xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
1513s
max time network
1792s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/3696-1-0x00000000008D0000-0x00000000008E6000-memory.dmp family_xworm
C:\ProgramData\svhost.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

resource	yara_rule
behavioral2/memory/3696-1-0x00000000008D0000-0x00000000008E6000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\126.0.6478.127\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4592 powershell.exe
2188 powershell.exe
4916 powershell.exe
1688 powershell.exe

pid	process
4592	powershell.exe
2188	powershell.exe
4916	powershell.exe
1688	powershell.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exesv.exechrome.exechrome.exeosu!.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	osu!.exe

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

Processes:

svhost.execphrlp.exesvhost.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exesvhost.exe126.0.6478.127_chrome_installer.exesetup.exesetup.exesetup.exesetup.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exesvhost.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesvhost.exechrome.exechrome.exechrome.exesvhost.exesvhost.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

pid	process
2724	svhost.exe
5872	cphrlp.exe
5260	svhost.exe
1728	updater.exe
5488	updater.exe
5852	updater.exe
5908	updater.exe
3392	updater.exe
1088	updater.exe
6128	svhost.exe
3976	126.0.6478.127_chrome_installer.exe
3432	setup.exe
2356	setup.exe
5756	setup.exe
5124	setup.exe
2572	chrome.exe
2468	chrome.exe
216	chrome.exe
4756	chrome.exe
5324	chrome.exe
3180	chrome.exe
964	chrome.exe
1408	chrome.exe
2604	elevation_service.exe
6004	chrome.exe
4852	chrome.exe
5464	svhost.exe
1004	chrome.exe
5164	chrome.exe
5708	chrome.exe
1164	chrome.exe
3840	chrome.exe
3460	chrome.exe
4800	chrome.exe
2668	chrome.exe
404	chrome.exe
1412	svhost.exe
3864	chrome.exe
5480	chrome.exe
3936	chrome.exe
5072	svhost.exe
2836	svhost.exe
2896	updater.exe
5856	updater.exe
1548	updater.exe
5340	updater.exe
5996	updater.exe
3460	updater.exe
5984	svhost.exe
5076	svhost.exe
3840	svhost.exe
5728	svhost.exe
5268	svhost.exe
3628	svhost.exe
3792	svhost.exe
5196	svhost.exe
5900	svhost.exe
5076	svhost.exe
5736	svhost.exe
4520	svhost.exe
4896	svhost.exe
4148	svhost.exe
4284	svhost.exe
4944	svhost.exe

Loads dropped DLL 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeosu!.exe

pid	process
2572	chrome.exe
2468	chrome.exe
2572	chrome.exe
216	chrome.exe
4756	chrome.exe
216	chrome.exe
4756	chrome.exe
3180	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
5324	chrome.exe
964	chrome.exe
216	chrome.exe
964	chrome.exe
216	chrome.exe
216	chrome.exe
5324	chrome.exe
1408	chrome.exe
1408	chrome.exe
3180	chrome.exe
6004	chrome.exe
6004	chrome.exe
4852	chrome.exe
4852	chrome.exe
1004	chrome.exe
1004	chrome.exe
5164	chrome.exe
5708	chrome.exe
5164	chrome.exe
5708	chrome.exe
1164	chrome.exe
1164	chrome.exe
3840	chrome.exe
3840	chrome.exe
3460	chrome.exe
3460	chrome.exe
4800	chrome.exe
4800	chrome.exe
2668	chrome.exe
2668	chrome.exe
404	chrome.exe
404	chrome.exe
3864	chrome.exe
3864	chrome.exe
5480	chrome.exe
5480	chrome.exe
3936	chrome.exe
3936	chrome.exe
3936	chrome.exe
3936	chrome.exe
3936	chrome.exe
1344	osu!.exe
1344	osu!.exe
1344	osu!.exe
1344	osu!.exe
1344	osu!.exe
1344	osu!.exe
1344	osu!.exe
1344	osu!.exe
1344	osu!.exe
1344	osu!.exe
1344	osu!.exe
1344	osu!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

updater.exeupdater.exeupdater.exeupdater.exeupdater.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 1 IoCs

Processes:

setup.exe

description ioc process

File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk setup.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exeupdater.exeupdater.exe126.0.6478.127_chrome_installer.exesetup.exeupdater.exechrome.exeupdater.exeupdater.exeupdater.exeupdater.execphrlp.exeupdater.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\fi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\it.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\ta.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\eventlog_provider.dll	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\964ba5c4-e582-494b-a1d3-27650f9ae2de.tmp	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\9f7195c3-44fd-47c0-8dc7-064b076a9c6f.tmp	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe60710d.TMP	updater.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\CR_D0107.tmp\CHROME.PACKED.7Z	126.0.6478.127_chrome_installer.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Extensions\external_extensions.json	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\lt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2572_1253763127\_metadata\verified_contents.json	chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\gu.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\VisualElements\LogoDev.png	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2572_1253763127\crl-set	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File created	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe5be953.TMP	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\bg.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Application\126.0.6478.127\Installer\chrmstp.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log.old	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\f6c812c5-d1a6-472d-957a-5f93e8d9582a.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\ms.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\es-419.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\es.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\th.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\icudtl.dat	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\f6c812c5-d1a6-472d-957a-5f93e8d9582a.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files (x86)\Google5872_1447366934\UPDATER.PACKED.7Z	cphrlp.exe
File opened for modification	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\CR_D0107.tmp\setup.exe	126.0.6478.127_chrome_installer.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\manifest.fingerprint	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\WidevineCdm\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\cs.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\hu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\zh-CN.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\vulkan-1.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\libEGL.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2572_215479060\manifest.fingerprint	chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\en-GB.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\el.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\chrome_proxy.exe	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2572_1253763127\LICENSE	chrome.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\resources.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\mojo_core.dll	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2572_215479060\manifest.json	chrome.exe
File created	C:\Program Files\Google\Chrome\Temp\source3432_323752827\Chrome-bin\126.0.6478.127\Locales\te.pak	setup.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\manifest.json	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

osu!.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	osu!.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	osu!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	osu!.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	osu!.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 12 IoCs

Processes:

setup.exesvchost.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643062857404616"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe

