redline | bc677d2df4c9acb50253987d5904b573c12e62661923a022194ae09e103e8144

Resubmissions

29-06-2024 20:27

240629-y8r5rayfjl 10

29-06-2024 20:19

240629-y4ad5svfmc 7

Analysis

max time kernel
780s
max time network
784s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChromeSetup.exe
Size

8.0MB
MD5

4641579bd234f353da345f009bf460ea
SHA1

5a0201eddda21cf7f6156495f99da66b4715cb01
SHA256

bc677d2df4c9acb50253987d5904b573c12e62661923a022194ae09e103e8144
SHA512

1b68e095ae7d578ee31e5d4d8a2978499d3c5164708a1d0cdd2fec9448e0542e4201738755ce82a6b5d890ad5cd79c40faf96502f182232d9aeab02e27d5c2ff
SSDEEP

196608:bWi1ZYP2rPma7ts+ndryl6xmrsUbX1YmbWxAnwvS:b7e2rua7tsedwrsUbX1YcWxAnw

Score

10^/10

redline xmrig discovery evasion execution infostealer miner persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/5896-2900-0x0000000000410000-0x0000000000472000-memory.dmp family_redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

resource	yara_rule
behavioral1/memory/5896-2900-0x0000000000410000-0x0000000000472000-memory.dmp	family_redline

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2792-3029-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2792-3030-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2792-3032-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2792-3034-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2792-3035-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2792-3036-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2792-3033-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2792-3042-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4416 powershell.exe
628 powershell.exe
2896 powershell.exe
4260 powershell.exe
6112 powershell.exe
4792 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4416	powershell.exe
628	powershell.exe
2896	powershell.exe
4260	powershell.exe
6112	powershell.exe
4792	powershell.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2792-3025-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2792-3028-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2792-3029-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2792-3030-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2792-3027-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2792-3026-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2792-3024-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2792-3032-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2792-3034-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2792-3035-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2792-3036-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2792-3033-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2792-3042-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\126.0.6478.127\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

updater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	process
1132	powercfg.exe
4752	powercfg.exe
5396	powercfg.exe
3488	powercfg.exe
5080	powercfg.exe
4664	powercfg.exe
3324	powercfg.exe
4344	powercfg.exe
3636	powercfg.exe
3548	powercfg.exe
5696	powercfg.exe
1564	powercfg.exe
2248	powercfg.exe
5296	powercfg.exe
5232	powercfg.exe
3424	powercfg.exe

Checks computer location settings 2 TTPs 33 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	chrome.exe

Drops file in System32 directory 15 IoCs

Processes:

leirdnhqqedj.exeWeMod.exepowershell.exeleirdnhqqedj.exesetup.exepowershell.exeleirdnhqqedj.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	leirdnhqqedj.exe
File opened for modification	C:\Windows\system32\MRT.exe	WeMod.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\5724.obs	leirdnhqqedj.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}	leirdnhqqedj.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}	leirdnhqqedj.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\4788.obs	leirdnhqqedj.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\5852.obs	leirdnhqqedj.exe
File opened for modification	C:\Windows\system32\MRT.exe	leirdnhqqedj.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}	leirdnhqqedj.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

WeMod.exeleirdnhqqedj.exeleirdnhqqedj.exeleirdnhqqedj.exe

pid process

5936 WeMod.exe
5852 leirdnhqqedj.exe
4788 leirdnhqqedj.exe
5724 leirdnhqqedj.exe

pid	process
5936	WeMod.exe
5852	leirdnhqqedj.exe
4788	leirdnhqqedj.exe
5724	leirdnhqqedj.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

leirdnhqqedj.exeleirdnhqqedj.exe

description	pid	process	target process
PID 5852 set thread context of 4212	5852	leirdnhqqedj.exe	conhost.exe
PID 5852 set thread context of 2792	5852	leirdnhqqedj.exe	explorer.exe
PID 4788 set thread context of 1656	4788	leirdnhqqedj.exe	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 8 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	chrome.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exeupdater.exe7z2407-x64.exe126.0.6478.127_chrome_installer.exeupdater.exechrome.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\VisualElements\LogoBeta.png	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\18e63e41-1902-47a6-b31a-cd0b45298589.tmp	updater.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2407-x64.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\CR_53831.tmp\CHROME.PACKED.7Z	126.0.6478.127_chrome_installer.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\Locales\ms.pak	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2407-x64.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\e0b7b584-bd20-4111-9141-23c7bb2c073a.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\vulkan-1.dll	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3580_1939685702\manifest.fingerprint	chrome.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2407-x64.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\126.0.6478.127_chrome_installer.exe	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\80268a61-498e-4ae4-a508-26e82e6f73d5.tmp	updater.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2407-x64.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\manifest.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\libEGL.dll	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2407-x64.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\Locales\tr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\VisualElements\LogoDev.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\dxcompiler.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\eventlog_provider.dll	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2407-x64.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\Locales\et.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2407-x64.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\prefs.json	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\Locales\id.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\vk_swiftshader_icd.json	setup.exe
File created	C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\setup.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe5cde23.TMP	updater.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2407-x64.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\Locales\ar.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\Locales\hr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2407-x64.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\Locales\da.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\Locales\mr.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3580_1939685702\LICENSE.txt	chrome.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2407-x64.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source4472_1151377816\Chrome-bin\126.0.6478.127\d3dcompiler_47.dll	setup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat	updater.exe

Executes dropped EXE 64 IoCs

Processes:

updater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe126.0.6478.127_chrome_installer.exesetup.exesetup.exesetup.exesetup.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe7z2407-x64.exe7zG.exe7zG.exechrome.exe

pid	process
4900	updater.exe
4320	updater.exe
3372	updater.exe
1432	updater.exe
440	updater.exe
3596	updater.exe
4464	126.0.6478.127_chrome_installer.exe
4472	setup.exe
4708	setup.exe
3156	setup.exe
3920	setup.exe
3580	chrome.exe
2952	chrome.exe
1220	chrome.exe
1540	chrome.exe
3956	chrome.exe
4808	chrome.exe
3960	chrome.exe
4444	elevation_service.exe
3104	chrome.exe
2840	chrome.exe
1216	chrome.exe
4156	chrome.exe
3684	chrome.exe
5604	chrome.exe
5780	chrome.exe
5984	chrome.exe
1320	chrome.exe
1908	chrome.exe
1384	chrome.exe
5408	chrome.exe
1528	chrome.exe
4380	chrome.exe
5516	chrome.exe
5224	chrome.exe
216	chrome.exe
3744	chrome.exe
1816	chrome.exe
5880	chrome.exe
2268	chrome.exe
5340	chrome.exe
5892	chrome.exe
5236	chrome.exe
5948	chrome.exe
5872	chrome.exe
3480	updater.exe
3836	updater.exe
5548	updater.exe
4560	updater.exe
2052	updater.exe
1416	updater.exe
4960	chrome.exe
4476	chrome.exe
4932	chrome.exe
5784	chrome.exe
5516	chrome.exe
5264	chrome.exe
5136	chrome.exe
5612	chrome.exe
812	chrome.exe
1944	7z2407-x64.exe
1260	7zG.exe
3408	7zG.exe
3992	chrome.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1928	sc.exe
3516	sc.exe
1696	sc.exe
4568	sc.exe
5736	sc.exe
5376	sc.exe
1792	sc.exe
2024	sc.exe
3448	sc.exe
5984	sc.exe
5232	sc.exe
5204	sc.exe
2360	sc.exe
3684	sc.exe
2856	sc.exe
4744	sc.exe
4800	sc.exe
6036	sc.exe
2376	sc.exe
5060	sc.exe
4568	sc.exe
2976	sc.exe
5984	sc.exe
2580	sc.exe

Loads dropped DLL 64 IoCs

Processes:

pid	process
3580	chrome.exe
2952	chrome.exe
3580	chrome.exe
1220	chrome.exe
1540	chrome.exe
1540	chrome.exe
3956	chrome.exe
1220	chrome.exe
3956	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
4808	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
4808	chrome.exe
3960	chrome.exe
3960	chrome.exe
3104	chrome.exe
3104	chrome.exe
2840	chrome.exe
2840	chrome.exe
1216	chrome.exe
4156	chrome.exe
1216	chrome.exe
4156	chrome.exe
3684	chrome.exe
3684	chrome.exe
5604	chrome.exe
5604	chrome.exe
5780	chrome.exe
5780	chrome.exe
5984	chrome.exe
5984	chrome.exe
1320	chrome.exe
1320	chrome.exe
1908	chrome.exe
1908	chrome.exe
1384	chrome.exe
1384	chrome.exe
5408	chrome.exe
5408	chrome.exe
1528	chrome.exe
4380	chrome.exe
1528	chrome.exe
4380	chrome.exe
5516	chrome.exe
5516	chrome.exe
5224	chrome.exe
5224	chrome.exe
216	chrome.exe
216	chrome.exe
3744	chrome.exe
3744	chrome.exe
1816	chrome.exe
1816	chrome.exe
5880	chrome.exe
5880	chrome.exe
2268	chrome.exe
2268	chrome.exe
5340	chrome.exe
5340	chrome.exe
5892	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exedwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exechrome.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4148 taskkill.exe

pid	process
4148	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exedwm.exepowershell.exesetup.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe

Modifies registry class 64 IoCs

Processes:

updater.exeupdater.exesetup.exe7z2407-x64.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8582249A-7E37-5C77-A5F4-1FBFEAFCBC5F}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib\ = "{85AE4AE3-8530-516B-8BE4-A456BF2637D3}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\TypeLib\ = "{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8FCD652C-D470-570F-9A74-B31F9AB8F368}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ = "ICompleteStatusSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F966A529-43C6-4710-8FF4-0B456324C8F4}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1588C1A8-27D9-563E-9641-8D20767FB258}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8582249A-7E37-5C77-A5F4-1FBFEAFCBC5F}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\LocalService = "GoogleUpdaterService128.0.6537.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\TypeLib\ = "{D106AB5F-A70E-400E-A21B-96208C1D8DBB}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EB300E9-4F8A-5D14-B795-36796C40660C}\AppID = "{4EB300E9-4F8A-5D14-B795-36796C40660C}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8FCD652C-D470-570F-9A74-B31F9AB8F368}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\ = "TypeLib for Interface {463ABECF-410D-407F-8AF5-0DF35A005CC8}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C4622B28-A747-44C7-96AF-319BE5C3B261}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\TypeLib\ = "{F258BE54-7C5F-44A0-AAE0-730620A31D23}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\ = "GoogleUpdater TypeLib for IAppWebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\CLSID\ = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B685B009-DBC4-4F24-9542-A162C3793E77}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ = "IProcessLauncherSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8FCD652C-D470-570F-9A74-B31F9AB8F368}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatusValue"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4EB300E9-4F8A-5D14-B795-36796C40660C}\LocalService = "GoogleUpdaterInternalService128.0.6537.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

updater.exeupdater.exeupdater.exechrome.exechrome.exeupdater.exeupdater.exeupdater.exeWeMod.exeSirus.exe

pid	process
4900	updater.exe
4900	updater.exe
4900	updater.exe
4900	updater.exe
4900	updater.exe
4900	updater.exe
3372	updater.exe
3372	updater.exe
3372	updater.exe
3372	updater.exe
3372	updater.exe
3372	updater.exe
440	updater.exe
440	updater.exe
440	updater.exe
440	updater.exe
440	updater.exe
440	updater.exe
440	updater.exe
440	updater.exe
4900	updater.exe
4900	updater.exe
3580	chrome.exe
3580	chrome.exe
5892	chrome.exe
5892	chrome.exe
3480	updater.exe
3480	updater.exe
3480	updater.exe
3480	updater.exe
5548	updater.exe
5548	updater.exe
5548	updater.exe
5548	updater.exe
2052	updater.exe
2052	updater.exe
2052	updater.exe
2052	updater.exe
2052	updater.exe
2052	updater.exe
2052	updater.exe
2052	updater.exe
5936	WeMod.exe
5936	WeMod.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe
5896	Sirus.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exetaskmgr.exe

pid process

3168 OpenWith.exe
3928 taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

pid	process
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ChromeSetup.exe126.0.6478.127_chrome_installer.exechrome.exeAUDIODG.EXE

description	pid	process
Token: 33	216	ChromeSetup.exe
Token: SeIncBasePriorityPrivilege	216	ChromeSetup.exe
Token: 33	4464	126.0.6478.127_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	4464	126.0.6478.127_chrome_installer.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: 33	6032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6032	AUDIODG.EXE
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4736	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

