ChromeStandaloneSetup64.exe
This report is generated from a file or URL submitted to this webservice on August 25th 2022 01:51:51 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v9.3.2 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Accesses potentially sensitive information from local browsers
  - Found browser information locations related strings
  - Tries to steal browser sensitive information (file access)
- Persistence
  - Installs hooks/patches the running process
  - Modifies auto-execute functionality by setting/creating a value in the registry
  - Spawns a lot of processes
  - Writes data to a remote process
- Fingerprint
  - Queries kernel debugger information
  - Queries the display settings of system associated file extensions
  - Reads the active computer name
  - Reads the cryptographic machine GUID
  - Reads the windows installation date
  - Reads the windows installation language
- Evasive
  - Marks file for deletion
- Network Behavior
  - Contacts 11 hosts.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (7)

Installation/Persistence

Allocates virtual memory in a remote process
- details:
"setup.exe" allocated memory in "%WINDIR%\System32\uxtheme.dll"
"setup.exe" allocated memory in "%PROGRAMFILES%\Google\Chrome\Application\master_preferences"
"chrmstp.exe" allocated memory in "%WINDIR%\System32\uxtheme.dll"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055.012

Writes data to a remote process
- details:
"chrome_installer.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe" (Handle: 216)
"chrome_installer.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe" (Handle: 216)
"chrome_installer.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe" (Handle: 216)
"setup.exe" wrote 32 bytes to a remote process "C:\Program Files (x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe" (Handle: 384)
"setup.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe" (Handle: 384)
"setup.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe" (Handle: 384)
"setup.exe" wrote 32 bytes to a remote process "C:\Program Files (x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe" (Handle: 524)
"setup.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe" (Handle: 524)
"setup.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe" (Handle: 524)
"setup.exe" wrote 32 bytes to a remote process "C:\Program Files (x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe" (Handle: 376)
"setup.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe" (Handle: 376)
"setup.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe" (Handle: 376)
"chrmstp.exe" wrote 32 bytes to a remote process "C:\Program Files\Google\Chrome\Application\104.0.5112.102\Installer\chrmstp.exe" (Handle: 376)
"chrmstp.exe" wrote 52 bytes to a remote process "C:\Program Files\Google\Chrome\Application\104.0.5112.102\Installer\chrmstp.exe" (Handle: 376)
"chrmstp.exe" wrote 8 bytes to a remote process "C:\Program Files\Google\Chrome\Application\104.0.5112.102\Installer\chrmstp.exe" (Handle: 376)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055

Network Related

Contacts very many different hosts
- details: Contacted 11 (or more) hosts in at least 1 different countries
- source: Network Traffic
- relevance: 9/10

Spyware/Information Retrieval

Found browser information locations related strings
- details:
"--type=crashpad-handler "--user-data-dir=%LOCALAPPDATA%\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad" "--metrics-dir=%LOCALAPPDATA%\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0xa4,0xa8,0xac,0x78,0xb0,0x7fef36e6bb0,0x7fef36e6bc0,0x7fef36e6bd0" (Indicator: "google\chrome\user data") in Source: chrome.exe
"2022/08/25-01:57:40.630 c64 Creating DB %LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Storage\leveldb since it was missing.
2022/08/25-01:57:42.814 c64 Reusing MANIFEST C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb/MANIFEST-000001" (Indicator: "google\chrome\user data") in Source: LOG
"2022/08/25-01:57:40.630 c64 Creating DB C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb since it was missing." (Indicator: "google\chrome\user data") in Source: LOG
"2022/08/25-01:57:42.814 c64 Reusing MANIFEST C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb/MANIFEST-000001" (Indicator: "google\chrome\user data") in Source: LOG
"2022/08/25-01:57:42.134 984 Creating DB C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Session Storage since it was missing." (Indicator: "google\chrome\user data") in Source: LOG
- source: File/Memory
- relevance: 5/10
- ATT&CK ID: T1005