Modifies registry class 64 IoCs

Processes:

updater.exeupdater.exeosu!.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\AppID = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\TypeLib\ = "{0CD01D1E-4A1C-489D-93B9-9B6672877C57}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4334319-8210-469B-8262-DD03623FEB5B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{8582249A-7E37-5C77-A5F4-1FBFEAFCBC5F}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\ = "IPolicyStatusValue"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ = "IProcessLauncher2"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\TypeLib\ = "{247954F9-9EDC-4E68-8CC3-150C2B89EADF}"	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\osu.File.osr\Shell\Open\Command	osu!.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\osump\Shell\Open	osu!.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\4"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0	updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\osu.File.osr\ = "osu! Replay"	osu!.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\osu.File.osz\Shell	osu!.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\AppID = "{521FDB42-7130-4806-822A-FC5163FAD983}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\ = "GoogleUpdater TypeLib for IUpdaterObserverSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{699F07AD-304C-5F71-A2DA-ABD765965B54}\ = "IUpdaterAppStatesCallbackSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0\ = "GoogleUpdater TypeLib for IProcessLauncher2"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\128.0.6537.0\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\TypeLib\ = "{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\TypeLib\ = "{0CD01D1E-4A1C-489D-93B9-9B6672877C57}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\VersionIndependentProgID	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ServiceParameters = "--com-service"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\ProxyStubClsid32	updater.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

4280 regedit.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3428 schtasks.exe

pid	process
4280	regedit.exe

pid	process
3428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeupdater.exeupdater.exeupdater.exechrome.exechrome.exeupdater.exeupdater.exeupdater.exesquEFF3.tmp.exe

pid	process
2188	powershell.exe
2188	powershell.exe
4916	powershell.exe
4916	powershell.exe
1688	powershell.exe
1688	powershell.exe
4592	powershell.exe
4592	powershell.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
5852	updater.exe
5852	updater.exe
5852	updater.exe
5852	updater.exe
5852	updater.exe
5852	updater.exe
3392	updater.exe
3392	updater.exe
3392	updater.exe
3392	updater.exe
3392	updater.exe
3392	updater.exe
3392	updater.exe
3392	updater.exe
1728	updater.exe
1728	updater.exe
2572	chrome.exe
2572	chrome.exe
3936	chrome.exe
3936	chrome.exe
2896	updater.exe
2896	updater.exe
2896	updater.exe
2896	updater.exe
1548	updater.exe
1548	updater.exe
1548	updater.exe
1548	updater.exe
5996	updater.exe
5996	updater.exe
5996	updater.exe
5996	updater.exe
5996	updater.exe
5996	updater.exe
5996	updater.exe
5996	updater.exe
4060	squEFF3.tmp.exe
4060	squEFF3.tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sv.exe

pid process

3696 sv.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

2572 chrome.exe
2572 chrome.exe
2572 chrome.exe
2572 chrome.exe
2572 chrome.exe
2572 chrome.exe

pid	process
3696	sv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exepowershell.exesvhost.exefirefox.exesvhost.execphrlp.exesvhost.exe126.0.6478.127_chrome_installer.exechrome.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	3696	sv.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	3696	sv.exe
Token: SeDebugPrivilege	2724	svhost.exe
Token: SeDebugPrivilege	2680	firefox.exe
Token: SeDebugPrivilege	2680	firefox.exe
Token: SeDebugPrivilege	5260	svhost.exe
Token: 33	5872	cphrlp.exe
Token: SeIncBasePriorityPrivilege	5872	cphrlp.exe
Token: SeDebugPrivilege	6128	svhost.exe
Token: 33	3976	126.0.6478.127_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	3976	126.0.6478.127_chrome_installer.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeDebugPrivilege	5464	svhost.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe
Token: SeShutdownPrivilege	2572	chrome.exe
Token: SeCreatePagefilePrivilege	2572	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

firefox.exechrome.exesquEFF3.tmp.exe

pid	process
2680	firefox.exe
2680	firefox.exe
2680	firefox.exe
2680	firefox.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
4060	squEFF3.tmp.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

firefox.exechrome.exe

pid	process
2680	firefox.exe
2680	firefox.exe
2680	firefox.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe
2572	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exeosu!.exe

pid process

2680 firefox.exe
368 osu!.exe
368 osu!.exe
368 osu!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sv.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3696 wrote to memory of 2188	3696	sv.exe	powershell.exe
PID 3696 wrote to memory of 2188	3696	sv.exe	powershell.exe
PID 3696 wrote to memory of 4916	3696	sv.exe	powershell.exe
PID 3696 wrote to memory of 4916	3696	sv.exe	powershell.exe
PID 3696 wrote to memory of 1688	3696	sv.exe	powershell.exe
PID 3696 wrote to memory of 1688	3696	sv.exe	powershell.exe
PID 3696 wrote to memory of 4592	3696	sv.exe	powershell.exe
PID 3696 wrote to memory of 4592	3696	sv.exe	powershell.exe
PID 3696 wrote to memory of 3428	3696	sv.exe	schtasks.exe
PID 3696 wrote to memory of 3428	3696	sv.exe	schtasks.exe
PID 3852 wrote to memory of 2680	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 2680	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 2680	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 2680	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 2680	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 2680	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 2680	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 2680	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 2680	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 2680	3852	firefox.exe	firefox.exe
PID 3852 wrote to memory of 2680	3852	firefox.exe	firefox.exe
PID 2680 wrote to memory of 1468	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 1468	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe
PID 2680 wrote to memory of 3096	2680	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Users\Admin\AppData\Local\Temp\cphrlp.exe
"C:\Users\Admin\AppData\Local\Temp\cphrlp.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5872

C:\Program Files (x86)\Google5872_640399510\bin\updater.exe
"C:\Program Files (x86)\Google5872_640399510\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={1E5E5C4F-2824-A1A8-B948-33835CA392B5}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Program Files (x86)\Google5872_640399510\bin\updater.exe
"C:\Program Files (x86)\Google5872_640399510\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x672604,0x672610,0x67261c
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa02651c70,0x7ffa02651c7c,0x7ffa02651c88
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=1948 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2192,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:3
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2320,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2892,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=3060 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2900,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=3352 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3200,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:2
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4564,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=4592 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:6004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4900,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=4924 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5140,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=5172 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4876,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=5160 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4300,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=5468,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=5364 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=4140,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5360,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5264,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5956,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=5364 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5752,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:2
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=4652,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=4644 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5364,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5644,i,10270952339445306231,508843890913811047,262144 --variations-seed-version --mojo-platform-channel-handle=5872 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3936