OpenWith.exe7z2407-x64.exeFieroHack.exeWeMod.exeOpenWith.exe

pid	process
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
3168	OpenWith.exe
1944	7z2407-x64.exe
4484	FieroHack.exe
5936	WeMod.exe
4440	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ChromeSetup.exeupdater.exeupdater.exeupdater.exe126.0.6478.127_chrome_installer.exesetup.exesetup.exechrome.exe

description	pid	process	target process
PID 216 wrote to memory of 4900	216	ChromeSetup.exe	updater.exe
PID 216 wrote to memory of 4900	216	ChromeSetup.exe	updater.exe
PID 216 wrote to memory of 4900	216	ChromeSetup.exe	updater.exe
PID 4900 wrote to memory of 4320	4900	updater.exe	updater.exe
PID 4900 wrote to memory of 4320	4900	updater.exe	updater.exe
PID 4900 wrote to memory of 4320	4900	updater.exe	updater.exe
PID 3372 wrote to memory of 1432	3372	updater.exe	updater.exe
PID 3372 wrote to memory of 1432	3372	updater.exe	updater.exe
PID 3372 wrote to memory of 1432	3372	updater.exe	updater.exe
PID 440 wrote to memory of 3596	440	updater.exe	updater.exe
PID 440 wrote to memory of 3596	440	updater.exe	updater.exe
PID 440 wrote to memory of 3596	440	updater.exe	updater.exe
PID 440 wrote to memory of 4464	440	updater.exe	126.0.6478.127_chrome_installer.exe
PID 440 wrote to memory of 4464	440	updater.exe	126.0.6478.127_chrome_installer.exe
PID 4464 wrote to memory of 4472	4464	126.0.6478.127_chrome_installer.exe	setup.exe
PID 4464 wrote to memory of 4472	4464	126.0.6478.127_chrome_installer.exe	setup.exe
PID 4472 wrote to memory of 4708	4472	setup.exe	setup.exe
PID 4472 wrote to memory of 4708	4472	setup.exe	setup.exe
PID 4472 wrote to memory of 3156	4472	setup.exe	setup.exe
PID 4472 wrote to memory of 3156	4472	setup.exe	setup.exe
PID 3156 wrote to memory of 3920	3156	setup.exe	setup.exe
PID 3156 wrote to memory of 3920	3156	setup.exe	setup.exe
PID 4900 wrote to memory of 3580	4900	updater.exe	chrome.exe
PID 4900 wrote to memory of 3580	4900	updater.exe	chrome.exe
PID 3580 wrote to memory of 2952	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 2952	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1220	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1540	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 1540	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 3956	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 3956	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 3956	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 3956	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 3956	3580	chrome.exe	chrome.exe
PID 3580 wrote to memory of 3956	3580	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Program Files (x86)\Google216_668674802\bin\updater.exe
"C:\Program Files (x86)\Google216_668674802\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={AFF3F6A6-5D24-D774-8CB7-D20D4EC68D2D}&lang=pl&browser=3&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
2⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4900

C:\Program Files (x86)\Google216_668674802\bin\updater.exe
"C:\Program Files (x86)\Google216_668674802\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xb22604,0xb22610,0xb2261c
3⤵
- Executes dropped EXE
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
3⤵
- Checks computer location settings
- Checks system information in the registry
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc9d601c70,0x7ffc9d601c7c,0x7ffc9d601c88
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=1924 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1716,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=2224 /prefetch:3
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2280,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=2420 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=3192 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=3216 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4568 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4772,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4456 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4896,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4912 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4908,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5060 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=4900,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4868 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4536,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5076 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5384,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5332 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=4568,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=3140 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=4608,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5564 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4484,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4668 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5544,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5620 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5716,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5380 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5800,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5760 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5748,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5924 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=728,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5784 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5452,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5556 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5608,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4500 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6008,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5928 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5640,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5968 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5764,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5904 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5904,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=6132 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6124,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4700 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5536,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5756 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6252,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=6116 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:5236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6376,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5880 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:5948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=5552,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=6404 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5928,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=3200 /prefetch:8
4⤵
- Executes dropped EXE
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=5380,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=3404 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=5960,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5900 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5688,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5720 /prefetch:8
4⤵
- Executes dropped EXE
PID:5784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4560,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=5520 /prefetch:8
4⤵
- Executes dropped EXE
PID:5516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=4884,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=6328 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:5264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=3284,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=4668 /prefetch:8
4⤵
- Executes dropped EXE
PID:5136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=6536,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=6356 /prefetch:8
4⤵
- Executes dropped EXE
PID:5612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5064,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=6580 /prefetch:8
4⤵
- Executes dropped EXE
PID:812

C:\Users\Admin\Downloads\7z2407-x64.exe
"C:\Users\Admin\Downloads\7z2407-x64.exe"
4⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=4544,i,10570936483877367830,17124657954688327386,262144 --variations-seed-version=20240611-050132.334000 --mojo-platform-channel-handle=6392 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:3992

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3372

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x532604,0x532610,0x53261c
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:1432

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:440

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x532604,0x532610,0x53261c
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:3596

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\126.0.6478.127_chrome_installer.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\126.0.6478.127_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\e0b7b584-bd20-4111-9141-23c7bb2c073a.tmp"
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\CR_53831.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\CR_53831.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\CR_53831.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\e0b7b584-bd20-4111-9141-23c7bb2c073a.tmp"
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4472

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\CR_53831.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\CR_53831.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7c0c846a8,0x7ff7c0c846b4,0x7ff7c0c846c0
4⤵
- Executes dropped EXE
PID:4708

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\CR_53831.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\CR_53831.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
4⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3156

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\CR_53831.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\CR_53831.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7c0c846a8,0x7ff7c0c846b4,0x7ff7c0c846c0
5⤵
- Executes dropped EXE
PID:3920

C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x310 0x154
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6032

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --wake --system
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x532604,0x532610,0x53261c
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:3836

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5548

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x532604,0x532610,0x53261c
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:4560

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x532604,0x532610,0x53261c
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:1416

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5892

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Melonity_Installer v3.6\" -spe -an -ai#7zMap27444:108:7zEvent9651
1⤵
- Executes dropped EXE
PID:1260

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Melonity_Installer v3.6\" -spe -an -ai#7zMap21411:108:7zEvent24774
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x310 0x154
1⤵
PID:912

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Melonity_Installer v3.6\" -spe -an -ai#7zMap12708:108:7zEvent27549
1⤵
PID:4780

C:\Users\Admin\Downloads\Melonity_Installer v3.6\FieroHack.exe
"C:\Users\Admin\Downloads\Melonity_Installer v3.6\FieroHack.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4484

C:\Users\Admin\AppData\Roaming\WeMod.exe
C:\Users\Admin\AppData\Roaming\WeMod.exe
2⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5936

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:5824

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:4488

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:4800

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:5232

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:5204

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:6036

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:1928

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Power Settings
PID:4344

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Power Settings
PID:5696

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Power Settings
PID:5296

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Power Settings
PID:3488

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "BFFESVJT"
3⤵
- Launches sc.exe
PID:5736

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "BFFESVJT" binpath= "C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2376

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:3516

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "BFFESVJT"
3⤵
- Launches sc.exe
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\WeMod.exe"
3⤵
PID:4300

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4704

C:\Users\Admin\AppData\Roaming\Sirus.exe
C:\Users\Admin\AppData\Roaming\Sirus.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5896

C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:5852

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:5680

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:5908

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:1696

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:4568

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:2976

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:2360

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:3684

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
PID:5080

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
PID:5232

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
PID:4664

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:3636

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2896

C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
"C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe"
3⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:4788

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:4972

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:5340

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:5376

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1792

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:5984

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:2856

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:2024

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Power Settings
PID:3424

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Power Settings
PID:3548

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Power Settings
PID:3324

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Power Settings
PID:1564

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:1656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6112

C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
"C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe"
3⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5724

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:3432

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:5716

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:4744

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:4568

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:3448

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:5984

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:2580

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Power Settings
PID:2248

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Power Settings
PID:5396

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Power Settings
PID:4752

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Power Settings
PID:1132

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:2916

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks computer location settings
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcac781c70,0x7ffcac781c7c,0x7ffcac781c88
2⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,2919210094693581027,3324475404449875101,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=1976 /prefetch:2
2⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1856,i,2919210094693581027,3324475404449875101,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=2012 /prefetch:3
2⤵
PID:5320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2236,i,2919210094693581027,3324475404449875101,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=2504 /prefetch:8
2⤵
PID:3496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,2919210094693581027,3324475404449875101,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=3128 /prefetch:1
2⤵
- Checks computer location settings
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,2919210094693581027,3324475404449875101,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
- Checks computer location settings
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4684,i,2919210094693581027,3324475404449875101,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=3584 /prefetch:1
2⤵
- Checks computer location settings
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4844,i,2919210094693581027,3324475404449875101,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=4796 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4652,i,2919210094693581027,3324475404449875101,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=4940 /prefetch:8
2⤵
PID:6012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=5016,i,2919210094693581027,3324475404449875101,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=5080 /prefetch:8
2⤵
PID:5388

C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe"
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks computer location settings
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcac781c70,0x7ffcac781c7c,0x7ffcac781c88
2⤵
PID:5940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,14321004604872802184,2511335002828855406,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=1928 /prefetch:2
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2180,i,14321004604872802184,2511335002828855406,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=2188 /prefetch:3
2⤵
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2248,i,14321004604872802184,2511335002828855406,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=2284 /prefetch:8
2⤵
PID:5932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,14321004604872802184,2511335002828855406,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=3128 /prefetch:1
2⤵
- Checks computer location settings
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3380,i,14321004604872802184,2511335002828855406,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
- Checks computer location settings
PID:5616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,14321004604872802184,2511335002828855406,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=3588 /prefetch:1
2⤵
- Checks computer location settings
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,14321004604872802184,2511335002828855406,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=4776 /prefetch:2
2⤵
PID:5588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4748,i,14321004604872802184,2511335002828855406,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=4080 /prefetch:2
2⤵
PID:504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=3136,i,14321004604872802184,2511335002828855406,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=4720,i,14321004604872802184,2511335002828855406,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=4912 /prefetch:2
2⤵
PID:5728

C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe"
1⤵
PID:4772

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:6012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks computer location settings
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcac781c70,0x7ffcac781c7c,0x7ffcac781c88
2⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,17170886207114556380,17884900630959432146,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=1892 /prefetch:2
2⤵
PID:5300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2184,i,17170886207114556380,17884900630959432146,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=2236 /prefetch:3
2⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2228,i,17170886207114556380,17884900630959432146,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=2424 /prefetch:8
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,17170886207114556380,17884900630959432146,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=3160 /prefetch:1
2⤵
- Checks computer location settings
PID:5516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,17170886207114556380,17884900630959432146,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
- Checks computer location settings
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3752,i,17170886207114556380,17884900630959432146,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=3192 /prefetch:2
2⤵
PID:5788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,17170886207114556380,17884900630959432146,262144 --variations-seed-version=20240628-130141.777000 --mojo-platform-channel-handle=3220 /prefetch:2
2⤵
PID:3724