Tries to steal browser sensitive information (file access)
- details:
"setup.exe" trying to touch file "%LOCALAPPDATA%\Google\Chrome\User Data\WIDEVINECDM"
"setup.exe" trying to touch file "%LOCALAPPDATA%\Google\Chrome\User Data\MEIPRELOAD"
"setup.exe" trying to touch file "%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad"
"setup.exe" trying to touch file "%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports"
"setup.exe" trying to touch file "%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\attachments"
"setup.exe" trying to touch file "%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\settings.dat"
"setup.exe" trying to touch file "%LOCALAPPDATA%\Google\Chrome\User Data\Default\WEB APPLICATIONS\TEMP"
"setup.exe" trying to touch file "%LOCALAPPDATA%\Google\Chrome\User Data\Default\EXTENSIONS\TEMP"
"setup.exe" trying to touch file "%LOCALAPPDATA%\Google\Chrome\User Data\Default\EXTENSIONS"
"setup.exe" trying to touch file "%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\metadata"
"chrome.exe" trying to touch file "%LOCALAPPDATA%\Google\Chrome\User Data\Variations"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\SAFE BROWSING\URLCSDDOWNLOADWHITELIST.STORE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\SAFE BROWSING\URLCSDWHITELIST.STORE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\07829481-e2fc-4cc1-8283-d508a1cfa894.tmp"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\LOCAL STATE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\EXTENSION SCRIPTS__TMP_FOR_REBUILD"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\EXTENSION SCRIPTS"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOG"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\CODE CACHE\WASM"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\CODE CACHE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\INDEX"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\SAFE BROWSING"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOCK"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\CURRENT"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Safe Browsing\IPMALWARE.STORE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Safe Browsing\URLSOCENG.STORE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Safe Browsing\URLMALWARE.STORE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Safe Browsing\URLUWS.STORE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Safe Browsing\URLMALBIN.STORE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Safe Browsing\CHROMEEXTMALWARE.STORE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Safe Browsing\CHROMEURLCLIENTINCIDENT.STORE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Safe Browsing\URLBILLING.STORE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Safe Browsing\URLCSDDOWNLOADALLOWLIST.STORE"
"chrome.exe" trying to touch file "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Safe Browsing\URLCSDALLOWLIST.STORE"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1005