C:\Users\Admin\AppData\Local\Temp\zyqnhc.exe
"C:\Users\Admin\AppData\Local\Temp\zyqnhc.exe"
2⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\squEFF3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\squEFF3.tmp.exe" --setup "C:\Users\Admin\AppData\Local\Temp\squEFF4.tmp.nupkg"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4060

C:\Users\Admin\AppData\Local\osulazer\app-2024.521.2\osu!.exe
"C:\Users\Admin\AppData\Local\osulazer\app-2024.521.2\osu!.exe" --squirrel-install 2024.521.2
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1344

C:\Users\Admin\AppData\Local\osulazer\app-2024.521.2\osu!.exe
"C:\Users\Admin\AppData\Local\osulazer\app-2024.521.2\osu!.exe" --squirrel-firstrun
4⤵
- Checks computer location settings
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\dhzcar.html
2⤵
PID:5576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:3556

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Desktop\DismountPing.reg"
1⤵
- Runs .reg file with regedit
PID:4280

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.0.846836284\1161656760" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5626b26b-5146-4e47-b47c-2b0014c2e7b5} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 2000 22446a0ab58 gpu
3⤵
PID:1468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.1.639697251\1885026882" -parentBuildID 20221007134813 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1da3d59f-2c7a-44c0-8fdf-51b8d4148069} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 2380 22446a0de58 socket
3⤵
- Checks processor information in registry
PID:3096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.2.1836870028\1364456219" -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3104 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3ac487b-b629-49ab-8e07-d3c97f568725} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 3288 2244abb8c58 tab
3⤵
PID:4852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.3.1786845047\2019604623" -childID 2 -isForBrowser -prefsHandle 2416 -prefMapHandle 1316 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5712758b-94d1-4fa6-a059-5965bbe63e79} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 1020 2243a363858 tab
3⤵
PID:4220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.4.740881572\1798915385" -childID 3 -isForBrowser -prefsHandle 3840 -prefMapHandle 3836 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a85bccf-9cae-4785-ac26-d043acd6874d} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 3852 224490dd058 tab
3⤵
PID:4676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.5.1173584558\389772335" -childID 4 -isForBrowser -prefsHandle 4980 -prefMapHandle 4984 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87802d62-0bdd-47ba-9a79-c04e60ad8c5c} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 4948 224493bee58 tab
3⤵
PID:5400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.6.788447102\1550414826" -childID 5 -isForBrowser -prefsHandle 4888 -prefMapHandle 4968 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {364d9a23-421f-4e59-88d5-74eb3cfdc6b7} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 4976 2244cf25858 tab
3⤵
PID:5424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.7.1512551256\73159359" -childID 6 -isForBrowser -prefsHandle 5316 -prefMapHandle 4948 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6ab0b1b-5467-46e7-a53e-dd52371c52d4} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 5220 2244cf27c58 tab
3⤵
PID:5516

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5260

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5852

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x1312604,0x1312610,0x131261c
2⤵
- Executes dropped EXE
PID:5908

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3392

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x280,0x284,0x288,0x25c,0x28c,0x1312604,0x1312610,0x131261c
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1088

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\126.0.6478.127_chrome_installer.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\126.0.6478.127_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\9cb5eed9-d087-426a-aaf5-ec424f6916fd.tmp"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\CR_D0107.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\CR_D0107.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\CR_D0107.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\9cb5eed9-d087-426a-aaf5-ec424f6916fd.tmp"
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
PID:3432

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\CR_D0107.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\CR_D0107.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6092946a8,0x7ff6092946b4,0x7ff6092946c0
4⤵
- Executes dropped EXE
PID:2356

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\CR_D0107.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\CR_D0107.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5756

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\CR_D0107.tmp\setup.exe
"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\CR_D0107.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6092946a8,0x7ff6092946b4,0x7ff6092946c0
5⤵
- Executes dropped EXE
PID:5124

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6128

C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\126.0.6478.127\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2604

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:5280

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1412

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5072

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3184 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:2144

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --wake --system
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x1312604,0x1312610,0x131261c
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5856

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x1312604,0x1312610,0x131261c
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5340

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:5996

C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x1312604,0x1312610,0x131261c
2⤵
- Executes dropped EXE
PID:3460

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5984

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5076

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3840

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5728

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5268

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3628

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3792

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5196

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5900

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5076

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5736

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4520

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4896

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4148

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4284

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4944

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
PID:5600

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x41c
1⤵
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=3712 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1
1⤵
PID:13528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google5872_640399510\bin\updater.exe
Filesize
4.4MB

MD5
512a822caed80f9fa3f0dfce20d4faa1

SHA1
16f470de73681ce7ec9b3251ac081879fb37798c

SHA256
8de9266347276d18fe49f84b86f09e6035df2c10e39f22d85bf33d43cf0f5f2c

SHA512
9fc3d74dddd28b325fe3b803c1217d7374b61ae6d7eecb46aa2dafb643b7a45387caba015421da524cc0416c9b3bdbb3d871120c1275e421f86e9d80a3781802

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad\settings.dat
Filesize
40B

MD5
e63b75e9711ba9f9ed2fc478c250f66f

SHA1
d4f32a7ea3a5988f555c159d1affa22b7bb144e7

SHA256
b273f89dd79a9a143003560ea80c8bef2863781ac4ce7f0f909b1e5ca4afab52

SHA512
a2bffbf8555bcf295fce0afdc944b3a6061d0f0f0e657d064aba6a26f12337148d5529afd84ce8c5fa0eb40833af40f5ace6ca14f1c9f117850ac72a8761930c

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
492B

MD5
b22731894884f58f821716a9a4933617

SHA1
8dff465f8f7d68f4ef6964e57332627762374810

SHA256
c83c40a5789dc85606f06020e66376b46b499739ad09b83e56dda67cab912aba

SHA512
a3c2757dfd946a29f95ce3fe19de2e4af94f7a8bd9b5d925c393706822e455c78e83314a6a1ca925018fd805af515d32769a6f867945b0f10ab91a93a408a7b4