C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe"
1⤵
PID:6028

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:3928

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5952

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:1584

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4168

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
2⤵
- Kills process with taskkill
PID:4148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google216_668674802\bin\updater.exe
Filesize
4.4MB

MD5
512a822caed80f9fa3f0dfce20d4faa1

SHA1
16f470de73681ce7ec9b3251ac081879fb37798c

SHA256
8de9266347276d18fe49f84b86f09e6035df2c10e39f22d85bf33d43cf0f5f2c

SHA512
9fc3d74dddd28b325fe3b803c1217d7374b61ae6d7eecb46aa2dafb643b7a45387caba015421da524cc0416c9b3bdbb3d871120c1275e421f86e9d80a3781802

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat
Filesize
40B

MD5
091eb1d520e3303f35f37814f4c5ea64

SHA1
7e21755c72d23b000228a2c95f995a45acff78c0

SHA256
a62dbcf5b9366b0c5465384dc91cf1b7f628b57123bed797160efe8a4f3dc88c

SHA512
0b32a416868262bc9d2eeb101207afad41c418ae349072dbdce9682e533942e10a3db016372ca6ed13b3e450f8cd52d22d6fa7a88515a850d94ee487f53498dd

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
354B

MD5
e0ee4da712ce8c124aa6591511138c42

SHA1
3c995aa84f0c88624b3998304a39803bd99f116e

SHA256
44ea110f766b1c1df4863665f334421b1d0dd450b859f2d75a53a96d005ab7ff

SHA512
dd93f581ecbf41c75c85388d0eeb809fe64f5c5e0e8b24f13b20b8d2b88cb98c873ebfaeff8a6bdc985b548ed6e866ffc53f465ac5a01018fcd9c58c7faec17c

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
492B

MD5
e02e9e113d9fd8c416e7c5f68bfec02e

SHA1
66f0282d1f4938d6e37879b1bfc93a474c3ca0b5

SHA256
c797de5105833f8f577690a371a28390404a7c6bf186e281ef43bb50a68b0061

SHA512
e1e650ed9a1e46154fa67b9917d33805cf73febcacd8f0819d3ddf1ae1920759c38abaf0894d30eee053f4d56a5fb8a41f5765f058ead9f8b5ef6b6052b866a9

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
655B

MD5
1c3b5b9edbb95ddd73619206b6b213a5

SHA1
8c00fcd0b44241081e06c362b3fe99e78f711f03

SHA256
f31c7a6416f0d919de470c805a509ba0502cd3087d411b841cd52e936185a69b

SHA512
6d4adb83dedf2edbe793ba343a5e84caff98fa907d7e8470f3d93e310f0ebb4fcbca77407f022e77715434c3d370cb508f0f2fa4c40f662b6d2a2f4077072756

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
1KB

MD5
deefb0ad984dcb22568d2455de5258df

SHA1
2f595f416cd13e275507352a5eef859eb602e86e

SHA256
dcdfc12e92845e64eaf8294026c3ab88adc35144621170c6b5ea7faa88cb2673

SHA512
182372baf6e6889938e54aa96b2c6a89f37cd9fa7f089f1e6cdc385197a328533fa76a47554053bd48c23e08827ef0c0eae7c5908a2538b571a21ddc77106c87

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
592B

MD5
993871bf8c51376ea940af4d54145568

SHA1
20ce115ad641e47bc788d800ae17d60ddba7be21

SHA256
4993eb8ffa5769ad57b7423da0d5f137dd74094c22fd6e7cf69f623456d3ee4d

SHA512
ed969172948456160f31369c734d1fb104e54df1c136fb12a0e502eced75048cb9a279c464b6950c7a2ce79288ae426100f3f0df3f901e78782342038b098ae5

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
49B

MD5
a640ca2e70d5d86ee61c65b5fa0a5de3

SHA1
932854c7284e88d764a5f455c2559430282630e3

SHA256
143f8c59a52692d27d38a2da2d510f37237faeee74850381917768adee0975e6

SHA512
855f3de6bda41d5a015922c4127947bd9ad51b2b137ccdbef5232b2f373c24b7c99f0806466c1cbd49387a4d6984f10f71e69dc7ab9a9274e4ec1d376758cdf2

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
745B

MD5
9c816ee8b74c47e6fdc7996cb16d239e

SHA1
06bdf7a3f435e13ac00643e6c28d962d0f80b9b5

SHA256
14f81e022bb08d1712c3143b22ae74cef3d19b4f0e9168ff9f846bee26dc4198

SHA512
3f24102c97d7a267b6f0e0f5c550d80f678e551ed65d5b46b7f5b12a9f8325f56b006648d011eb146c36a32a2354b0616ecb8f8433d475a439775b2bc2193808

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
4KB

MD5
8d9d3bb6c0011fcee9882811cfa240b9

SHA1
d219e6d7845ac6ce03a50ceb37b29454b20733a6

SHA256
4767b5efffe9bd7c226c90d6671889364de9288ee9f2ced5628d512ed68bb96b

SHA512
0ad24f213b862105abdb5e014ee3ae4d67db965967454257f85969dce6b7099e9a2a1e976000023ed4fffad2d5643bef8aad7b5c2f77bd3b9afdae362eb09723

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
4KB

MD5
12e5495fdeb04ed0ed7c26502f264b42

SHA1
999a1376a249ec416263ccebb239b8fa664d181e

SHA256
e9ad2e0eca1321747d0483de19e299fefd8b77c0fcfed03ae39c592edf683bfa

SHA512
829fa28087732fb3be5413ddb55a43898d09a716e7e0c2741be230a5ce57d2efeb73b05865b07986817ebf98ee0da8b7248695e86ed18ea430a0b48b9b7b76db

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
9KB

MD5
ab8b8b82a51f0ba3077ef1788f1430e4

SHA1
7d5d8a4057c03d0dc5b1429cd4843c76dfeacfab

SHA256
edf69ca8b940e1fbc2fea8e643139b89163aa6200c2cd777595a584cad75cf2a

SHA512
d4ba634e0287496665c6e0891e36ec5bf96c1b9fd81de10b6199317f06c1d10ee23e576ed533e6f417c16a732abfb27dc71208c1b9aa406c9cd8dbe3228e8f8c

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
12KB

MD5
3a172acdd6ca857958f5015ef399d1d5

SHA1
5ff7c39f55c2eadfb03333409663a4ee9593a981

SHA256
24ef2ad65893dd878c7678af024f663377c3f98764be592af450d9d6d20ec983

SHA512
22db0140b8a57f9c7d0f56a5ca5dfc28181b30a555e928cd90904b5deb9d6fe9f2a748008a760bac80a97bdee6e53d5389addd6db1110a9f338e55d2df8e4283

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
1KB

MD5
8ae032e56ac4e77c3190175f71dfcdf9

SHA1
3b6add16c55643b84023985ea67a2aefe6d39c74

SHA256
309f2f82e577a55c38e4b4ff8c3ebfa4b04b7554b25f0db863c76ff5ea8f4293

SHA512
d07088ba5617ccf19b3ba51205236f9b0c36082052fe8f5303b5baf6fd71c42ad2dc57bcfecea410f200461bdef490461a99029ad4a74399693a895318b6fc5c

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
2KB

MD5
c15fdcb666e4a111267f1f732121f664

SHA1
057ac704f8e1b63a747b46121cdb2d3a2a44e912

SHA256
295ca02813b30f7ad25f9ba422c749c95f1c80b28e5ffc45d7a2c69a96366d2f

SHA512
b68b157d4190ff00c481c828e68c12625f46b9b400a1fac457dc788197a8c9b720dfb73f78722e9e29c8d70c632136dbad2eb10f085719f2e53df9f644d5bd95

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\CR_53831.tmp\setup.exe
Filesize
4.1MB

MD5
0849095a80f74794bcac8b3561fc4a58

SHA1
5b27f31892bb7b04c62d3b1f612a45415a3bc32e

SHA256
27dbc6e6ac8630b50fc5473e9a7f341c7d759806f762aa522698ec10bf2f2e62

SHA512
1f52e20fc2812af55e00b7aea59b00af262ea87bc7b652504a3be9b26e500fffeffbed52dc21132b22645f46f2a59f546485e9089e7cfb5f0154041918f52e5c

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping440_1285460182\e0b7b584-bd20-4111-9141-23c7bb2c073a.tmp
Filesize
652KB

MD5
44c7f06f320e8068a00af6f8930c0511

SHA1
e68c5ff16e0c28a2ec146198b96bfad291743c4b

SHA256
c0dd8ff1c80385821da0fe5102b40420ebe4b476b5832382553dbb6d51ae33c9

SHA512
82343ada963b593fce6718b9d460bfc7d359be629de1b8cf38dc638ba30495d0b5d271d658a9125fe674fe5b3375767e88ce7d8ae6f23d34f89e342d796aa644

Download Submit
C:\Program Files\Crashpad\settings.dat
Filesize
40B

MD5
c4f2bbf980a04686832c8fc74f0de257

SHA1
aa4ebb93f4c7cafe23a5662c6668d1a20381f9f1

SHA256
f4f5c5a0957703bf81682954b853891ec67eea8f47375ef210257db4f12e6ff1

SHA512
dee3d1ef9a2b2a17761f41fe105edfaefccf86444200e87cad200b756ad5d09e51d8f498e8e2bd5eb3a657ca641cc8a88a8ce9e6c75e4b72fd8373e81779cd62

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\chrome_elf.dll
Filesize
1.2MB

MD5
576f4379df97be0689013c7de1ae64b0

SHA1
6751967e285bb8008c5a582dc87f1e3c132bee15

SHA256
114b6fb306bbc3e5f0a903c7bd2c3ccf01a6df1ef12a31f418a478ccc7b5ebdc

SHA512
e70a1698880f654d0ca2d63ab74ed01c4f4d6e7b3979c726d9e9b11b4d93622967a494f91bf014ad6def451c38815b5ca9dabb7db8613a3174e25a0c64a78c4b

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\d3dcompiler_47.dll
Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\dxcompiler.dll
Filesize
21.0MB

MD5
a68af7f67a2f2e45f5025aba6aebc80d

SHA1
221ec780ef522b8005d3c4bbaf01b5888b280d84

SHA256
369fa1f39fa991a63f4926e4bce7b1bd0e0e2ff195d503db78ddbb0e61018ad6

SHA512
18e865e68e0005daa52a3b4e971aa0cbb55d310fb8d4fd97aa35496d4d06ca10330a4ac9cc0189a3534ccf54154eabbbd08f9455232f34629b3174f2d3c19d91

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\dxil.dll
Filesize
1.4MB

MD5
30da04b06e0abec33fecc55db1aa9b95

SHA1
de711585acfe49c510b500328803d3a411a4e515

SHA256
a5fe1d8d9caa2ff29daffd53f73a9a4e19c250351b2abe4fc7b57e60ce67ac68

SHA512
67790874377e308d1448d0e41df9dd353a5f63686df4eb9a8e70a4da449b0c63a5d3655ab38d24b145ad3c57971b1c6793ea6c5ac2257b6eb2e8964a44ab0f08

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe
Filesize
1.7MB

MD5
2443c7dd8a97f8d5e11baa95382bdc2b

SHA1
5daf6babd97de71bcdb2711cb418f02d2b65da7d

SHA256
1bfb23895b47127dff1558ae789cf190aac5c32565736ee81f962de4286cac79

SHA512
db15a71249a2e3adf1830942eb15807db2363815cbb8f4245ed448ab68f6d714050d034bfd84b2c4db76ad1c9031e38e2b785dda771bc0b58a968eecf2a74929

