9c0f30d658dd2dc504f510620a55399e9d65fe1a

SHA512
51d73b62d46bcf39a8347d2fc9579d128b6ef28daff442a8c5bf47ecc41e0ff657d773dd89297a1e54164c824d7981e48865e94be477db1bf7352067735f4853

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
22KB

MD5
99a4c8bf6be6339fdce4b4a71901e961

SHA1
3a266ae2a32b9dc451750f90ff98ffefea793c95

SHA256
d510cc7012562ddd66d21cc829f712536eb506e08085cb6baf3fb55e2e924e53

SHA512
1e36f15d3154e0fb83ab7de2cfabf5243644fd4f1f31d8d8b1d687cdcdb9ca999981d74449ce0f2ee934d1e067af3ec5119ba42106670f373d0cddf3030b1c34

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
23KB

MD5
b9df76667937399321b29749d8760dfd

SHA1
1253932252b9b794c3351e02e17b88d70fd386f2

SHA256
c5fe239f4dbf74e4ea98da2a055595ecb00a40a64f1a43390a34029fa61c806d

SHA512
258e282316a9d4a3255178b1d2804f669c4a8c73fd2d9a6205153f0f8d09c7224cb37be23e3f0af1b2550185e2d3743e16bf1cbd714d88455cc6bb4214a11dec

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
25KB

MD5
dfc6976adb0d3b9ef8fbe28b1c9ad900

SHA1
1fa93485e831df07c08f40cbeacd8d17cfbeee77

SHA256
d72ff23fa9ca79461613d44ba02cdd495711dc330c96330423d0c7c71269873d

SHA512
9eb9d1eec592b804a6ed1e67627cbe57afffeacb275098d3aea61f4d279a98454ad22089f1f486814bfc5dc31e47bf12260f7df6a39652e5e4faa85068179d9a

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
26KB

MD5
bd9f1eb4d57b1166723dfd39789c6a57

SHA1
1e93f43715da71532e251119abad22451658ba19

SHA256
1675e397744fc7535b647bf3a0cdec3f92ed03d149542ea61e14e02cffaff00d

SHA512
3aa6591f62df736deb010c293f06999ea94d7d71b93661ee0a3c5f296107c3c59e5d0c7d84e3c35c4899538bf1b64ff2f204a025c0bd99c0fcc44f563498f77b

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
31KB

MD5
05f1c4e25360a6456299d2a148b77063

SHA1
4975e0e6ae7eb75227dc65cc774e0b5b490350cc

SHA256
70f9d165dcfca34dfce7dee9beeccc9a59a90e37cf86935c5c1d8afc007a4b1a

SHA512
6efede390f062e052a402758a8ede7508c14f27ee44de5dec9f9fff93ca81d66d8d5caa65239c1469ddd29a3f145389b342d642dff01490cc1b46ddb6edcd407

Download Submit
C:\Program Files (x86)\WatchLocate\IntegrateOrganizerTrusty

Filesize
10.7MB

MD5
1d18bfe76c4e859ae587c5464b57381e

SHA1
fe24ff5892c579e650ac6148adc5e5dccb647703

SHA256
e3c0854475508dae9e4504b95ac1af1776beefb22525cc7b8f7fb2fe89f04100

SHA512
fb1a393378332572b929d1da110802c513ebdd8e2b41bafb36f0dc16554c81072794a09d0cbaed6f735877237d0d4071086c2555803ceb39f5183fd57a2c5ed8

Download Submit
C:\Program Files (x86)\WatchLocate\MHHqcyuFBAXhiZh.exe

Filesize
1.0MB

MD5
0c28f2ab0db226962e61a1bbf39d0c2a

SHA1
5096f4959c0f4ba1d27ddd7181a1848d21603bd9

SHA256
7e2642901ff6760edfa8204e1f1261e6acb826d4f36b2fcf017de42ccbd506d4

SHA512
7412d8e9327e111f83651bb9078bb6a72ffd750b6e1e4d8862fabb376901362b1ce507a5fafacd19d084610e2a82ab2eb72112c0f7fd467d8a9670469be5e9b3