Unusual Characteristics

Spawns a lot of processes
- details:
Spawned process "ChromeStandaloneSetup64.exe"
Spawned process "GoogleUpdate.exe" with commandline "/installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={A43FBFAB-3F24-33C6-D5F0-EDBDD01AF967}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty""
Spawned process "GoogleUpdate.exe" with commandline "/regsvc"
Spawned process "GoogleUpdate.exe" with commandline "/regserver"
Spawned process "GoogleUpdateComRegisterShell64.exe"
Spawned process "GoogleUpdateComRegisterShell64.exe"
Spawned process "GoogleUpdateComRegisterShell64.exe"
Spawned process "GoogleUpdate.exe" with commandline "/ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RkY0MTVDNzItRTNDMi00QjJFLTk0OUUtNjVEQzBEMTUxOEE3fSIgdXNlcmlkPSJ7Qjc4MzU5M0QtRkFFNC00RjRELThEQzgtMTQzNzZERTAyNUU0fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0Q1NzY0NTRGLUI4OTMtNEYzRC04RDBCLTdGNkVCNzg3NTIzQX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMCIgc3A9IlNlcnZpY2UgUGFjayAxIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjEzMSIgbGFuZz0iZW4iIGJyYW5kPSIiIGNsaWVudD0iIiBpaWQ9IntBNDNGQkZBQi0zRjI0LTMzQzYtRDVGMC1FREJERDAxQUY5Njd9Ij48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBpbnN0YWxsX3RpbWVfbXM9IjYxNzIiLz48L2FwcD48L3JlcXVlc3Q-"
Spawned process "GoogleUpdate.exe" with commandline "/handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={A43FBFAB-3F24-33C6-D5F0-EDBDD01AF967}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource offline /sessionid "{FF415C72-E3C2-4B2E-949E-65DC0D1518A7}" /offlinedir "{86394862-E944-4C47-A998-98329608FD27}""
Spawned process "GoogleUpdate.exe" with commandline "/svc"
Spawned process "chrome_installer.exe" with commandline "--do-not-launch-chrome --system-level /installerdata="%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\gui9DA9.tmp""
Spawned process "setup.exe" with commandline "--install-archive="%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\CHROME.PACKED.7Z" --do-not-launch-chrome --system-level /installerdata="%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\gui9DA9.tmp""
Spawned process "setup.exe" with commandline "--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x16c,0x170,0x174,0x140,0x178,0x13fb546c8,0x13fb546d8,0x13fb546e8"
Spawned process "setup.exe" with commandline "--system-level --verbose-logging --installerdata="%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\gui9DA9.tmp" --create-shortcuts=0 --install-level=1"
Spawned process "setup.exe" with commandline "--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x164,0x168,0x16c,0x138,0x170,0x13fb546c8,0x13fb546d8,0x13fb546e8"
Spawned process "GoogleCrashHandler.exe"
Spawned process "GoogleCrashHandler64.exe"
Spawned process "GoogleUpdate.exe" with commandline "/ping …-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NjA5IiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMTYiIHRvdGFsPSI4OTUzMDQxNiIgaW5zdGFsbF90aW1lX21zPSIxMzkyNjYiLz48L2FwcD48L3JlcXVlc3Q-"
Spawned process "GoogleUpdate.exe" with commandline "/ondemand"
Spawned process "chrmstp.exe" with commandline "--configure-user-settings --verbose-logging --system-level --force-configure-user-settings"
Spawned process "chrmstp.exe" with commandline "--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x1402c46c8,0x1402c46d8,0x1402c46e8"
Spawned process "chrmstp.exe" with commandline "--system-level --verbose-logging --installerdata="%PROGRAMFILES%\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0"
Spawned process "chrmstp.exe" with commandline "--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x164,0x168,0x16c,0x138,0x170,0x1402c46c8,0x1402c46d8,0x1402c46e8"
Spawned process "GoogleUpdate.exe" with commandline "/ua /installsource scheduler"
- source: Monitored Target
- relevance: 8/10

Hiding 1 Malicious Indicator (not shown in this public report)

Suspicious Indicators (32)

Anti-Detection/Stealthyness

Queries kernel debugger information
- details:
"setup.exe" at 00000000-00003124-00000033-25597133
"setup.exe" at 00000000-00003904-00000033-5349342
"chrmstp.exe" at 00000000-00003588-00000033-183269
- source: API Call
- relevance: 6/10

Environment Awareness

Reads the cryptographic machine GUID
- details:
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1082

Reads the windows installation date
- details:
"setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "INSTALLDATE")
"chrmstp.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "INSTALLDATE")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

General

Reads configuration files
- details:
"setup.exe" read file "C:\Program Files\desktop.ini"
"setup.exe" read file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\desktop.ini"
"setup.exe" read file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini"
"setup.exe" read file "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\desktop.ini"
"setup.exe" read file "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Drops executable files
- details:
"chrome_proxy.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows" - Location: [%PROGRAMFILES%\Google\Chrome\Temp\source3124_235476766\Chrome-bin\chrome_proxy.exe] - [targetUID: 00000000-00003124]
"setup.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows" - Location: [%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe] - [targetUID: 00000000-00000644]
"chrmstp.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows" - Location: [%PROGRAMFILES%\Google\Chrome\Application\104.0.5112.102\Installer\chrmstp.exe] - [targetUID: 00000000-00003700]
"chrome.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows" - Location: [%PROGRAMFILES%\Google\Chrome\Application\chrome.exe] - [targetUID: 00000000-00003904]
- source: Binary File
- relevance: 10/10

Modifies auto-execute functionality by setting/creating a value in the registry
- details:
"GoogleUpdate.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE"; Key: "DISABLEEXCEPTIONCHAINVALIDATION"; Value: "00000000")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1547.001