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\libEGL.dll
Filesize
471KB

MD5
cdced1a4260cdc41d3e9be5cc6aec522

SHA1
822ae5e7d93e5c62a880fe4dd9672a8b7ce73897

SHA256
c37efa9208dc887d45a0afe04158f309ad71bd3e7d325715ace3c792a5079942

SHA512
feda57975b129af62198498b01f971f8096ff341c396890253059a2e6218a4f47d39d77f8d3ce0b92bba26366fbcf33e45666747619b970e8ee0137b8a08b1bc

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\libGLESv2.dll
Filesize
7.7MB

MD5
b01b66222632a03ee1d229205c509fc1

SHA1
0446bb4057138da8f0610eaf85e1df5cd8055107

SHA256
392baff224b58a9f448a726556422cf374e0ff3a28f480692c5e54e4f7fb4e58

SHA512
fb6b5190c3107de3f070461aee8c697611940eb82777a466565a7b311b7ec6634d285c1281727166b5b21ad85ba5af6b826ff32d104e300a2e0c0c8ec581dc26

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\vk_swiftshader.dll
Filesize
5.1MB

MD5
d6285e5802f833f3a1db44180251b032

SHA1
b018c660e1685118df520211b08168f1316d3258

SHA256
2dbf576a11ec521dcfa42528339fd20b7d711e90610c360e77cc5783c1ef5f73

SHA512
4c5ef6340e70754ebc6a65b53cd529ee0392eb62f760b5e2f66734dacd921f0259a34259be0b835e293ca87c034041ef95246ff07c7732e15aeac9f2c0fcb4b6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe
Filesize
2.7MB

MD5
d09b0bceaaccb0b4c2fc6b95b9a5241a

SHA1
5ada2eddc6954dfc50aff07276909866418ce799

SHA256
13e2a3b4ddff74975fd41b9a1d4ed57de5ec67c0f377791dbbba5c8402690eb8

SHA512
aec811b8ae222d21108fff90c501278cfccc1d76f4b01469339f08f09514ff31d508e2abec7ed3c53e196f34ab73544be969e5e284a220e0206d680d8e602ba7

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3580_1939685702\Filtering Rules
Filesize
68KB

MD5
6274a7426421914c19502cbe0fe28ca0

SHA1
e4d1c702ca1b5497a3abcdd9495a5d0758f19ffc

SHA256
ae2fd01d2908591e0f39343a5b4a78baa8e7d6cac9d78ba79c502fe0a15ce3ee

SHA512
bf1287f502013308cdd906f6e42998c422ef1e272b348e66122dc4a4e471d01333b418f48d1bb2198c72845bdc950612597e179e612aaa1ba6cf8d48fb8f0cf5

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3580_1939685702\manifest.json
Filesize
114B

MD5
4c30f6704085b87b66dce75a22809259

SHA1
8953ee0f49416c23caa82cdd0acdacc750d1d713

SHA256
0152e17e94788e5c3ff124f2906d1d95dc6f8b894cc27ec114b0e73bf6da54f9

SHA512
51e2101bcad1cb1820c98b93a0fb860e4c46172ca2f4e6627520eb066692b3957c0d979894e6e0190877b8ae3c97cb041782bf5d8d0bb0bf2814d8c9bb7c37f3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
Filesize
2KB

MD5
9b6149d63d26f338dd3cf750bd4c339c

SHA1
b098235ac24b54ccb463f225296473ff432b742c

SHA256
157f21ae8d1d3b79c608f18866f04a746dd64821dca93566b51592ac64b2cb07

SHA512
3ee4a8747fb08b2da3f93c082a02c72fa09308d345b7951093f813098f8098df2b22a46fe721182917a8464971fe5fa8bdb33f1b0f8163a6a7afb72b4d431651

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
12b83e989851738f4289adcc37d5023b

SHA1
dae4ffd3ea26a44812a491b93fa1cc360c63ff12

SHA256
0671e614cf8e13a6f5c0785637d353773dbbf4c3e127fb463ce099c79c8f5950

SHA512
c4f3930765c45d90abc5c2a5f5be42e6d4cb98f533a8c72f8fd9c4ce73156850f1482f103584dbda8aa911568dcac35f8322cd27083ac3ad78132e6af8857f46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\33067a0b-68e1-49a3-8074-cc6f28de00a2.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
59KB

MD5
1d5f57b36984d3bc13513937212f7c85

SHA1
6962d480bc6216080b90505c9f25c8a3ed4c8df0

SHA256
7c5544c2101aa4a9ab3bd0ed98d6d1126457f802c8073333d2e7fb7be273dc30

SHA512
dcb01342a2eb9ff3ed03a23b7e0914ccb626e1136c2a24dc4e8144cd785c90acdbffc877408a922519055f0a375b4a31172e3120744de656d55dcd83b84a4f4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f
Filesize
32KB

MD5
fe0cb11576905a924b316b72b715c2e3

SHA1
31a833346d235602a4fc51b49ef9bf57d9d1409f

SHA256
ee9fdfd767036158d8d3bc22f6c3095c5bfa6c17d4611eaacd45a5a829a864b9

SHA512
0227816287e01021bc07b84db89642ed0cc5e1c3a653a8be2c38bc53dcb17cd62b1a45051cf143ba9c2a5880df961d281192547fbb0788d95659ec5169e98ac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010
Filesize
32KB

MD5
a37cb5b2be3ac24f85e18e0f6af90e18

SHA1
7888cab4667f8997bee7cfe1357b6d090e5f987b

SHA256
38322e4056896c3d332335130caef7ebf6f02a9e902e87adeb3141aaaefc5eb1

SHA512
f2772d825de479756299954d0d6b67c3c940e41a2e2329a733e755b8b3d107c53fbf845d64330ae9b75f75f56f872b9f6fbcefacb55606a0ae7fda58eab6b384

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d
Filesize
110KB

MD5
a3b4e70a7580a08bd5f7e8d1a9dac97b

SHA1
b6105b77c20e9a99dc1771bce08bb1be98337fad

SHA256
17d95c2f150d6ba6ffb32f375604210203e95f0fe777d936fa993275f019dc36

SHA512
ac9e4f737389b881dfb21d75b4a8d16fcfd4cf3b3e75a992996f5f0a97f87c2145833dcc976b4ff5f263a408e9801279addb160a07b7d3d5335f2742a7718e77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000037
Filesize
1024KB

MD5
fddbecb3d1a277e17fef8f2c6fb5b7a4

SHA1
1c6c43986da1e1ab295558f966602e8dbb3c4284

SHA256
e64fa4f857d6aa411547391114ba4fe3d77edf32e0b730dce05950a03fc2d222

SHA512
22c06ac10e7ea81956ebbeda19a331105caa1d023184ecd845d0dec8c5044d7d547bd7dcf62e9167cd45589870d4e57bef4d8376f785bc7b228ba783fd5d66ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000039
Filesize
1024KB

MD5
8086d3b4a7893acc7e8e11c67e44d848

SHA1
2239333e9f05638302c7c55e43ab2f30d227b6a2

SHA256
22115e7503dcace034394029b237d6e6a71663aa8c9ed2370f7252976d13541d

SHA512
6c6b346417842a22b56d195f26995bd21f8496fd6d9a8d87aeaa7dc3fdb2ddcdfe6578a574efa084d2903169b60c2ebbdc48773280c106e9e624207dcca0dec1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
912B

MD5
b2b020e6e5e7e53a2d5b63a738d22254

SHA1
e2359b5c1e070f894d6adf60b344d18a975d5f6f

SHA256
a947007474845105869e41b36bc11a150bbdf0c76911ec52c973b8436b6bc557

SHA512
7a67582947234a5597127c18aa1c67a90b5c0d3ddd476a3d9b809d2c7055f7163020d0fcc412c93800c236d6a625bd34f214a84f800515dca36481fa11d6cfb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
c0c7e3cfa0c916a62a5925dd3faa7f42

SHA1
a3a6f64daae2317421d312a0ec54b1886c3409e5

SHA256
c262ad831e5053500e411d5430a08e69e65856b22c0384ac9763142ad5005301

SHA512
22e765a64d8ec0a54920531ed8a88297134fe479cc0727215fd6a9c45ef30bf7ad207a62d9c10252465aa1d81790096c47afde34a406297568b8a7f090ca2612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0
Filesize
44KB

MD5
27068e85d3f9c6beeede96a898f1ba5f

SHA1
e9e65a3048f13a1b746d8ba994e60d70c3eaf529

SHA256
5df413694496771dc9ddef3aca82b88360d0bda0f736a5df932fcdc8f572a295

SHA512
818bd46e0da0ea2545f52ccd7550d8fa02dc2cac3202fd58813a7a74cce446f8ecb5a19d958f7bc6a7f71719285c02e5c2c40dd34f753d00543903568a7f161e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
2bc22c0ae6f8771a4a74f988211d7ed6

SHA1
c6437806adaef1fce46a320cc6d312da53126d4c

SHA256
74f190a1ad135515edee04d8e0b4b8ef460526e24eb1ca020ca1351f72928805

SHA512
aa6489c7cd0c8e69220931e835ab1b0b0d128bf8af485c569b82b2286b6029c428869559a3f330f77eeba0209fcb191d184e5693d85e8a240e404eccb5e167a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000011.ldb
Filesize
31KB

MD5
f5b8040821c3800ef465a46440c6a874

SHA1
fdcf58a9475d1662377c50f9e99b91ff646c7d9a

SHA256
6b147392c0f53c500878c14b6acf7bdb1c954a379e2b96f51f2b4690ca95c18e

SHA512
d10e63a00dd8eed39a3ea4eba0a8315a365825f635802223784addc502c2d45892238723c76a25419624d6c05806cc06d13867d406c7e12eac22da1e447f8944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000012.log
Filesize
341KB

MD5
234ba21d00b3f71a71caafd4a4924b16

SHA1
a8c26b03413ad11a4f074f33e0ff6f16299ddbf4

SHA256
158b229c8c248abef5c8976bc250e70af3b08707235f7c6530803f1461fdd8c8

SHA512
91725e53de0e183f19073df75edc76343a8124116c83fdba23e717346ee60ae18a4504a366635951190b87a3dcf2515c13c89b0b04c530cb6ee7d5e7ef098683

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000014.ldb
Filesize
17KB

MD5
437da5f4a0564d20d388dd0175a43fdf

SHA1
598e63ba9a4ecffcd2c64746e93d56e701a8b8f3

SHA256
dbc45c9529de4d0c1f8b743f2fd3fd37a31fcd14f918e1536d5cdf1d650d0763

SHA512
d12929ef9f5b45f3fe8c2f67510f3b7aa7b4de22f87d845cfbc8c66f6c337061cf885ddc6c36967862408dc3f10e57d0488c9c93f1a88d3b355810610903eb87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOG
Filesize
4KB

MD5
0876292f74d6367e04c9d3fce2051fdc

SHA1
ee7568b9c032a429f141548cef3eed68f211ead9

SHA256
da5f8363417daea29034b6eabccb4093d0268a0fd9a7eaf9855d1e235f42a703

SHA512
4d78a50e2957187c3611c13b06d1e8cae4c0870498fa71351347323368fdc0b013e2498a1b2f90a605452ac7a5ddef9514bbd35243e7d5247e210efef4ab14c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize
855B

MD5
4def3d0412f013eb7ecfb797d2670c12

SHA1
35733ebd3a6c59164306704ebc931d1eabc076af

SHA256
b3db449affcd5655c27f76945689d6afa955ba11477a407d24a3d0ff9ed5ce51

SHA512
3005be7fadd0c0e08245d90a8690fa8c15fdad4dcf6cac047cd3a5d2054bed39f119e2dac803d7e6141b5d83c7918899c86c3bc666b93c7e542127093093d2e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
12KB