Download Submit
C:\Program Files (x86)\WatchLocate\bdeuiMMreplece.dll

Filesize
211KB

MD5
cdc4f8d59c67e9fb34d63506f8066fc3

SHA1
49848298a4a44887e2e09eaa19f9f08bfae58b7e

SHA256
9e90ca7b5b79811b13b4c395d2d255200f9c432d1eb6dbc73430476da58cd300

SHA512
3263dd60c2fdb8773f186124b8ce39ffb7766da11a4b40efddb3b61346aa6a82b711f23023577f5eb22cc373951441e360d5b7cf82ef6b6f4402096fddf7de0c

Download Submit
C:\Program Files\SearchOutline\CJXeaoXxYmBNXbEL.exe

Filesize
9.9MB

MD5
75cbdf7efaac4e9dd65a713f9ef3625b

SHA1
9b3197c315841ef6ce628884dd75284e349f3555

SHA256
d94f48d876e56f0c3465b7808387023b617a6e747137271a1012e7e48b031dfb

SHA512
62e750aa0364e5e82a50e26149608c462168ea4365bc26994c2edd1a16888f342eb56ed38bf2a92e9333f82e161af657c2961b62fcdccc51922d3ae80a44cbb7

Download Submit
C:\Program Files\TechnicianClarify\DeploymentFind.wrapper.log

Filesize
272B

MD5
1dc03db9a085a34e131e3b13faeb7df5

SHA1
aac3c5a2f657f7713488813f1998de42ec63771d

SHA256
ff4c53ecef6a9b0a99230478da14e8f7121bb1925821fc54d2e184b39fc14f76

SHA512
e0516789ab33cd20bb1a1d093535fb1172b7c0dc1c66bdb1b4d93677fe7eef98bdbc9d0653f427d69dd61e33fb8295de61cc334addac6301c0f04fe82aa15268

Download Submit
C:\Program Files\TechnicianClarify\DeploymentFind.wrapper.log

Filesize
355B

MD5
10a63c16410d827bde79bfd653a982e9

SHA1
2a87409c2a74b6c128acf9de9e7829d531a48dd2

SHA256
6655ef36af04a28d43246ceafe936ebe08de0abeceb4fdf4913cc1e8729b5b67

SHA512
e1f4febd3026abf4aa5562d9b5ef6d1d0ca0f1caa2d706b94fbb7872dd29c1657467467f2fca72315f594c8501b6ea38517b58f887e8a66043d1492ddb1ed0bd

Download Submit
C:\Program Files\TechnicianClarify\DeploymentFind.wrapper.log

Filesize
482B

MD5
352f6a4f9db9902370d47c8fd8e00fce

SHA1
d617f1ecc250d25f15f501985a5454cb331755d4

SHA256
1cb8e3591fae8c1d2ebd38dc1a5db24fd2b9a604d852ce228ac654bc77dce07c

SHA512
3a3084909bf566fbd4eab0c2d881f56bdfb67915ba254be8d68ca600497f18ae78f6aef65dd7ec8abd934a6c35e11b2ded89159255366e39f95cbe06abb5febc

Download Submit
C:\Program Files\TechnicianClarify\DeploymentFind.wrapper.log

Filesize
663B

MD5
afb80f5e12ec86aff76d36079d6f0b0f

SHA1
70f3e7ce5d523848c59e0fa6152091ea647ec8d8

SHA256
bacf456b547edf5cd94c33d0f443760fc894f1e4eb61b160974a5d4d2b4ff8fa

SHA512
9d34c877fce822bc4a7daebbaf644c311f4a589f9b1bb132c94dc97a8639be0bc98bc81d819e4c5abcc1071db20227274bff74402027025b74ce306ed1e5070a

Download Submit
C:\Program Files\TechnicianClarify\DeploymentFind.wrapper.log

Filesize
854B

MD5
b760265b55b16ff6437e7ae591d49984

SHA1
9e52cb7832e9f5b2a682f07b8cb39b1f53367682

SHA256
0ba5e9e1f63c5e85a258f61de59b083a1e3f54621ab526b1ab8bb1ebdd7c4505

SHA512
bc73d0739657d5ff7e0f6a3015adae21dff0e9579f51d07591bcf315905418065a78fb3ece4206a81ce6db67dab8fc375c8917f2bea8905b3c1aa7ec4d1d2746