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
49B

MD5
a640ca2e70d5d86ee61c65b5fa0a5de3

SHA1
932854c7284e88d764a5f455c2559430282630e3

SHA256
143f8c59a52692d27d38a2da2d510f37237faeee74850381917768adee0975e6

SHA512
855f3de6bda41d5a015922c4127947bd9ad51b2b137ccdbef5232b2f373c24b7c99f0806466c1cbd49387a4d6984f10f71e69dc7ab9a9274e4ec1d376758cdf2

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
744B

MD5
3c3bc63e51f5bbe34ea45828ade220ea

SHA1
dc3bd0303c4796c506972b148e74856ff162c292

SHA256
1401430b936889889bde32313d36dfb8d4db83580b083d9044658aae4553b433

SHA512
0c0f3467c811177ed34bef294a15cfa1305e4380bdfef9af033259b3bdbc18ef790b6d739f75e4d0da0b4432851dd0adfbdf1eed900cbc8a613d361cdfded44f

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
654B

MD5
705f45ec33a9756bc8970566f7c38fd6

SHA1
28fa8730edeff8cf845722a25967357e8e9ac483

SHA256
e7daed2133bea727f4d9acafc197a45f3b25b5a8bca14c56492a2599a9f0dd3c

SHA512
b5b25f42a222966e6f4d560582c8a824896413552d88c28223496947fa7434bded6e639a253e609c0e5e92354624c844742c4474bb3fda436b9556426eb1755a

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
1KB

MD5
501a35f3e229f9548c12b2cdc13574a5

SHA1
533ff402dd69e437d0a704e7c61e731fc0f9df16

SHA256
99d50a40a13d1c9d2d551801684e5f306ca4d13e028d2500b5daeeb11c63bba3

SHA512
b2d469965b0e5a559c4d7245fd146638ca2fbe5c25a2ac7b55237b6ebe1b39270af940e0bc4267514e2da945aa413c87e9c4a579fd70cafc95931089d9b410a1

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
592B

MD5
fe2b17949bab057311f0d81d6a5c6419

SHA1
e8a8020e9ff813a9c2b823fd890e585d22bfec00

SHA256
7ac3e2526855ed69a54af0cb61a361dce6aed8deae764f34923485fb6c03ba3b

SHA512
e6b54d6c0fcba03ee6fb3ddf57f1e2945fb2b0345c4bbc23cc900dffc542ec407a92b1a6f80972a5a036fa7a4c4bb83e22a7926426c46545fbd582a294c27ea6

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json
Filesize
354B

MD5
2284e51f10d336086e1fd4147567d52d

SHA1
62a1e694dce8ceca5b6ebbcc35298ef2f1cfebfd

SHA256
781ff17406014aa6def5974c7bb33a97c1e504146dabb610c5d390d7ea416a4b

SHA512
480f6974b0f88b0b794b32693edc7613d21098a57195ec559813368b2be24923eb4d62c5272c03cd8a5c2300d4ec62abe8995a230f5663b6127ec760e0d163d0

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
421B

MD5
35e4ba4a0e9308cbf904989e64d12cf2

SHA1
c2d5f2b3bf326a23292cd895d0cb4fa72aeb3b28

SHA256
43518e3f4721c2967c997f340a62ecebca99fd69d6cb809cb17e6a894e8a0423

SHA512
ec2edf891d8ff73c3373978bf210c1423b013fe51b9ec9bf150a5aba242d8a108ca13f0e4dbfb36e7457c2e16380a9e65ba558715deed423a5767a974a48914a

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
2KB

MD5
55bfc44b2da793207e6afcf47d37e1dd

SHA1
a558828c58e4515ae1d5a46dbe48f0f0232e29a4

SHA256
1a7af4a159a159048debcd80a0a66d57d4b96f30c79c5f2ac4d150d57b2a9769

SHA512
5ea3b0eac525090dbabfb00fbe8f736c7d173c7847a593a8bf28a6d28cf975e5835fe5179d164c8d0d1cf5917b195b9b3dbb1be3ad275a2fa01e65d3ce4b6ae7

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
4KB

MD5
0e35e6ffbaa78c2693beadeedca8262f

SHA1
f234c23e9851002c4cab7409f19749ec0cd1c73c

SHA256
6961b7960f5808145d379aa267fb12323aedac365b253f53a4efdadb0ed204b8

SHA512
4eb081351522c18772bdd74e3e8d41c4b258f803fca63252725008b7c766fa6615674e7dd214b5ca93419b3ccccba177dc099d38375d95f444d31f8e755befaa

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
5KB

MD5
7259f2375ceaf66b3447f688e490401e

SHA1
7a3ae9738edfffb8bd7a07b4a94fd0de717be402

SHA256
5854fc530678d2779935d89d27f6f1e59abf5b4cb4f66699c11d22d16c82c68b

SHA512
5d18cf5df66428e923a74f3e0d8ec41fe1457fd06c1db2581f514d6199a34e309dd645618f49ba0293735a0f2ef5e6a42c3e444253389cfc6b57dd27621780ff

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
9KB

MD5
5ea743baeea78908ceaed52a8e3ab89e

SHA1
a29793d422a68e10b407ae45dbf7b422bab3cffd

SHA256
238fd86714d39877f7b1852d49c444614e3b3c75e0dd0408a407e434ce5fb538

SHA512
6a90210430a26dd8adbf95667ef00ba5ff1c5b5b3bda53d131b86e70c815dbd4c2fd0c6d0dce91e9bbb5700609be08a5467bec8671dfb15b086c238bd50d416d

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log
Filesize
9KB

MD5
2cbffa317f60471a24c1130f900b1f6a

SHA1
7cc2715cc5b1b25fde189fa58491871b114e19e7

SHA256
4ee47c72f59ed0d93cbe5053883e85f8337070f11fd443e3a3924bb39ec649de

SHA512
d8958670921ec4f759b502f21f6ad2df1a015d1b7a0e16d3d7eee720a47bddaf76d13d647620c9a0663620985ca45b4c5f652bc4059f734724b53cf2ca6c2c81

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\9cb5eed9-d087-426a-aaf5-ec424f6916fd.tmp
Filesize
652KB