MD5
241c6d6ae32b1dceb1c658dffb848015

SHA1
52311292e58ea776388491a1db738f71c233484d

SHA256
6acb66d07939519fc3bbd41bbf788394803f00055591dfd5a9807163ff668583

SHA512
f54d62bb48649b7475d353a35c79136313d09ec81da09a871bdb16fd48e8e201998cdd98916ebbd1c6bd3517fda701d9d44d3cbd589c47bcb73ee59073d86e6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
9KB

MD5
c6abff53abffe787fbe494f27c364894

SHA1
4f60428262d99440fe0df43e0aa20bc294cf86d9

SHA256
7b470ddb6643e74c3cf703b3a43fe0edd76bc446f7d91540c637fd78d53c40bc

SHA512
4e084270029ca6e382ef2b3cf13edb4bbb2b0b29874014432da11dda86453a9bb739aa6cee9efa67d02efadc696bd115e5cdf1cccb7cfab33cab375e533ea45f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
12KB

MD5
053e68f5f124f6ec32967cef795d8276

SHA1
7aca839382c513091839518f9af97c0e0d2179c7

SHA256
daf32056fac11559c6d2f0f1df32f90b67dafa130081782d0080b07058f4d8a7

SHA512
e12f3318a24e652d1b20bb6b00c10ec97611526aa8cefdc6c42240d9be884a5777e6baa9fe0c0b45d7f0ce9c85f01b432afac5932648932273d56acac142fff8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
12KB

MD5
5cb3f1a16f5888dd3f53975ee620176d

SHA1
ca95fef6d8285f61d01aca2be28a6b91160d7270

SHA256
89a29dda271952a28d3e482120546b06f6c6c8a7687401871723880b4d5b4f88

SHA512
ede5ff53282357032ff86314fad1d37c04120b1152d945a2f12208549c4bfa2f0d2d9e48f53c2cae7fd83af7d6285c271550216232ceac09be9f29ba3ad81045

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c0ef6db8a70fa341c29e4bb67fad1eed

SHA1
73f8e0102cf73a3b3e343f352d7b1d6bdafb634e

SHA256
38233b2d344b2dea44c0033b6c96ff1efc3d4087947b7bd5a023327d5b5ca263

SHA512
7bf270468332dce3c9424459769569afe27a39c400987b3137c30b859b6fb8726a5e990f4ccc906fe79fcc3fe1dfbfe345aa1bebbcbccef8aaf29828211ff2b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
392e41f9a7c493968ae3c0ea34ce4d83

SHA1
a40613980c960c9294f1d8ded3edb1f73e1b85c0

SHA256
65554502ab3205bb16104a8cef12f5c130dcec95cbf54b544a49f0519b010a0a

SHA512
d164b4d333dbc67f21d163d6139c39d0f37abeb62c27ae3737e6207f5d8a595c2e856b50106452dcab844316d4ea0190cbc181b1221c4306a51624e3f576d924

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
859B

MD5
e03811cb44fd7cd26f735dc2e2aed0b1

SHA1
856ed0a121f0d79904af0f94db40d262375f0a0b

SHA256
6a3916a1cb8b352e217b69dfe2a0119485d908e9de4c0a2fc7411347e69de141

SHA512
fe2467e80b0818751517ab76bb05bd24e49c46703c8ec19a1ad3a290bfbeb47e8abe6132bcd1bf99ce995aeb413a42064d2df83bdd3699b1ab90c6d644db03ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
859B

MD5
a2bb1b1765bae474bbe1c35c1c232b32

SHA1
605e8eaff265cd7e38bff1f049076de91724082b

SHA256
cba4d0beaf0fcac9ca20e562385f4452ce068d481be4bf13ba64617860e78483

SHA512
b5a61c4ee0cfbdfaa415e027899b748cf5a00862a482fd1f38d3ac51b280d2c0f13ec3d4028f85490aa0a627ce270bb54f8b18d4560ad0e4f66d1129f701cf0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a399aaae7687024277ef3655cab7c56f

SHA1
2c9682ebc82c9626498e765f96452913826d5d4b

SHA256
140b8b14390c202f6f5ff8e1d2fad1cea87db77dec5cb8da0a8c49bf6fcee5cd

SHA512
03d4e8f5c4f95ff1a6d7c523cdd4e830196d659f9692eb661d8b1c2770d475a406776fd04c9e9d996651a9bf13fb24f72ed8cd6efbd90f61eecd29b2c1cdb961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
6cfb23c275747577d2d3ad266155b6c8

SHA1
e572604eca6da54da0fe79d5603e5f8bf0c573a3

SHA256
94f2f980f6c4bc46074e09bdc6ac11fc30f18e44e782bb7ae98990735db03e0b

SHA512
54b39a3fbd5201b31431d2574024f6ea1c7173f59fbf5906022f797e1a5647201db20d0631cc2272dad7a62f8818e7b632c81333fb013bf34800c79d5b04907f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c10219f09a5a9bb2e647097647243cd2

SHA1
d6dca94c41c0be2494ac65d192d74b23b8393178

SHA256
7940231464881a2153eb62ab775e93fe7bcc9eb2c5b3aeeee49500fa912fe346

SHA512
1b13a4e3012a243af0306e288aa88b7671e63772e588b610f5f08dc22249122a439308919ba28966a53ecfd0f03957780c4e94993ebb190bfb39577f71e545aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
410c8b5543c08b621a16229ffe5d9cc6

SHA1
d802a90e74959b734e649fb34d1329dbbe20317a

SHA256
1a0b09f8603f851a0966afc5a919b5c3eae4022bf13cdf47978148ca59155395

SHA512
67bae33099c9f69db76b88d5c766a02c0556b117dea05be49095155d950421f17cc18f3ca9cfe46aa8c152ab55a340b295bf7fcad313fd7c724829f6124dcba4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
91daa7005e99b24338d4661874f2cd6d

SHA1
4dd1def5f2be1b03f1af4fae3c48bb4f6614adad

SHA256
0c915b1f2814c4fcc4f86b40c95fd40fa665f7bf83918cfcb21cea9979f31840

SHA512
227fc705a32dd784c149c293a6a0fd0ac07660ca949625361f64ba2084df1a27afd9ced3331ea6db4e444922497d86dff232f3a945cbc6c9a6b51823b7db725c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d6568da0e9d049f2c75fdde2c0875973

SHA1
cc81c71472239eed182a13970d2f7bb3d04e0a5e

SHA256
1c7ccfd5f5e3249abe29256954223ffcb8d0ce1ca5d82c64b2cd7a3abec5dca2

SHA512
cd10e9a9afe4eab8a4f267e8848b0bbe35b2ed06b528604378b0b702d580895b1246849f2b54247acdc8a0f971e9cf997a2eb3bf09d749c39f3e5ee2c557d9ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e56af80feae76efd2e8be6a6751fb383

SHA1
13d28baa99d8238a0c684fab58e0bee13fe69754

SHA256
6b3854a379a613922514424c1f6f1a075da607a4db0328e56d25c07790c10fa7

SHA512
9a0238871c3625cfe4f0ab29986bafb81bae42bae4e0845ae3af0d95b7c4785f6d50539896e01f2285dba9f6cfc9eac8753f9202e9b59636515845b6f2ede648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
436b77b2813381afb3b9468741e2a77f

SHA1
b3b585bfe5d794e3544231e971c020ac15a36659

SHA256
5003acba0c8cbee4bbc94ec7565a8c1061004646de5b2c37df435a4be24a4165

SHA512
5d74f76cf0cfd1e0615812a798d5e8d24419d0f51ddceba3d48bcf90981a18ed03ca2c59c313c5893247ed90772ca2db9a5a2b8d83d09bb2a6b184e04950ee51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
97911b5e5542e85ae15152b8f96cda21

SHA1
14324d0b35ef31c79f87c74591296c30d7055b69

SHA256
15a7ba01edc82fd6e16f1708b88348324b79c5495de5902e78089dbd2d387066

SHA512
76f9448189c750519806ef53c05881f4f177ac5c30e53e37f25cc0d63e94f562144f7141d33a3f6f069c48ef74709fbda2d88c4523c9609beece5946b6a4b487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
43b47209e1ed17bea6fd99e27c24198f

SHA1
2ae70fc5d70b15da2b417cf31d7563b4ee045734

SHA256
c2786e617f5b17869a0199a96c5cba7c85e689780a4c3b887f26d6c229335ac8

SHA512
728289d78eebebdb01fe042cbab1ee1d88e23e087f9573b393f176c5f2725b115e9c6a537be8be0a6586cbd6d3d765fa5f432fc7723ec85b025bff065b6e9ae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
321ea0bfe1e1cb0d936a0349429a4753

SHA1
39f92562900ba34b06c8f27a61a79194f1c5c1b5

SHA256
4d01a4bdd35a3da05b63d7d5a407d5f154c1dff8cc07e85108a7656195e9cd57

SHA512
29dfd22643c24400c75fc585ec877cf172d896fefe7746da203ca71fb57b1f27b72de0cabfb0cded82d5f451df04469f99ca4c962328196380169989850345f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
10e726f64d608d9eba500ad6e7377bf8

SHA1
33333b9ccee3d58f387f3edf60030548231c0300

SHA256
1f8617529c5256afde303933342627c3d783f71931985370a047b0585efdb099

SHA512
f9ec54f922ebaf0e4db349b4a2452db12bbef84ae027b1ef567051ba70ab709f0bc40df75cb9fbfe33224f7079152446e7ff1aeedc19483d2a184ceb984c25cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
16KB

MD5
11b8c1d2ed615dc9c90bab2b40af3883

SHA1
8e1ffe250d507e3d5ef9e7afab40e94c76d73c47

SHA256
4db099629a845adc46554bfeffe3f78dc580306770bc5b0197e4b18be4c0c12c

SHA512
b76ccd26d06720af34f3836f73852a4e41ea0d8c22171747ec067b2cacf0649a8748d92a8528402b5b17a34cbb2fa6d97e264643cb9b656f09421b1952c61cbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
4a620977da6dfa92d04f89d6a8001ab2

SHA1
e9bd9c1035a3e4db3d2f944d9014f916509a78da

SHA256
f4d6aa731dbf3da8a5aa6c73c487d55f994ebdc54375dfdb58b8ed903dd79eaa

SHA512
9f2700cc7376fcaf2efcb567bf5cce7f51a5eeeffd70ab86ce07ec0b9388514cb51b0ff6412c929366e814b6b0520148eccd436c17bfd0f41c468828f0cb19e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
12KB

MD5
27ee6bd6358c29578adbebb1f76b38a6

SHA1
9424763ec475e8e4c9fe854f13c96eff2d9ae95f

SHA256
558e5f7e36f368ac7abc6da8e653066d2205d2fdccb94173c3f64e6befe4361f

SHA512
504efb2e2857a265bea8fc03f9f2c237081d7daf4c6d8fc3513ecf4b324cf01c2e4e9ba0b492e3e98a0bbc9e114b2e0de714bc7a5bc477dd206045cefd3f5421

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
7930c656c13e75ad494c90a20bb65aab

SHA1
a19ac44662eb1f2f0488c3207158f44952ce46c0

SHA256
fa363945fb3e06913e1d24d19cfdbd72a5b4b28bdf1b2da06bfe3dd4c7affeeb

SHA512
307c35c74dc0021d092cb53e1773caff57734d708bbdffa2b1b97bbd75c938eb017653e023dc591327a72600902be92848a2dead33debc0bcd0f11456d671e8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
15KB