Download Submit
C:\Program Files\TechnicianClarify\DeploymentFind.wrapper.log

Filesize
918B

MD5
eb4e5324e17b6388f57dddd826140a75

SHA1
fd409bbd13bccd7d66896f60f97267c8053e1ea9

SHA256
9a6552d0db25279b3fc61537fbf2f6f0dcae7c4cc0f056b77b17369248831ba9

SHA512
ed252c87b19820eacfb7d641752910bd5c46ae37abeae0a5057ac35419d8511b7a7111d56ad63b04ee1fa557d57c91d19ad19fc280922204b2012a521f4566c1

Download Submit
C:\Program Files\WatchLocate\2_DetailUnderline.exe

Filesize
9.1MB

MD5
51982d054827554198b0bf8758432b17

SHA1
1eb2a4efe16310dfe4d10134c2c6d593cee4b77e

SHA256
8228a1095bb453c5f6fadaddcefae6a32b46bab6ac0b2a5692789d52234612da

SHA512
c2fa91764af3bf22ed502437cac9045703db6255b19aed6e84b4c3045ee2f3c623292a75bbaa1c58910ba348d505741d303e92a7ed377a6ee7f86da77a05b803

Download Submit
C:\Program Files\WatchLocate\2_IntegrityRadiant.exe

Filesize
8.7MB

MD5
406be85342b7857344710ca1a5ea2fe6

SHA1
a4d625289a0019754aba42b4478aa779401efac4

SHA256
06efd8e371b3f38ab44682417fd073162725e75da58ade48b807cfdeaacd6fda

SHA512
ae58d8d8c106229ea27ac1fa5a311a50078b5a5d3c35bf99481631bf00b89b521ea825430a1f3ab25e7493de4ff81b61e2d06b12ca995f6e0343b764d2ec8995

Download Submit
C:\Program Files\WatchLocate\2_UpdateOutline.exe

Filesize
9.7MB

MD5
b999867743de2ad43fadccded5b2132b

SHA1
95063595fae52d1747c47fc7482e8abadb64d9e9

SHA256
20e401ba5ab6273e3a85482d6bfd58d24c2c0eff43dde5daf4c0801c52c8e8e5

SHA512
8b6e72443006483741faa55f165bc4e8cfc387758c538127b941ad42fb555e7d50896e15dda639ffd0abf1614717a5be6440bc59995639818ed27b1fe3fdb2fb

Download Submit
C:\Program Files\WatchLocate\AchieveAdvisorDynamic

Filesize
10.7MB

MD5
185fd3aece8285912981a7e4e04d759a

SHA1
6f4261a89d94928a47e019186a3caafd9dfa2422

SHA256
7a36043803cc95da035f8b25d78bd9947ba519de3fe81da1aff0506ab0ce6aff

SHA512
ba450e3728ac1aac3c083fb7e6b7e1d22a46d1ae14dc6e4b44c98c3e21041c1eaee79442ed3d528ec7a98c3918fc1f7c225e691835d5664b0e8a96cbe2891aaa

Download Submit
C:\Program Files\WatchLocate\DeploymentFind.xml

Filesize
484B

MD5
732201b6d1987ff6ecfc81af601514d4

SHA1
747774b1b3ded5306e1f7075347c626f8591d43e

SHA256
8bf400dba85a129eb12f4b58dece11b22bcaee7afdc2d630d4800d4eda5e6a99

SHA512
0a68a6fd3617f12707b871a276b444c5dae2c84a1b18c66e1eabc82c7aba9c3dd24991ee4cf4c16f521d2184c2028c4b5aa890f134294ce02c590e7f850f6b1a

Download Submit
C:\Program Files\WatchLocate\IdentifyDiscover.xml

Filesize
442B

MD5
7e31597fe17d4f6507aa429a6d77ee85

SHA1
08520c47e42813ba8ef1c1a1132d600fcd0260c1

SHA256
7c3efc5b9af19b759dc19934129a9c97466f13f999d4fa708014178e619583e2

SHA512
d88dccc7e3b3568b040f5704f37f3c12f2f5e8cf7254a94941e1e1cf1ffe22b2b4ff98d5c171823671d32dd9e4d2f5d87a263ef8cf83df0548473a259db22917