Writes a PE file header to disc
- details:
"ChromeStandaloneSetup64.exe" wrote 37560 bytes starting with PE header signature to file "%PROGRAMFILES%\(x86)\Google\Temp\GUM16C6.tmp\GoogleUpdate.exe": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000000100000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 49336 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleUpdateBroker.exe": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000100100000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 49336 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleUpdateOnDemand.exe": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000100100000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 61112 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleUpdateComRegisterShell64.exe": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000000100000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 30904 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleUpdateCore.exe": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000080100000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 49848 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_am.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 48824 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_ar.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 51896 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_bg.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 51896 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_bn.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 51896 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_ca.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 50872 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_cs.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 50872 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_da.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 52920 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_de.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 52408 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_el.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 50360 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_en.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 49848 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_en-GB.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 52920 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_es.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 51384 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_es-419.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 50360 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_et.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"ChromeStandaloneSetup64.exe" wrote 49848 bytes starting with PE header signature to file "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_fa.dll": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
- source: API Call
- relevance: 10/10

Network Related

Found potential IP address in binary/memory
- details:
Potential IPs: "1.3.36.131"
Potential IP "1.3.36.13" found in string "<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" updaterversion="1.3.36.131" shell_version="1.3.36.13"
Potential IP "1.3.36.131" found in string "%PROGRAMFILES%\(x86)\Google\Update\1.3.36.131\psmachine.dll"
Potential IP "1.3.36.131" found in string "@%PROGRAMFILES%\(x86)\Google\Update\1.3.36.131\goopdate.dll
-1004"
Potential IP "1.3.36.131" found in string ""%PROGRAMFILES%\(x86)\Google\Update\1.3.36.131\GoogleUpdateBroker.exe""
Potential IP "1.3.36.131" found in string "@%PROGRAMFILES%\(x86)\Google\Update\1.3.36.131\goopdate.dll
-3000"
Potential IP "1.3.36.131" found in string ""%PROGRAMFILES%\(x86)\Google\Update\1.3.36.131\GoogleUpdateOnDemand.exe""
Potential IP "1.3.36.131" found in string "%PROGRAMFILES%\(x86)\Google\Update\1.3.36.131\psmachine_64.dll"
- source: File/Memory
- relevance: 3/10

Process binds to unusual ports
- details: Process "%PROGRAMFILES%\Google\Chrome\Application\chrome.exe" binds to port 5353
- source: Network Traffic
- relevance: 10/10
- ATT&CK ID: T1571