MD5
0496edf071fb7a211e271c24fd9ce2f5

SHA1
b0655b4e65c04c97b933bd14e225b3d872aed0f1

SHA256
6903ca0e9137219b9a8f420d84523fd13ad56194296bd9133abc05a1baea4846

SHA512
507c4a9d41ccdab5b8e4e8e824d8f32ba2b1faf34fcf44e164c6e5cf7251884666b1cd531f47f59e805479a4581389db7dadc8a411a6c7c354212f8ee65d75d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
12KB

MD5
2fe3b8d3913cd46a2f1252b07ecac2b9

SHA1
f9da60204a5f8d81cc5701daa1a5ebfa392d2bb5

SHA256
f45ee09d9cd12df6f899de2fc487bfb0e181af4359bb0596926b7c522fe00cd7

SHA512
b7f7bba55f43fc9e89ee4ef51097628b8b950c51e9f3d2a07351065ad49b91831739928bf0e44ff2171fbfdd718d6e79a47ac04bc37a39b988b1e30c92b67b57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
14KB

MD5
12ef3b33d98568a0c2a2b1ffaa05e483

SHA1
16a5ffdd3cf0fa7749acc94675dc61dbb4e921d6

SHA256
561395f3bc780a982224160bdcb64519bdff68ac34324c6084da0c7b98cb2730

SHA512
fa9ec5067f04b6ba9e8905239f5911d50562ab83d0864d6003821cf94a4558496aaabddd4d222be3d41e900823f87600a540f57ff42bdd809ff54f2946fe513d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
14KB

MD5
25147a0c140b381aa67b8f864b5f5455

SHA1
fe586b6af57a001fef19cad48920aebb8856636f

SHA256
c80558975f0b6922e308e86986615d380ee2542e757f7845fd6dd78c6b02a35a

SHA512
2cf3a316d5eac4337839e43bb4cde918f6a6d7fa4728cae5bf9af19c5302123d9807bbedb7654769ce0fc77a9c632f6b4ffac9ffdd90a06a54ac88c5f2f8150e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
15KB

MD5
e909823b8796fdc60cfa4754ab1167f1

SHA1
ab78654eb6cde4d1c720ec84f57bad7f0585c376

SHA256
86055da3e995e330051fef7d8e4d98275707d9621fe8af7ee9fae0e09afcb2a0

SHA512
881cf051f1113780805dc1a6d997ad13995eeba21a1d2732c57dc1f05b44ee9a8c061638b6220c7baa0d1fbe48979acaeabb9860d4cf6e5fe9f8825a8287f554

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
13KB

MD5
ca0df5120fa0d43a1f79f5847a4e9703

SHA1
6c95067998ee01b4b62875effb6a1c6d2983e483

SHA256
5d02c90e735b6befb038e5668b1ae2ee79a0347e2e48294f53ed74e74c147e7c

SHA512
ae249ce0393233f2829a04ca9ed797790de884b526462b3e114c03df5b3232883ce245917b24c4de69c1b5777882e981a4a6df9ec71764ce0a2cb2adc00554d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
13KB

MD5
845ce27ccb0e42d070f8cd4e98ed0ef1

SHA1
fb35947a4bcd4371c6bb7ea9ea993dfb8b626049

SHA256
2063cd7d8283641f74d22d2986e6f7f3a345c3264ac330dc089ea25203953de8

SHA512
1483130a32aaf3dfe565ff1b4470688f6bcba278606d7233d4cb7a5d85add003745f8e8ca8b0d650cd55edfad41ee58832647e89d5bc0d24c543c9bfb5ac50d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
13KB

MD5
ff2098aa05b0e08ff82293036a9fb5c9

SHA1
2ee834dfeb235948cad1cbb684b1e99b64e8dc9a

SHA256
f7bcda4eda4b6714fcb7e159f473c296c20c256d2b2277a50971947623cc798f

SHA512
5d8d9959f90e13858672d8e9c7207ca17c167c2a7e3eee00077ac090d3257f119d41490c88f9ef7c928f09e36a919b20e7fc5d6e31068167337f176b1632d75b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
14KB

MD5
dbdfa36da50c4a661b738810f211f7ac

SHA1
46a0f7eb317e58d1bc6701fa33f7f5dd9d82a7ed

SHA256
ffc250f143914f0e17a17f7f368934b5f803df6d1b27d44ad45afa502974df27

SHA512
938e6c5730d9302a72636598906899a8de406bc06d6202545a3ca5ce34d24cb7a08de40804666e61ea9ac9fcdbb0f54bc0e02cd0f30b6d5e7afb689fbdac0139

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
15KB

MD5
aab48e4ed299d5e25f1c7d049f504717

SHA1
06c0c74208dfbcc032f60873c99cb38147442ddb

SHA256
1e883f1c5634825024e7eb76eff7031f8cd4fa3893c85da3bf0d9b8d79812586

SHA512
f971a945e3b2603c99b1b211cd3d2ce368304246e919967c122bad9e42193821882c29145e815684b526c03e218f548928681076becceab67e6dce6d4e6e90f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
15KB

MD5
40e36ed64679a769fb83437bd39517c4

SHA1
581fedff0659f92c0232465e431f525c1163567e

SHA256
ca87ad83651a4f156f318cb0b739bcfda771505647e972ee8ad170d60822dd5c

SHA512
6b7b1231d29b023f80b94f596c0fd498e06665e3a2ee122d658d461ff541a777931110e0ab668c846b3c102a00cb8769014cf2829714d6d3d70eeaf0dc4ffe0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
16KB

MD5
d4167017f69ddcbd0bee32dbdb179b3c

SHA1
417c0d82e23ab920d954a12250a58c5c737b0d1a

SHA256
64b32cb2598e135f18a4dcdc70210f7822a078accd6295933372f453a348d59a

SHA512
ba408fafdba51d80598d36f13195e0cf10908ca91f06c1fb9aa8b62251483710b3ddcc3b7c0bcdba35a13b9b55c17a4e1a80b3073864fb02daaa323492d3b8eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
14KB

MD5
94e25b905249fd70d097167375e3d731

SHA1
b08d5383060726a625ec393d7d3f91ec44a60089

SHA256
48c826aa5ad6e9bb621667d343533ab0e3ef06b7e774edc5b7edcbff13bb352c

SHA512
bfe43a55daf6ad604e2fef7f4e25a1e318cbc79a178bfeb476738386921356a7e460ba3720e22e45fd59c1069f2f021b5dc77cb70c9379d9ef583be2072d9a16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
15KB

MD5
da3363ba07e7ffef5f2a045c756918fc

SHA1
46577c6c38bb58c7a817b156420fe3a51d6b0644

SHA256
7a9beadb3e4e091a471c9cde42cdb63e879e9f7803440b65eb4e130369af3edc

SHA512
38708a54aec0c58e9e91350dedc9bd843d7468f891f4af7102441282f6c8703fe1b75985ffe2820a75f1af51ba957e5eaaeef94c704b4fb05ad25971e5610920

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
e434ddcebfcbbc0e4b9d196642676d28

SHA1
c7919bb0a51b444916dbb388da4922f753bf67a3

SHA256
4337b6bf525127504f7e8d9cc1b2f423939015e00550510a7e45190b8e3c0297

SHA512
442d9a55140ec3e28bdd1e9fb320f963e908a9a2b1411f2362eefef8da909bb6682074668b662444a7f6f67bde98cd3f554b9b318f969bde7c16c6c607d0740a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
7971c5802898f27cef9c43779e361ad3

SHA1
74c27f29b01fe1fefbfd78907c1633db5c103ace

SHA256
d43425dab4f4d00ebe73b0c75a351b2c1237295cde86704104e32a80a6450316

SHA512
5004b60c17da6d67dcee79982bb34f15dace6284237efc7372a8a06fd7076ca17f1fcc107adde51728e43e2149df272e75579719597f9a4435f64619ac4a4094

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\2ae7b979-baff-481e-8e67-abcd729a1df3\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\cb55a2a5-524d-4227-81cd-77d1138a47f8\b9ed6afd3d0638f9_0
Filesize
2KB

MD5
9f37ae00b0ac5c3b4a4fc1ed24e8f775

SHA1
ba718e1b4c69532eafdbcc927749f4bf7646838d

SHA256
9190e23c50ad359c908d7edb736f80a259c316e45b5066e80e484769607d65cb

SHA512
271850ac61dcad12ccabc7af84eb6d12a0230534705a14d0c1e219236f2fa90e41cf15a4ec5cad46653744f0fd409cb67038c7174b298ec38735324070f79085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\cb55a2a5-524d-4227-81cd-77d1138a47f8\index-dir\the-real-index
Filesize
624B

MD5
e21e00f99489a4f10d0a38e092a5b189

SHA1
283b49e67b61e768def7cc57d2d1bb57c4fc4097

SHA256
5b8c1fc8368f0a1a4066d2afbe8d1aaca5ec39a3a63672c217d122d6386fa3cc

SHA512
fd01a39b8ef7de306d926834feb9f4ee566215dca5736b19a91b4e6491c7cef7bdbb4e8f37f0e97588185b8186c4879d520cbde3f3a5aa641d80e6b4be778239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\cb55a2a5-524d-4227-81cd-77d1138a47f8\index-dir\the-real-index~RFe58c5cc.TMP
Filesize
48B

MD5
9695765f927a2c690fbf479506a44ad4

SHA1
c3977f6d909ef8e6a09870dd4ddece36f52b917e

SHA256
3d1e7e92e895bb0c9227280ccfc93f863604b1b348f7e3afea6bc873b97c97fc

SHA512
d264d48a2715c08aca0fd3470a8850bb98b7d9a7d51271cb54579be0e766545c8ff59830af3d9b99febfd780a995ac9ccb5cb96638330b19615c9a312e6f5e13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\fa3f29d9-2281-4497-9361-340482f92580\index-dir\the-real-index
Filesize
2KB

MD5
faeef49f885525be6045297cab10591c

SHA1
e3bbd10412e61565f5fc31f83e20089c7b3b75a0

SHA256
09f0c4ee574479109cc9f809b3a38fd91478e404707f9615c855b12840c10748

SHA512
fff4af140f5a9d6af4a8722cc679c04b4eed8cfbcbe55eac351459df79eb9596e5f856ba8ce120f318dbdea98a268de3829ce16d0adfb5ea30b2b08e085489d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\fa3f29d9-2281-4497-9361-340482f92580\index-dir\the-real-index
Filesize
2KB

MD5
dddb526bc72d3ab77c5a8c6ead7f262b

SHA1
eb0acb8e0ed84ca67dee7af2fdba50294545126f

SHA256
7be4fd92631a4258a5c13410aa3ca8987f5076da8f74c8c69505d552e7f817d5

SHA512
0fdc7f27894902a2b06dcbbfc31a57831d3908c801f9658b3c470443010de592d2336f4198aaae41d3f093c1d58b02e0155721daae660c8d2c0b54ba14e467b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\fa3f29d9-2281-4497-9361-340482f92580\index-dir\the-real-index
Filesize
2KB

MD5
1bbd68b025213af8544716078f01127e

SHA1
0ab6dd83571e04bdd0488d8d2a47444b971cd08e

SHA256
ad2a1d9da2966e690c7c307b2102a9da63e1d41287a1a10378c62adde2a1d600

SHA512
c154632fc76cd3922839b3e6fe110a558bdf1a56b9cf627ea2787dfe03d20eec2da0c861ef9aa4d4729edae75df70c36f1cf90b1acd7f4e62241c2a53be54bb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\fa3f29d9-2281-4497-9361-340482f92580\index-dir\the-real-index~RFe586aea.TMP
Filesize
48B

MD5
5e09049a4122d7a787ef7d11e95742be

SHA1
aab9b0f567d563bbf5058c8831f3d83288488bad

SHA256
605783f2a4921e28b18cc8c814466e93dd062481c5d40cd30cb8dabe80687f5f

SHA512
d362f59c43c387d3d35f4ff769468dfa2e06e873b5fa5dee2caead243aea7c5923205481627d55e0317e76f2815f6ffcc2b859a16f50b4dc6aff19f328bf5619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
176B