MD5
44c7f06f320e8068a00af6f8930c0511

SHA1
e68c5ff16e0c28a2ec146198b96bfad291743c4b

SHA256
c0dd8ff1c80385821da0fe5102b40420ebe4b476b5832382553dbb6d51ae33c9

SHA512
82343ada963b593fce6718b9d460bfc7d359be629de1b8cf38dc638ba30495d0b5d271d658a9125fe674fe5b3375767e88ce7d8ae6f23d34f89e342d796aa644

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3392_76082282\CR_D0107.tmp\setup.exe
Filesize
4.1MB

MD5
0849095a80f74794bcac8b3561fc4a58

SHA1
5b27f31892bb7b04c62d3b1f612a45415a3bc32e

SHA256
27dbc6e6ac8630b50fc5473e9a7f341c7d759806f762aa522698ec10bf2f2e62

SHA512
1f52e20fc2812af55e00b7aea59b00af262ea87bc7b652504a3be9b26e500fffeffbed52dc21132b22645f46f2a59f546485e9089e7cfb5f0154041918f52e5c

Download Submit
C:\Program Files\Crashpad\settings.dat
Filesize
40B

MD5
23852caf56a6058c43fc6bb787051f7d

SHA1
e49a4912d991844d9477ec790d37b5fe1d13d4dc

SHA256
a502b2db2309f59f457bc6e9cf3513ec5f2a13de4eb564723897c1a49549ac9f

SHA512
f23c0be50d5fec241cd3b666715638e04579999f8d3522e497177b753ac9da8a1a33fd40ccd7a6ca7c33772d5dc3e23c67d6098793e376bcda2365df7e23ef97

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\chrome_elf.dll
Filesize
1.2MB

MD5
576f4379df97be0689013c7de1ae64b0

SHA1
6751967e285bb8008c5a582dc87f1e3c132bee15

SHA256
114b6fb306bbc3e5f0a903c7bd2c3ccf01a6df1ef12a31f418a478ccc7b5ebdc

SHA512
e70a1698880f654d0ca2d63ab74ed01c4f4d6e7b3979c726d9e9b11b4d93622967a494f91bf014ad6def451c38815b5ca9dabb7db8613a3174e25a0c64a78c4b

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\d3dcompiler_47.dll
Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\libEGL.dll
Filesize
471KB

MD5
cdced1a4260cdc41d3e9be5cc6aec522

SHA1
822ae5e7d93e5c62a880fe4dd9672a8b7ce73897

SHA256
c37efa9208dc887d45a0afe04158f309ad71bd3e7d325715ace3c792a5079942

SHA512
feda57975b129af62198498b01f971f8096ff341c396890253059a2e6218a4f47d39d77f8d3ce0b92bba26366fbcf33e45666747619b970e8ee0137b8a08b1bc

Download Submit
C:\Program Files\Google\Chrome\Application\126.0.6478.127\libGLESv2.dll
Filesize
7.7MB

MD5
b01b66222632a03ee1d229205c509fc1

SHA1
0446bb4057138da8f0610eaf85e1df5cd8055107

SHA256
392baff224b58a9f448a726556422cf374e0ff3a28f480692c5e54e4f7fb4e58

SHA512
fb6b5190c3107de3f070461aee8c697611940eb82777a466565a7b311b7ec6634d285c1281727166b5b21ad85ba5af6b826ff32d104e300a2e0c0c8ec581dc26

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe
Filesize
2.7MB

MD5
d09b0bceaaccb0b4c2fc6b95b9a5241a

SHA1
5ada2eddc6954dfc50aff07276909866418ce799

SHA256
13e2a3b4ddff74975fd41b9a1d4ed57de5ec67c0f377791dbbba5c8402690eb8

SHA512
aec811b8ae222d21108fff90c501278cfccc1d76f4b01469339f08f09514ff31d508e2abec7ed3c53e196f34ab73544be969e5e284a220e0206d680d8e602ba7

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2572_1253763127\manifest.json
Filesize
95B

MD5
eda3c8ce26b6523d54a95c1bfee9709c

SHA1
571c29d648c06db970988df6bfe4cee7e4516269

SHA256
8aa1d575340e58926a4adc97398e6ee6705e9df99ec3ebb9895fb0c19a39ecc6

SHA512
8f2e46a3f98f9f7ffe9ad8a4f9f2ceef2c53547c44d2f22482f83a610099e68415b152843f59b2ceb5ae3eaaa849bdb629305a0dd79129408a1ff88471102e21

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2572_215479060\manifest.json
Filesize
114B

MD5
4c30f6704085b87b66dce75a22809259

SHA1
8953ee0f49416c23caa82cdd0acdacc750d1d713

SHA256
0152e17e94788e5c3ff124f2906d1d95dc6f8b894cc27ec114b0e73bf6da54f9

SHA512
51e2101bcad1cb1820c98b93a0fb860e4c46172ca2f4e6627520eb066692b3957c0d979894e6e0190877b8ae3c97cb041782bf5d8d0bb0bf2814d8c9bb7c37f3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
Filesize
2KB

MD5
da3072c30e8af801b0379f4bd0235950

SHA1
9fe9e1061ce19cd9bad04f39914fa0335fdb9747

SHA256
059317209460fbf2cbfa529a10294f1bfd26d55d3703a49d0241fa866bfa9ffc

SHA512
b1091ef52d782d92776c1a785cc79473cff912e6920582a55ac8e44c6e48617ff54a6dd32c953fce80474ecf650340aa5e7e312e508f7238dfc478f52d94eb45

Download Submit
C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CertificateRevocation\8895\crl-set
Filesize
21KB

MD5
b440b955c67a2eb7ceb6359d3c68a853

SHA1
a1bc6b4e2c35db9262bcd365ebf0aeba1830de08

SHA256
e0b171a1193a9e9efcfb4fa098405548d595d369a52a3050c167bd877e42b67c

SHA512
6bc5f402132a976234a90199f2a68ba9de1a08c734ed409ff924bbc51d9dc55c998bb3b81ea4376f58ea993ddbc4e657d46cb80bc1c5a1ad86e893e25f089755

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
5f1bb2fece215ad05d827f2748ff0eb7

SHA1
e415691c2454d1f1349efe6f53267c6b7cf2d26e

SHA256
bf3b7da5870a8c3e6688239d2601fa17996a165781d33a27d2fc36325c08bde9

SHA512
4a3c85d6022f9baa7ec6ee4bf7ecfbce7a188a9264be197a5c2abee6bb530f31d33b968f5e4e6cfb8accb65d524e1dedf93de5756de1d48dc4f47e5d7054c174