Spyware/Information Retrieval

Accesses potentially sensitive information from local browsers
- details:
"setup.exe" had access to "%PROGRAMFILES%\Google\Chrome\Application\104.0.5112.102\Installer\setup.exe" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Temp\source3124_235476766\Chrome-bin\chrome.VisualElementsManifest.xml" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Application\104.0.5112.102\Installer\chrmstp.exe" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Temp" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Application\SetupMetrics" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Temp\source3124_235476766" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Temp\source3124_235476766\Chrome-bin" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Temp\source3124_235476766\Chrome-bin\104.0.5112.102\VisualElements" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Temp\source3124_235476766\Chrome-bin\104.0.5112.102\WidevineCdm\_platform_specific" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Temp\source3124_235476766\Chrome-bin\104.0.5112.102\WidevineCdm\_platform_specific\win_x64" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Application\chrome_proxy.exe" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Application\master_preferences" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Application\chrome.exe" (Type: "FileHandle")
"setup.exe" had access to "C:\Program Files\Google\Chrome\Application" (Type: "FileHandle")
"chrmstp.exe" had access to "C:\Program Files\Google\Chrome\Application\104.0.5112.102" (Type: "FileHandle")
"chrmstp.exe" had access to "C:\Program Files\Google\Chrome\Application\master_preferences" (Type: "FileHandle")
"chrmstp.exe" had access to "C:\Program Files\Google\Chrome\Application\104.0.5112.102\Installer\chrmstp.exe" (Type: "FileHandle")
"chrmstp.exe" had access to "C:\Program Files\Google\Chrome\Application" (Type: "FileHandle") - source
- Touched Handle
- relevance
- 7/10
- ATT&CK ID
- T1005
-
System Destruction
-
Marks file for deletion
- details
-
"C:\ChromeStandaloneSetup64.exe" marked "%PROGRAMFILES%\(x86)\Google\Temp\GUM16C6.tmp\GoogleUpdate.exe" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleCrashHandler.exe" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdate.dll" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleUpdateBroker.exe" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleUpdateOnDemand.exe" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleUpdateComRegisterShell64.exe" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\psmachine.dll" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\psmachine_64.dll" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\psuser.dll" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\psuser_64.dll" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleCrashHandler64.exe" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleUpdateCore.exe" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_am.dll" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_ar.dll" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_bg.dll" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_bn.dll" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_ca.dll" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_cs.dll" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_da.dll" for deletion
"C:\ChromeStandaloneSetup64.exe" marked "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_de.dll" for deletion - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1070.004
-
Opens file with deletion access rights
- details
-
"ChromeStandaloneSetup64.exe" opened "%PROGRAMFILES%\(x86)\Google\Temp\GUM16C6.tmp\GoogleUpdate.exe" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleCrashHandler.exe" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdate.dll" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleUpdateBroker.exe" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleUpdateOnDemand.exe" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleUpdateComRegisterShell64.exe" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\psmachine.dll" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\psmachine_64.dll" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\psuser.dll" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\psuser_64.dll" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleCrashHandler64.exe" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\GoogleUpdateCore.exe" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_am.dll" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_ar.dll" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_bg.dll" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_bn.dll" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_ca.dll" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_cs.dll" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_da.dll" with delete access
"ChromeStandaloneSetup64.exe" opened "C:\Program Files (x86)\Google\Temp\GUM16C6.tmp\goopdateres_de.dll" with delete access - source
- API Call
- relevance
- 7/10
- ATT&CK ID
- T1070.004
-
System Security
-
Adjusts debug privileges
- details
-
"setup.exe" adjusted SE_DEBUG_PRIVILEGE
"chrmstp.exe" adjusted SE_DEBUG_PRIVILEGE - source
- API Call
- relevance
- 3/10
-
Modifies Software Policy Settings
- details
-
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLS")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLS")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CERTIFICATES")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLS")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLS")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CERTIFICATES")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLS")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Queries the display settings of system associated file extensions