MD5
6922446c978726e5b29d24f17b21e765

SHA1
958dd4caf2d9366528ab25e769a15d27aae7edcb

SHA256
e0eb684d40d1f77d32f9174ef867e5ad409e82fd3bfdcb1b51bd3afd3ddcffad

SHA512
a6f88c5049bf9dd24d63e7112bf9f4a9354bc91fd3b7a45b3e30e43e37ccda394b6602af86951a8f02d82fcf5bc27e7331009f86321883f24f9e062bbb8da672

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
112B

MD5
a357280cc9e7d851fbbb0e76cd8f1e20

SHA1
87bf02465904ee990c5dd38106e1a87f0e9aa672

SHA256
487c812dd58bae0c014427c93006036b1c80d75e6f881581ffccf3a9ea2e4e02

SHA512
41405baf091293a6fa9e457b7158ac133543565c60ce3a08a1f1e5975ddaa8c84157648f333f7277b6bd000f4dfe16a083390aa531fca188fc764bb54b116741

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
247B

MD5
0a592e060b5b0d7c2d309e420f6628b5

SHA1
05503496f7beccce0581c80355a9b8ab88600cca

SHA256
4407927b570955260fa5804203860f3b7d44833414f8d93a35d4070174059a10

SHA512
e25b4bffd7e498fa23a6d8685af4547ca0392ee1caa89f4cef6db61e7387de2f51b561a40fa9bcd8c0aebbf20acce455ac5135fdb3238c82ab40e645a5b09a36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
114B

MD5
f5ca7d960b78508012ea1fcfcb7c90f4

SHA1
48b227e276d7b47d63b1d30f109cbc97024a3456

SHA256
3e03c0542281828ea693f21777fe00e9eeaa4251640dbf2f93069697fc0e8727

SHA512
73f9377ef10643a8e67b6de9e78eeb9a202f7e69920f7d1b3d4537efbb8a10123f7bc6795cd83c4311a87d16244689e298475a897663d98b2a3cfd096a7a1160

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
183B

MD5
79315eda5990dde82edbfbe0c8d5b8d6

SHA1
e7a09ed842c4b11cee00572f0a0056f725d486ea

SHA256
0fa6ca949f802db145c0704e4942e484b2e0eed851a4bfbac9b16c106d841314

SHA512
b14ee7786f02311a76cebf184f72cdf72636f9c9b3d8f563007828c628ba9a5eb40f05ca7b0d1fa048eb1a7fab3dc8b96347ad79b57b9377fc6ee5e98281b998

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
178B

MD5
4b799484af22012972f7486aad765a34

SHA1
106a6a1b062fe47c0919d82219516d0ccb7faf01

SHA256
f6fb0e94e0a180481ec47ed7d27b552324136aa0c037fb2c48def9454f430d23

SHA512
689691fbf2a2e6278749ef49a25ae0590a3ce46da620ce9cb108060454c3eee5c2e6daebc35e963f1beece6a48b30cb670d5b65d4a6cc0115e4b71fb5cf0ac05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
187B

MD5
5f2902b45976e7c132f632bdd751b015

SHA1
463a44d27b1b8a8d3a87d8c6f708937de2250bef

SHA256
c582257e32432e16439257a097a392ff37060c32b590317e4925480e23cbc5b1

SHA512
5c63f7236701c1deb60479621c3048266d46cb01185dd2ce6fe5eab89dd1cc579593867489374c7fc3fb0c8a717de2f1cbf524d02171abf4ab12e10b3b1331bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
183B

MD5
8296fcd943d6060ce0db59df568781b2

SHA1
eaa4998b638428399207c4976a9e42d94305b08a

SHA256
4104c92fe60ac9a66f17a06d5bb8444cda32f2d069102c05eeb42f11f03eb820

SHA512
08fbe2d49c813ead3d0e33c82546c855e51f2644c166dc3189bc24c79351fd48378260bdddabb24a93f7c8157ae547e3b6a166c2717e89003991fcb7efdb444b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58607a.TMP
Filesize
119B

MD5
ddbed3a00abec97e4abf909daf89dd41

SHA1
adfa77ad35cba22454414d6ef10f9fe3a93023be

SHA256
d273dc5d5db6877bce34e9874101467c281af35d057fc5d27246e6f4f24ad86e

SHA512
c05bc3ba2ecbd8da8e6c1eccc9a826253891d6516097f94e38e239aa382874b8c9fed05d00a832cba753ca30b2904f7f8d6ad78799acf52809ffd6058e8d7e82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
120B

MD5
3a6910580cf57650a48b417fe46a4de4

SHA1
c91b2052fe86a5d2fddc1e1ae56b53ade8424c25

SHA256
97227f3b149a01e7cb4975f226fd8557587ceccf171fc371afa4d0fcc7fbbf7f

SHA512
023cef7d01bdf07dcd80ab4d1908df4684e5e41116986c5e0cfcce29c9e2e3aa3282c1a759f78995bbc1930d7f52203cb428b10e61a87ad3b07ad37c47ebfd1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb
Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0
Filesize
44KB

MD5
e6be7ea33d7a1fc8e3e5a38d3a0bd737

SHA1
b0cbbdb350e591355c5602af7e77c3acc8c791d8

SHA256
479c47a922a20ce8d6437152f366547e573a16ac285e015d04344003333bf3e9

SHA512
81b662c67dea3abc9d7b85fa4dbfaad54ca1674f42955c43723fe40756830577ac83fc8be1f6d49970349984e4b289d105fd98b0b4e15710ce3a758cda03f3c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
Filesize
264KB

MD5
96b3a803e764bf94c4d429c0357376ef

SHA1
51546c8c435d815fc96a7e75919b39ad863ed5af

SHA256
e2d7890efde69d15aaa544d12211cbd301f229075309ccd14daac1e4e41c5fb4

SHA512
0b58b21e336e5d4630532bcbc44767511b427ead7de2ede3ace1649f4c4d9f135c6f6c9f98f8707f270fb59d92689bcb17367609ff2ec9a86576715ca2268db1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1
Filesize
264KB

MD5
ca8b376a040578b331493d1340fef847

SHA1
8e91dfd9f11b369b183d99071b5a6ef070116108

SHA256
7eb9947567e1e31aba84f269013f15efaca106c759f7437930937d8b81e5bf28

SHA512
9d02838636efaf249fd5901282cbd45ed9b6a290f02d0355178b7f63fcbba6a8930ec72195a855037b24eed8c8debfcba2063be72d5d282c5477ca658114ae9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
221KB

MD5
6a999f8fb092356db897a25b89dde7a2

SHA1
f8a56afdd5bd9e37b159add3d284a20e9d9492d8

SHA256
b9672784083fea1c0c5d0146bced3529af88b3ff72b816846a2c0b660f254604

SHA512
73db6f1238a8e7842c485d2b27c13b0cc0fe6e8603516e8dd8634fea7be6e0a04ad7e2a50cea66d48a9ccc43ae3094085c2859a2a4ce7aa5add1cd060017bcb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
139KB

MD5
369dc6646d6576817b45648d8a6b7e55

SHA1
be47df6723e208308e7e0318e43f904550cebf9a

SHA256
9ac7954f12faa95be4551ae9554872e4ccce007169f4b278c53db3e8eec4bb51

SHA512
5df98b0f57e0a14e51229db1bead45b774500447a13786ae1a52b497035c30df795a7c9cb61eb8fe21e66875f3dbded1f7d25498cdacb1aaa7aa301f30b29351

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
f32c738b3713b1240afb89f3e6e88f21

SHA1
6ac8113341d710b29ff5f53e25adb29fdf164edf

SHA256
c30175efd9edebc6433b8608abeb13a766124b2caf36c744832bd486c0605e5c

SHA512
18f10575e79167d550ed0d31e9be3a5aafc03ad8ff7be00548c883d209eb80f8e32310f3924413501d7c3c8c069934a8cce331517893fe31d0d7d0f5b7b0499f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
221KB

MD5
20878d7e2d02143262dee9c5ba4163ff

SHA1
ef01bccd3c5202862648322d9c2ea721acf4e59b

SHA256
0da1b85f92f7171c579f5ce91b64c4038d27fc4564af16409d7cae19d49e79a8

SHA512
a8700fd96fc5618d89c058efbbb0089058ee0902102cf86471c2f57f322cd56b5277410abedcef6defb901c1012d272a0629100587c6e3d7c0c5c86d335f477a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
224KB

MD5
eb36e488adb7bdbee17ff485f4847d4b

SHA1
9fe5a2ce5331d327eb7c637c8105536315b12d19

SHA256
40d1808ef44f4f9fb60b752b5eb155a4fa2a6a24e68dd79c874ecdbd038d2a8c

SHA512
6a7c0ee55aad1ea2a6cc35d438c5db3bdcdbcccdd233e8c3139c9ed47c2c4b6fb8748ab8218b445449c2ebae8ab43e20150b9e7c643f6c795f9fd73852d17929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
225KB

MD5
bd3a057f6ee41dc7ed7b0ed15665e6bc

SHA1
dcdc131954d66430fd9e94097aa21ec7086c58ce

SHA256
e09a16b0892a609d22d049067c39feb7894e0453300fc5752a3b719ae8f04b7e

SHA512
cadbb9c5395506c84bd09085b71ce7605f8310996d64e4f7e54d257d8a216980c694865f9a5b8418f73b24406e5561fbf7b54144947b1523832cdde120f57c98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
225KB

MD5
86bdd29016398bebfe7393b2c4535381

SHA1
670a79c5ea0c678010b67ececa1b91b3cd5a6905

SHA256
7c59c3790afc26e44a8a2a9a8c788d4a215b9f886635811fbf88122bb28b5d20

SHA512
760544e0afe10443179d096cf123211b467e8b7327906199bf921a24a645bcceaf2978a1cd872e815c784cadbf7fa5f347b53463de06422fe8b83d96a7bbe104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
225KB

MD5
8beca031b6c040b2012e1973a1e7b44c

SHA1
88f8e0df3ee1bb10a89de7a9aad8db33f5a1ba8f

SHA256
7441f7512fd56ab10f4e9cdbb95ac595d140975798a56e9dde1288a726fdadac

SHA512
5df061c87eb822f27bea84fff55e3a71043d98354c78d5858ac4c8c8e6fefbfefef2453360c10da123cf91528df8747743224d9b6cda168e89ff4726eaabb7bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
225KB

MD5
f5f8a4f52511d5d16d7cd2c24fee684e

SHA1
0de5688f848d10893ee4b2b3b3cad83bcaff419d

SHA256
abc8df7a6baf8f42073ef44a829e0826274290761d00def631804a6178c23501

SHA512
67522815c92c0d1776cac0313cee4c8439c85a8b301a417abeac1612118935594c7799245e034b1cfac573dd9b370a4af45caa1f35daa6830ab113c2c0df37df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
89KB

MD5
09f865ec7bb30e9d17355ad7ecd03ec7

SHA1
ea44a1a08362732e471025ef96cd90ff1a0892d5

SHA256
961782c74f29cb0d010a0870806dbae6497b09a6cd8b06d457aa379e78cdcaea

SHA512
16fc66ef003b277b729cf2e743353f75a5cd0b4d016d8be2537c4a046ad2fed9939134ec06539c759da4048be800affba69aaa091201d5ec5fe2acbb0d3f3db5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
89KB