Download Submit
C:\Program Files\WatchLocate\IllustrateDrive.sys

Filesize
470KB

MD5
66437b33e0ea17f60cc706dab25d2677

SHA1
c26ec34ee4bc0552f0c1d4310c313a3814de262e

SHA256
8b4dc968351e1ce21a46c4fab3d769845f1508e17d0f4a2bf56652eb6437c449

SHA512
843d8a82d520007c7602a8c4fe62c2393a8abed939e705f55d3072460834fb32c5e3d29a9343539188218af60a789e9ca2bf3ab1551e246d0a74469a4dddfe7c

Download Submit
C:\Program Files\WatchLocate\ServiceDetect.exe

Filesize
606KB

MD5
4e85cc36adc996c3ddd3a9825d4b7f73

SHA1
e5aa0e5db7d9fd27e2a0484f3fd6c322fc5ee97f

SHA256
7b36e127e1fa53e0c6462312777c5d004ea83bde67e6df32fb8920b6c001d664

SHA512
2d7b7c5eb54cf68a218fca7239c0e194af0b81796e621bc039edccea64b60a202670a47af207988467a8c25584cef96a6652f52d53464ce3cf01006c680f2980

Download Submit
C:\Program Files\WatchLocate\ServiceDetect.xml

Filesize
483B

MD5
d914e1e848b2a87881f4b686c3c7040f

SHA1
37ffdf35a87de770165be57152e58a2d0be93253

SHA256
8585e3e32a2e5f48f6099361c072f3192ce073dfbee0ebed1497d151ea6f22aa

SHA512
6cc1a472bf569a7b014faf01eb48b430f5917f4fadc660ac7da0d691b31f6e52a217427491c943bee26cb992347235cbd1ad27f17444b17018d2c66964685e84

Download Submit
C:\ProgramData\gcjMwhAdMDgEeaaZ

Filesize
11.2MB

MD5
10087950f7f453230bbe2ad5644b9631

SHA1
a4a5d8c4e220572a63ad6226b647aaa69823d521

SHA256
b4da9208b075ddd13b89b7d220b2b6cacd117c505bc6a8ffa295b2d4534702c6

SHA512
477e0ce1bfe35acbfc451871602fe332c96097ec4fcd35beb33544800fb27d753f27a7ca18f7a95a2ce037fe17f49d7816946a3925523160becc1e71d06ae08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3bbevyy.e1r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DeploymentFind.exe.log

Filesize
1KB

MD5
2da44f7c2b3721a44a3760ab180ca05e

SHA1
ce3325e28e5911967b403fee03f6cbf6b1b303af

SHA256
7253a1555ca5787509e338a9b09e6bd99f9db0ac6102baf21ca632ca8f8380d4

SHA512
78d1cf7ea933c0d61426604c5010dde5d3111dcb1a0de2f1bb218b2bc654685de6830245e1a20efcb20b6cd16f0df862b75aa98b2ac467b3e6a66dfffe6ae1ee

Download Submit
memory/1136-258-0x000000002C190000-0x000000002C34E000-memory.dmp

Filesize
1.7MB

Download
memory/1136-252-0x000000002A590000-0x000000002A5D8000-memory.dmp

Filesize
288KB

Download
memory/1136-253-0x000000002C190000-0x000000002C34E000-memory.dmp

Filesize
1.7MB

Download
memory/1136-259-0x000000002C190000-0x000000002C34E000-memory.dmp

Filesize
1.7MB

Download
memory/4036-37-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/4396-192-0x000000002A1D0000-0x000000002A24B000-memory.dmp

Filesize
492KB

Download
memory/4396-198-0x000000002A1D0000-0x000000002A24B000-memory.dmp

Filesize
492KB

Download
memory/4396-184-0x000000002A100000-0x000000002A14A000-memory.dmp

Filesize
296KB

Download
memory/4872-19-0x000001B7AD600000-0x000001B7AD622000-memory.dmp

Filesize
136KB

Download
memory/5860-103-0x00000000001E0000-0x000000000027E000-memory.dmp

Filesize
632KB

Download
memory/5900-62-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/5992-88-0x000000002A200000-0x000000002A22C000-memory.dmp

Filesize
176KB

Download
memory/5992-105-0x000000002A280000-0x000000002A2C8000-memory.dmp

Filesize
288KB

Download
memory/5992-100-0x000000002A280000-0x000000002A2C8000-memory.dmp

Filesize
288KB

Download