- details
-
"GoogleUpdate.exe" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE"; Key: "NEVERSHOWEXT")
"GoogleUpdate.exe" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE"; Key: "ALWAYSSHOWEXT")
"setup.exe" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.LNK"; Key: "ALWAYSSHOWEXT")
"setup.exe" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE"; Key: "NEVERSHOWEXT")
"setup.exe" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE"; Key: "ALWAYSSHOWEXT")
"chrmstp.exe" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.LNK"; Key: "ALWAYSSHOWEXT")
"chrmstp.exe" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE"; Key: "NEVERSHOWEXT")
"chrmstp.exe" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE"; Key: "ALWAYSSHOWEXT") - source
- Registry Access
- relevance
- 7/10
- ATT&CK ID
- T1012
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
-
"chrome_proxy.exe" claimed CRC 1078840 while the actual is CRC 212431
"setup.exe" claimed CRC 4581339 while the actual is CRC 1078840
"chrome.exe" claimed CRC 2857914 while the actual is CRC 4581339 - source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
RegOpenKeyExW
OutputDebugStringW
GetModuleFileNameW
LockResource
GetCommandLineW
UnhandledExceptionFilter
LoadLibraryExW
GetStartupInfoW
GetCommandLineA
GetProcAddress
WriteFile
FindNextFileW
FindResourceExW
FindFirstFileExW
GetModuleHandleW
GetFileAttributesExW
IsDebuggerPresent
TerminateProcess
GetModuleHandleExW
FindResourceW
CreateFileW
RegCloseKey
CreateProcessAsUserW
GetDriveTypeW
GetFileAttributesW
GetTempPathW
OutputDebugStringA
LoadLibraryExA
CreateThread
GetSystemDirectoryW
ExitThread
GetVersionExW
GetTickCount
VirtualProtect
DeleteFileW
GetFileSizeEx
GetNativeSystemInfo
GetSystemInfo
SleepConditionVariableSRW
GetModuleHandleA
CreateProcessW
Sleep
VirtualAlloc
ShellExecuteExW
RegCreateKeyExW
GetUserNameW
CreateServiceW
RegEnumKeyExW
RegDeleteValueW
OpenProcessToken
RegDeleteKeyExW
ChangeServiceConfigW
GetThreadContext
ConnectNamedPipe
CopyFileW
DisconnectNamedPipe
SleepEx
CreateToolhelp32Snapshot
LoadLibraryW
WriteProcessMemory
OpenProcess
ReadProcessMemory
CreateDirectoryW
CreateFileMappingW
CreateFileA
VirtualAllocEx
Process32NextW
Process32FirstW
MapViewOfFile
ShellExecuteW
GetWindowThreadProcessId
SetWindowsHookExW
CreateRemoteThread
GetComputerNameExW
VirtualProtectEx - source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"chrome.exe" wrote bytes "2c001200" to virtual address "0x76BA02A8" (part of module "KERNEL32.DLL")
"chrome.exe" wrote bytes "b09e67f3fe070000" to virtual address "0x4015D0F0" (part of module "CHROME.EXE")
"chrome.exe" wrote bytes "e01062fdfe0700000000000000000000c0f4d6760000000080c2d676000000000000000000000000001ab27600000000e019b2760000000060dcd676000000000000000000000000" to virtual address "0x73252000" (part of module "KSUSER.DLL")
"chrome.exe" wrote bytes "a09774e9fe070000" to virtual address "0xE1B81638" (part of module "DWRITE.DLL")
"chrome.exe" wrote bytes "f09774e9fe070000" to virtual address "0xE1B81628" (part of module "DWRITE.DLL")
"chrome.exe" wrote bytes "109874e9fe070000" to virtual address "0xE1B81658" (part of module "DWRITE.DLL")
"chrome.exe" wrote bytes "409874e9fe070000" to virtual address "0xE1B81B88" (part of module "DWRITE.DLL")
"chrome.exe" wrote bytes "c09774e9fe070000" to virtual address "0xE1B81630" (part of module "DWRITE.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1056.004
-
Reads information about supported languages
- details
-
"ChromeStandaloneSetup64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EMPTY")
"ChromeStandaloneSetup64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
"ChromeStandaloneSetup64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
"GoogleUpdate.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"GoogleUpdate.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EMPTY")
"GoogleUpdate.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
"GoogleUpdate.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
"GoogleUpdateComRegisterShell64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
"GoogleUpdateComRegisterShell64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Hiding 13 Suspicious Indicators
-
Informative 36
-
Environment Awareness
-
Contains ability to read software policies
- details
-
"ChromeStandaloneSetup64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
"ChromeStandaloneSetup64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "AUTHENTICODEENABLED")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "AUTHENTICODEENABLED")
"GoogleUpdateComRegisterShell64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
"chrome_installer.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
"chrome_installer.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "AUTHENTICODEENABLED") - source
- Registry Access
- relevance
- 1/10
- ATT&CK ID
- T1082
-
Queries volume information
- details
-
"setup.exe" queries volume information of "%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\gui9DA9.tmp" at 00000000-00003124-00000046-2547742
"setup.exe" queries volume information of "C:\Program Files (x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\gui9DA9.tmp" at 00000000-00003904-00000046-1543480
"setup.exe" queries volume information of "C:\" at 00000000-00003904-00000046-4898071
"setup.exe" queries volume information of "C:\Program Files\Google\Chrome\Application\chrome.exe" at 00000000-00003904-00000046-4899261