MD5
f4c31189d421fc4d739fd30ef0e8bc57

SHA1
284921d92d8e26c1b7f715ef6e94ddadbc2edbe9

SHA256
c00737f2565559e024f76ef4e7221104dc9b13df2cb553c67ad32bf32b81103c

SHA512
631a0e86fd7f9a9c7bdf078050c4d3ee94434e57a5dbae37a88d6188f66e7be0fa9af78f4feb780de6132e6af8cbd3859c255d70b11d41b099752093cc26cef8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
225KB

MD5
0bdd0402ab8cd63d786991590a4d21d1

SHA1
87056227fc19d79da283e7cef555c659282b05e9

SHA256
3fd8881539d1201e4a4f220097af213639f5d114be38dc65874084e957246e5a

SHA512
47f0ee2234ce5159a7430a2676f6681c57063c72d949470f6bd1e8673b668434d46bc5fe2f4d96d4f994a7933497abac1f71263ff7a3f34dc1b816b880997f79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
89KB

MD5
7548cd2e99625b5953b8da703f342518

SHA1
5a7dc42d5ef184441f586692acf223594b2c382c

SHA256
0fca6b8c35660062adb23c88dcecde8f0aef08a55c1b7269e4e25ad5703da3d3

SHA512
2cbd121cd7f4f7e656914cff4a75e148c579c3c4960c6931a9d623c6cea5f809e2b9722a2a34aa2f73142d0643abe3d95398ae6ace00f2bcb9a623793dcbd335

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vm3fa1yk.vai.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
14KB

MD5
1bdb2f32b513bad6f4408ed472a678d2

SHA1
8874da3c623359cda53c976da314b948bec6fa04

SHA256
f12ed31c566c0331c8789bccea2df1871854374e4fab4c9adc554ed0226c22ad

SHA512
14b0b77cdb0cce1949ac0b638b2afbbc7b3ba37f6fd718f74f16924aed30b90afab8031dd7f23b06614a1c415dc8447c45b2c4714e042ce74a4f4f935e617b45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
10KB

MD5
4ccdf8fb1d5b0e686c692c9ed592e884

SHA1
434bab3c639c5f427d212f822105f4d0da175fa1

SHA256
686cbd82089883b4034480f46b6d3077743c58c48edafe790a502b5e3fe33a1f

SHA512
2e1b4b58ad17b537f59b93a197e9e3a7a999ae009bae0799b95c41ae4dd0c18753abf6a722923ca77a0080aa99611751a4cbabed83109cc2a3616c56f8acbcf6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
15KB

MD5
9a00024fa7b13b2ffecb49a8d6414e39

SHA1
df66a709d7bb8618696de3084fd5461d268ed971

SHA256
719ad4bc276de31e2a1e031d6853d6f3aab217df4ecc6c3d2cd4f5ae526767b0

SHA512
789066681f1baca75537621cdef3091a65f6a6aac4571a05d146c0506a4c590b447efba664a071267290fcc537a40512ac8421cf26fb796301c7317318d9d30c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 627920.crdownload
Filesize
1.5MB

MD5
f1320bd826092e99fcec85cc96a29791

SHA1
c0fa3b83cf9f9ec5e584fbca4a0afa9a9faa13ed

SHA256
ad12cec3a3957ff73a689e0d65a05b6328c80fd76336a1b1a6285335f8dab1ba

SHA512
c6ba7770de0302dd90b04393a47dd7d80a0de26fab0bc11e147bf356e3e54ec69ba78e3df05f4f8718ba08ccaefbd6ea0409857973af3b6b57d271762685823a

Download Submit
C:\Windows\TEMP\chrome_installer.log
Filesize
22KB

MD5
73b476b1742b73a903c37567ad458edb

SHA1
17177de275d771732a31bd0d361ebf6eb8cf7b8b

SHA256
3ab680d954a8fbe0528343b189d14bee1813f01df1ca4499c410e59786be2075

SHA512
6bc61a0351e68a4d6d2985456cb24c50f778f6dfcceca86eaf53bdb199ef593627ff00fa3da05b550a4359866f85a2b2b91ba6a88318dd03845ea3d31e79636a

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/628-3010-0x0000023AD2770000-0x0000023AD2778000-memory.dmp

Filesize
32KB

Download
memory/628-3005-0x0000023AD2610000-0x0000023AD261A000-memory.dmp

Filesize
40KB

Download
memory/628-3004-0x0000023AD2550000-0x0000023AD2605000-memory.dmp

Filesize
724KB

Download
memory/628-3012-0x0000023AD27B0000-0x0000023AD27BA000-memory.dmp

Filesize
40KB

Download
memory/628-3007-0x0000023AD2780000-0x0000023AD279C000-memory.dmp

Filesize
112KB

Download
memory/628-3008-0x0000023AD2760000-0x0000023AD276A000-memory.dmp

Filesize
40KB

Download
memory/628-3009-0x0000023AD27C0000-0x0000023AD27DA000-memory.dmp

Filesize
104KB

Download
memory/628-3003-0x0000023AD2530000-0x0000023AD254C000-memory.dmp

Filesize
112KB

Download
memory/628-3011-0x0000023AD27A0000-0x0000023AD27A6000-memory.dmp

Filesize
24KB

Download
memory/2792-3027-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-3032-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-3025-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-3035-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-3036-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-3042-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-3034-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-3024-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-3026-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-3030-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-3031-0x0000000000BF0000-0x0000000000C10000-memory.dmp

Filesize
128KB

Download
memory/2792-3028-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-3029-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-3033-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-3160-0x0000026331190000-0x0000026331245000-memory.dmp

Filesize
724KB

Download
memory/4212-3017-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4212-3019-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4212-3018-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4212-3016-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4212-3023-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4212-3020-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4416-2918-0x000002B46DB00000-0x000002B46DB22000-memory.dmp

Filesize
136KB

Download
memory/4788-3165-0x00007FF6A2FB0000-0x00007FF6A34F0000-memory.dmp

Filesize
5.2MB

Download
memory/4788-3168-0x00007FF6A2FB0000-0x00007FF6A34F0000-memory.dmp

Filesize
5.2MB

Download
memory/4788-3167-0x0000025F45C60000-0x0000025F45CA7000-memory.dmp

Filesize
284KB

Download
memory/4788-3164-0x00007FF6A2FB0000-0x00007FF6A34F0000-memory.dmp

Filesize
5.2MB

Download
memory/4788-3205-0x00007FF6A2FB0000-0x00007FF6A34F0000-memory.dmp

Filesize
5.2MB

Download
memory/4788-3163-0x00007FF6A2FB0000-0x00007FF6A34F0000-memory.dmp

Filesize
5.2MB

Download
memory/4792-3545-0x000002215FC20000-0x000002215FCD5000-memory.dmp

Filesize
724KB

Download
memory/5724-3521-0x00007FF799330000-0x00007FF799870000-memory.dmp

Filesize
5.2MB

Download
memory/5724-3560-0x00007FF799330000-0x00007FF799870000-memory.dmp

Filesize
5.2MB

Download
memory/5852-3041-0x00007FF75A5E0000-0x00007FF75AB20000-memory.dmp

Filesize
5.2MB

Download
memory/5852-3039-0x00007FFCB8790000-0x00007FFCB8A59000-memory.dmp

Filesize
2.8MB

Download
memory/5852-2975-0x00007FF75A5E0000-0x00007FF75AB20000-memory.dmp

Filesize
5.2MB

Download
memory/5852-2977-0x00007FF75A5E0000-0x00007FF75AB20000-memory.dmp

Filesize
5.2MB

Download
memory/5852-2978-0x00007FF75A5E0000-0x00007FF75AB20000-memory.dmp

Filesize
5.2MB

Download
memory/5852-2979-0x000001F36DCC0000-0x000001F36DD07000-memory.dmp

Filesize
284KB

Download
memory/5852-2976-0x00007FF75A5E0000-0x00007FF75AB20000-memory.dmp

Filesize
5.2MB

Download
memory/5852-3038-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp

Filesize
2.0MB

Download
memory/5852-3040-0x00007FFCB95A0000-0x00007FFCB963E000-memory.dmp

Filesize
632KB

Download
memory/5852-2983-0x00007FFCB95A0000-0x00007FFCB963E000-memory.dmp

Filesize
632KB

Download
memory/5896-2913-0x000000000A8F0000-0x000000000AAB2000-memory.dmp

Filesize
1.8MB

Download
memory/5896-2911-0x00000000099B0000-0x0000000009A26000-memory.dmp

Filesize
472KB

Download
memory/5896-2914-0x000000000AFF0000-0x000000000B51C000-memory.dmp

Filesize
5.2MB

Download
memory/5896-2903-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/5896-2901-0x0000000004E10000-0x0000000004E2E000-memory.dmp

Filesize
120KB

Download
memory/5896-2912-0x0000000009980000-0x000000000999E000-memory.dmp

Filesize
120KB

Download
memory/5896-2900-0x0000000000410000-0x0000000000472000-memory.dmp

Filesize
392KB

Download
memory/5896-2902-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/5896-2910-0x00000000091C0000-0x0000000009226000-memory.dmp

Filesize
408KB

Download
memory/5896-2909-0x00000000087A0000-0x00000000087EC000-memory.dmp

Filesize
304KB

Download
memory/5896-2908-0x0000000008430000-0x000000000846C000-memory.dmp

Filesize
240KB

Download
memory/5896-2907-0x00000000083D0000-0x00000000083E2000-memory.dmp

Filesize
72KB

Download
memory/5896-2906-0x0000000008490000-0x000000000859A000-memory.dmp

Filesize
1.0MB

Download
memory/5896-2905-0x0000000008960000-0x0000000008F78000-memory.dmp

Filesize
6.1MB

Download
memory/5896-2904-0x0000000005040000-0x000000000504A000-memory.dmp

Filesize
40KB

Download
memory/5936-2934-0x00007FFCB95A0000-0x00007FFCB963E000-memory.dmp

Filesize
632KB

Download
memory/5936-2874-0x00007FFCB95A0000-0x00007FFCB963E000-memory.dmp

Filesize
632KB

Download
memory/5936-2931-0x00007FF7E97C0000-0x00007FF7E9D00000-memory.dmp

Filesize
5.2MB

Download
memory/5936-2933-0x00007FFCB8790000-0x00007FFCB8A59000-memory.dmp

Filesize
2.8MB

Download
memory/5936-2896-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp

Filesize
2.0MB

Download
memory/5936-2897-0x00007FFCB8790000-0x00007FFCB8A59000-memory.dmp

Filesize
2.8MB

Download
memory/5936-2898-0x00007FFCB95A0000-0x00007FFCB963E000-memory.dmp

Filesize
632KB

Download
memory/5936-2895-0x00007FF7E97C0000-0x00007FF7E9D00000-memory.dmp

Filesize
5.2MB

Download
memory/5936-2867-0x00007FF7E97C0000-0x00007FF7E9D00000-memory.dmp

Filesize
5.2MB

Download
memory/5936-2932-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp

Filesize
2.0MB

Download
memory/5936-2875-0x00000247642F0000-0x00000247642F1000-memory.dmp

Filesize
4KB

Download
memory/5936-2868-0x00007FF7E97C0000-0x00007FF7E9D00000-memory.dmp

Filesize
5.2MB

Download
memory/5936-2870-0x0000024764290000-0x00000247642D7000-memory.dmp

Filesize
284KB

Download
memory/5936-2865-0x00007FF7E97C0000-0x00007FF7E9D00000-memory.dmp

Filesize
5.2MB

Download
memory/5936-2869-0x00007FF7E97C0000-0x00007FF7E9D00000-memory.dmp

Filesize
5.2MB

Download
memory/5936-2866-0x00007FF7E97C0000-0x00007FF7E9D00000-memory.dmp

Filesize
5.2MB

Download
memory/6112-3513-0x0000028D1B0E0000-0x0000028D1B195000-memory.dmp

Filesize
724KB

Download