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en\messages.json
Filesize
593B

MD5
91f5bc87fd478a007ec68c4e8adf11ac

SHA1
d07dd49e4ef3b36dad7d038b7e999ae850c5bef6

SHA256
92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9

SHA512
fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
2ede2c52efb811a9d106f580d57314ed

SHA1
e8f11ff5e24360193a3e54313f68212175852b54

SHA256
c4ac5e7e60609f6976a38e0e258cc9c61b9db1385423c59f63fb66c050eab559

SHA512
86a8d47b2e1e17e37e50b5422282a4f78070df961314eb1f002d7652df70bf57b66f45bcee78d227c6c1aea0caea0812a9658fd3bab0e9c6cd0cf1a539268b43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d3e7bed2c1b58ac1df3db1d07928bcef

SHA1
06ac7c2f935dec0c61491edb81db12d2f465f581

SHA256
d4cccc21bb35cb40f6d4e5ef06a6b912780840edb3d726ce18b67f7243094cac

SHA512
8cfcc7145bfe9c8b7d817918967db48da2a5e6c95ec5cba744417489e51136247cebad536aec710f6de5544b0a1c85cbb46fbbb6dd1373750f1e4d94bf8eec77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
881e684c21fa8eafb27c61ffbd065269

SHA1
ab629597092e99f80cd00f71e6ef45ae71192689

SHA256
6d2f8e228276e728496a17ea5966acf098734c5c9a9f610c169be3a064df2a1d

SHA512
c42d4fbf39e283e9d6b372bbd8c77e3f7cfd890f15e002af1a2f9c0f3fa17097b4ee8ed482def2ae31ba64f3ca9dbda2d7654dd82086e800ce98266d642c885b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
037de06ffd50c629060a52ea1e9c8919

SHA1
acd78f5f504c0ac22f387ba65f600c196e16dbd4

SHA256
5a75f65d468ce046e0a62d8ca2377ab26a784e4659500cf6f8e5ba9413a703c3

SHA512
930d7a453ded17d2083adea8a7137c8b53c7498d3596a1064a45165a730ee5255ca9159e5b5f21d6cb7647334a8b8925ecb5e9e7bcd02cdb0876948d3ac4c89c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
27013b6967384bab9b572d824e7396ab

SHA1
7404696d46e63c19d3c371e509d44808c5dc9e36

SHA256
987c3258a4ffcb801a6dd952043cf4c8a7dec0310afe0451fcb07bc80e307c18

SHA512
da534a981f27bb5578400e952c771d5b17fc8a669fde24402663e2dc0f44c9e7c1ae9a2d65db29baea23a8116236973850daf3c485f1cf69918c7d9ba35e7cc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
8097ce8fb1d7e92c106d0750d21b8032

SHA1
87016f343f42740f432f0546686dfd31765749a5

SHA256
d748a656c1c3b3380594abfc96407e1de7994740c30b4689c50b98bb02b214ae

SHA512
c5d4e6a31f86d15f76e831eb0bc62bd2260ec94de277f9db99a7e8e05fc39c155a8dccd1913a435fa7ed730faaa2e2e8ddcad21e214de2de6d06a560f2b980bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
10KB

MD5
89b6a99a1e370bcafae9a1164a2bd518

SHA1
48e6481f571f4ef65fee8a667403eb9500f3ab47

SHA256
c084c06cfbfb876dbcf55fae2d13b3348482fb7048bacace752ae144bfbd45f4

SHA512
b6d1aa5818eb6473780f90cc60d0458fa19284a2bcb0bab8b73d4702e26d441477f10ea38ece4d64ce7ef3429feee5af6f3b416f57416d6810493ec42ca73c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
5329c017b292eeb185898c6fe9f22f97

SHA1
d1cd81052b90a14de8e4a683aed29d64dba5a334

SHA256
1050a0f7ab401104b8d4865bf0f70dfb74e648140a56aab90b439b3a156634d9

SHA512
b628c314de4ad4fe8fffb33f25f8aa0689b82a80614e7098a94b16be039f8d436b36de8d0aeeaf8cc035ed0c2b05b89e7b1f8177cbcb75f0f84684241ef95eeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
26834fba1ab975d5418ed74cdf8a0d94

SHA1
7d5478cded82f23d4ce9cd6758c49bdd0761a48b

SHA256
4dcea3667caf4097ab91590892af29dc3aefb0321b46f73d97117d6b0bffa2d8

SHA512
f90de38783fad35e5fd4bab6aafa43477237451dd5dd8b0851a5c9c2c413b3c795a80ef4960ceba0f9527824d9063c41a039100fe43c4d5f00f2ffd1922c8b47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_1
Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
207KB

MD5
fb350b8d90440146d2f207ec4c94e9c1

SHA1
9e41d777596ccdc8c482d52805520840dd3d7fc6

SHA256
2c6b7a6aca8aab335bda60d7142c2b2aeca4f75ae06115664bd2b162a43fe29e

SHA512
10d6763b3c4bb63f8940e868e8b4dd7502aa53f6561eef496467240edf5294d5b2f5e3735024d3743bcab65b84d924e566f2de30e1be3126550ab24d9793a885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
ba3663c6c77b63d859457f4f41ad7a1c

SHA1
e80ca200c79afd396b06f1089b9d0634c6964f63

SHA256
1a6390fd9bf7f21cf020aaaf0e6ffd6e34062e1d11580f8150a0044d80318b7f

SHA512
7efeed93cbb8bd5053278e8708bc9822e09f59a96a77de4c89a6ae6a75917243b43918a4863137233896ce56d7e0925bab9a9440f5678ebb352cf37ba4c1c788

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
207KB

MD5
708ef29ba31c33d9f3ea2fae539ec8d8

SHA1
357f3c37e9ca6c8e3a6510fa4c7ac8f0627ad0e9

SHA256
029ac229438352a3d85dad6d2cefb303d6ce25dc4f0c5b583c37e112ab230fd0

SHA512
36840a0890a43b549ee9dfb555fbfae29d241634e88eaee351b8f6628695a8f6908603283eed6f7ba31ffff87a7a2b080a5c6bbf3338779ffa8456f8811e3eca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
210KB

MD5
9b1ee4b84bfb1986c4064714b1f227db

SHA1
a2c1acb9d78e5ecd125d2c78a8c843171a877009

SHA256
075d3c0c419b177d7a38ed78aa4a16dfb29b31329af00b78d2444ce9c723f50d

SHA512
784f71ca285350f9d6b3afec85845446994e584b69bbcce2aad5ca676300f2b72fb69ab22c03d5e4440c2704a1a446d5e41b6d7bb02288eb9a7bd3429f403884

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
210KB

MD5
c846ebf9a62d97b4091ffcece2eba1f5

SHA1
5ba14eb845352cbe4af70f943e9695f897db35f8

SHA256
f9dfedaf6cd322fe024ae929da269da68a0fc5b0688b24d0cd52125ccf1d0477

SHA512
18727a089954be5128691d26cb0abed76a028e0df279a8b3a3742910dd1b8a891e7837c08607324397474d570382aa37295426d2a366e4444727675b1fe5feaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.49.1\Filtering Rules
Filesize
68KB

MD5
6274a7426421914c19502cbe0fe28ca0

SHA1
e4d1c702ca1b5497a3abcdd9495a5d0758f19ffc

SHA256
ae2fd01d2908591e0f39343a5b4a78baa8e7d6cac9d78ba79c502fe0a15ce3ee

SHA512
bf1287f502013308cdd906f6e42998c422ef1e272b348e66122dc4a4e471d01333b418f48d1bb2198c72845bdc950612597e179e612aaa1ba6cf8d48fb8f0cf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c5ce46ef-6956-4ed7-b6db-77252b267276.tmp
Filesize
128KB

MD5
7aca1d45cf6365e712d6ddd604f51053

SHA1
ce6ca9fb9dcbbbd233908ac02ebea28224d82967

SHA256
6214e7955e6673d1a6125dbcd4925f20338a5ffddf8a71034a8abb514e426b1e

SHA512
65c63579bde5ac870fe01d19a8b631d9b748f341cec42327c0fafd4de02cbb74c5bdf7b8bfc530c1a56916f885fc27b183d332f7364c116a0fe49e9d81251c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
531f08ac3a06c5a3a09412a10fd95626

SHA1
ad756b5c27e710d81ece8a6d4fe865230cdc2bbf

SHA256
793902b936877a86b5d46d629a1c6d8c68ac8d42981788ddd4ede0f3381af6b0

SHA512
ac8c608fae29fa780400ac84e79b86c4a34ee7068f4f2c8056e4a2209a3ba62ae7716eaea2924e8412eab38ad003d59d4538d675019e50f15b3571e14c52fa73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
b6229ef27f9d0399d77fc4f05f168f5c

SHA1
b48d805587fd17278c6a93f9796afa11374e0a70

SHA256
71f61ccd863bdb3ff8918cf56a9a55f70fc468e1552db1b2bbf709c0fd8436a0

SHA512
a03983f132d1d2caaaf1545c2bbc10e35b159cb4ee42406d4e9f09f249591c7c9e574c481862e4d58746bafaadc054b5ed87d7e2c70d0c5eafeed8ab378d6550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5fa73171734cd4f8f2a24d7ad935dd1b

SHA1
970e3df6ab00381cb45b526089ec53817cf84a55

SHA256
adf4b0a50f4b435c330448af5ef177c09187f3384105d821154f71a1d3fa0be3

SHA512
fa5ec98a4ba9773f451f35fa38d18389268e1d7a3aa2a31c35600c125f6550b8625757cdbad6b9961cd6e071f53f0ced7170d609e33650798f5f175687269fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xlamf11k.nkr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cphrlp.exe
Filesize
8.0MB

MD5
780d9df36221ccd24716da39ee3e2708

SHA1
3a2e4f8bc401856f1870e9fd3a3977044db68729

SHA256
f765d1d4012f47223a47c5992da55066e81d76b0714eb347ca6a54c55f4e374c

SHA512
36b1df97a9b0a3ae9cae704f722537c877c6b8a091c513be66bd16645cdf9ab424912e6dac3ddfbbf9419a9d0acc17113dec88418b8134e641a87028e8e4d6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2572_636361450\5a1c0b85-e2c1-4443-9ce7-9749c2c9d8e1.tmp
Filesize
242KB

MD5
541f52e24fe1ef9f8e12377a6ccae0c0

SHA1
189898bb2dcae7d5a6057bc2d98b8b450afaebb6

SHA256
81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82

SHA512
d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2572_636361450\CRX_INSTALL\_locales\en\messages.json
Filesize
450B

MD5
dbedf86fa9afb3a23dbb126674f166d2

SHA1
5628affbcf6f897b9d7fd9c17deb9aa75036f1cc

SHA256
c0945dd5fdecab40c45361bec068d1996e6ae01196dce524266d740808f753fe

SHA512
931d7ba6da84d4bb073815540f35126f2f035a71bfe460f3ccaed25ad7c1b1792ab36cd7207b99fddf5eaf8872250b54a8958cf5827608f0640e8aafe11e0071

Download Submit
C:\Users\Admin\AppData\Local\osulazer\app-2024.521.2\Squirrel.exe
Filesize
12.1MB

MD5
19f260fd99cee82277338002e98b8729

SHA1
a2b688cde0c316fa40534aac2c34d53ea73de84b

SHA256
68376cde6708b39994c9d5d2d28097d4d6fb79f867f68298751ea3d3d854832d

SHA512
74d6e423e22f1f706fe72d0beab24eb4d0b87996746c0886234a572a6688c78919a2cc613594ee159723e06e9eaff3d0c78361542e7fa3acb7e4611f6c237c52

Download Submit
C:\Users\Admin\AppData\Local\osulazer\packages\RELEASES
Filesize
84B

MD5
5b88d4f2662a052f49658bba9194afd6

SHA1
48c7fa6746961416295be05834e91b6b7b154399

SHA256
f65eb383cc5a7b50eb4535dce25ca20f780fa1b451fb2aeaba79880e9464a317

SHA512
632ba5bc41db4e3e8cad1f60e4d8d2a528320e99fba8f0a64a8ac64c04503384c43971fcaff0ac6ec3eb8f4712dd19c7ec199422806f080c35c7e7fe1baad125

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
33d84974681035362b10f0fc4886c517

SHA1
4e868043e08e926f72f02f3947207aa17631f199

SHA256
737a39dbae79677997ae709b13d4bc09e685a478a8b67236185def397ed8205e

SHA512
83e4323a62b738acd8fb240ec8e9d31d8db0a831f8c2d4938317bae8922094404521f16db5b834284bb9a346609e2ec0131cd944bdeb16813e9398a91d97ece6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\d7d94d52-cf33-4e3f-900f-963270e32a71
Filesize
10KB

MD5
dbf310043e803182ceec744bcc6bc31a

SHA1
1e07d4aabb6d3de093165ed62fc77e0802f6d81d

SHA256
516bcbecb299de989a2c2a9728bef64ad462cb8c6ba4777c1c75d286774cf39f

SHA512
5de88d71228745f142725f83fb568131b0f8996512b3549b9b64c7b1f1b4bdd26d1c88ce6b219617722f968ed1b1c91fc003fefbaf9030eb1648e90cbcb68a0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\e3a6b819-68a2-4bcf-9143-10949959c82a
Filesize
746B

MD5
c537aaab14ebe3063e197d313b1a50b6

SHA1
76895118593d3f8ab8cf0f4133ca21128b881f72

SHA256
69c80c61ac02e473ff5c83a2a5aff5a7b9ddffaad24ccb339d917078c6460900

SHA512
a6c9a253024ec9b4454abb043e51efed43c315dc38e8572338ba3e4c6eb78a1c1e89185a8131460c58d0efc0f3c7ff5e15070920ff301ae2f3b445ba70bc418b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
Filesize
6KB

MD5
f796de89963af2b0550ea5f23cdc6722

SHA1
be152841907fd4237ceb853f706075e96c9fcaf0

SHA256
625bb5ed4c7b432e07bb79958ebf8a71568f03b912bf78fb55c9cd4dba6d800d

SHA512
08465ab30a01e226b9ac4ce78e86b871ca558d20d91ca242eb38f024257295f18ff15489fd3c35145a5f31138be8e28f752c689b3548a227e1694c2a4d341a1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
Filesize
6KB

MD5
b511e097c9edde87f31287af08dfda33

SHA1
c93c133e0a3274a634c67cdf0dc0b7743fb70767

SHA256
d0352aa16487c46538ad70efedcff2761d2d3c7d2afe082abd24dae404b13038

SHA512
4a1c00747137833b697cab9c9cc9b7c3fa3914a4a387e411eedea187f10e2aad7a6413c7bc1907a39f45aafda62bd734dd590ea1c440f03d6e6c636f6688310a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4
Filesize
985B

MD5
7727e71511187b88f2f5a0c461a55715

SHA1
85769c991167eacd7a4e1f8a69d866a1d2395596

SHA256
dfc702567bbd4fc35780a7d52f28212b52b42b4cedaa3c1433de532cfb5f6b94

SHA512
c0bae66f49244858f4c4e166285f10af5aefa908af431ca748e53f60324dd4dfb5be898615c43b29f1879041a6a4d3cb421fca0b69e1fc0ab777c2f4bc0f1f04

Download Submit
C:\Users\Admin\AppData\Roaming\osu\AuthNative.dll
Filesize
5.7MB

MD5
f8e5a5e057662043afab1882433270dd

SHA1
7b59c691bc49744cdb2a9350f0b06b646861b7e5

SHA256
b4608ecdda36ef14ccc894cbc148eb33585a23a77eda5aecdf3ef280c4676dda

SHA512
23e8d1c37cfa9da7a6a0343f1bcec327cb747cb087ea10ba090ca5e0a918fd00ab7ee7c54e752c011682e8d68840f093541d578763a8c05e45ab5253f83b208a

Download Submit
C:\Users\Admin\AppData\Roaming\osu\files\a\a1\a1556d0801b3a6b175dda32ef546f0ec812b400499f575c44fccbe9c67f9b1e5
Filesize
988B

MD5
27d9765612170a9517f0a5e8b4613f06

SHA1
660d4456ea71bdb48a9ef84cf65cd68d40d05a6e

SHA256
a1556d0801b3a6b175dda32ef546f0ec812b400499f575c44fccbe9c67f9b1e5

SHA512
eda5ae2dc0e123418f0e50a51ea651c10c82aa0620d89bbef47cad1c5ef336b43d19604a6281853cc2603dd0c25d445b0195780897f8606beb768132222fa41f

Download Submit
C:\Users\Admin\AppData\Roaming\osu\logs\1719833886.runtime.log
Filesize
5KB

MD5
b9b34e302c65b618ffedef89f2bc5602

SHA1
bf9b986e1fa2bc0ad24c0f1b91649556818dee3f

SHA256
3d28196198ab24cfba7c0bfcf11ce00444471a8408c745f52f84a44009b773bd

SHA512
86116d59406e1292950e0eb278999c62da82397d4650744b761d5cd76c539371bfac0d5845215f2d51511c552e70115f5d1e7319283ae32cafab06340615fc5e

Download Submit
C:\Windows\TEMP\chrome_installer.log
Filesize
22KB

MD5
6844084dbc0a1dd4ae92b6412b82886d

SHA1
578303064bde3b40adbe43f2e6c87e9fccbbe5ef

SHA256
8391a6cd9d23cbb7e61375013d817364896575cb6b9ae4ac79970d1c3c668364

SHA512
9182a273ba75c71aaf434e9212dabae36685b9f771ef842d3c96bdb3b092b201db3741c2ea3a0291c5a2e0dc305682adbfe6b507ef44608fb91f62d657922665

Download Submit
\??\pipe\crashpad_2572_XGBHBMYETZXAAVHX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/368-1508-0x00007FF9D81F0000-0x00007FF9D87A7000-memory.dmp

Filesize
5.7MB

Download
memory/2188-14-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/2188-11-0x000002549B010000-0x000002549B032000-memory.dmp

Filesize
136KB

Download
memory/2188-12-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/2188-13-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/2188-17-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/3696-1-0x00000000008D0000-0x00000000008E6000-memory.dmp

Filesize
88KB

Download
memory/3696-0-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp

Filesize
8KB

Download
memory/3696-57-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/3696-58-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/3696-29-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp

Filesize
8KB

Download