"setup.exe" queries volume information of "C:\" at 00000000-00003904-00000046-10681380446367853
"setup.exe" queries volume information of "C:\Program Files\Google\Chrome\Application\chrome.exe" at 00000000-00003904-00000046-10681380446409243
"setup.exe" queries volume information of "C:\" at 00000000-00003904-00000046-10681380447022222
"setup.exe" queries volume information of "C:\Program Files\Google\Chrome\Application\chrome.exe" at 00000000-00003904-00000046-10681380447023425
"setup.exe" queries volume information of "C:\" at 00000000-00003904-00000046-10681380452444480
"setup.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk" at 00000000-00003904-00000046-10681380452526984
"chrmstp.exe" queries volume information of "C:\" at 00000000-00003588-00000046-26776782
"chrmstp.exe" queries volume information of "C:\Program Files\Google\Chrome\Application\chrome.exe" at 00000000-00003588-00000046-27065141
"chrmstp.exe" queries volume information of "C:\Program Files\Google\Chrome\Application\master_preferences" at 00000000-00003588-00000046-10681380447932827 - source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Queries volume information of an entire harddrive
- details
-
"setup.exe" queries volume information of "C:\" at 00000000-00003904-00000046-4898071
"setup.exe" queries volume information of "C:\" at 00000000-00003904-00000046-10681380446367853
"setup.exe" queries volume information of "C:\" at 00000000-00003904-00000046-10681380447022222
"setup.exe" queries volume information of "C:\" at 00000000-00003904-00000046-10681380452444480
"chrmstp.exe" queries volume information of "C:\" at 00000000-00003588-00000046-26776782 - source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
-
Reads the registry for installed applications
- details
-
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\GOOGLEUPDATE.EXE")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\GOOGLEUPDATE.EXE")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME"; Key: "VERSIONMINOR")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME"; Key: "VERSIONMAJOR")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME"; Key: "INSTALLDATE")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME"; Key: "DISPLAYVERSION")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME"; Key: "VERSION")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME"; Key: "PUBLISHER")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME"; Key: "NOREPAIR")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME"; Key: "NOMODIFY")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME"; Key: "DISPLAYICON")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME"; Key: "INSTALLLOCATION")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME"; Key: "UNINSTALLSTRING")
"setup.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GOOGLE CHROME"; Key: "DISPLAYNAME") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1518
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/67 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Accesses Software Policy Settings
- details
-
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLS"; Key: "")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLS"; Key: "")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CERTIFICATES"; Key: "")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLS"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLS"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CERTIFICATES"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST"; Key: "")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLS"; Key: "")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS"; Key: "")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES"; Key: "")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
Accesses System Certificates Settings
- details
-
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\AUTOUPDATE"; Key: "DISALLOWEDCERTSYNCDELTATIME")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"GoogleUpdate.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\2A83E9020591A55FC6DDAD3FB102794C52B24E70"; Key: "BLOB")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\1916A2AF346D399F50313C393200F14140456616"; Key: "BLOB")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"GoogleUpdate.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\43D9BCB568E039D073A74A71D8511F7476089CC3"; Key: "BLOB") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Contacts server
- details
-
"142.251.45.99:443"
"172.253.122.94:443"
"172.253.63.113:443"
"172.253.115.84:443"
"172.253.115.106:443"
"172.253.115.101:443"
"172.253.115.139:443"
"172.253.122.132:443"
"172.217.15.99:443"
"172.253.115.103:443"
"172.253.122.95:443" - source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
- "mi_exe_stub.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Contains export functions
- details
-
"chrome_proxy.exe" contains export function called "GetHandleVerifier" at ordinal 1
"setup.exe" contains export function called "GetHandleVerifier" at ordinal 1
"chrome.exe" contains export function called "GetHandleVerifier" at ordinal 1
"chrome.exe" contains export function called "GetMainTargetServices" at ordinal 2
"chrome.exe" contains export function called "GetPakFileHashes" at ordinal 3
"chrome.exe" contains export function called "IsSandboxedProcess" at ordinal 4 - source
- Static Parser
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\ChromeSetupMutex_6904726713431416151"
"\Sessions\1\BaseNamedObjects\Global\ChromeSetupExitEventMutex_6904726713431416151"
"Global\ChromeSetupMutex_6904726713431416151"
"Global\ChromeSetupExitEventMutex_6904726713431416151" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "GoogleUpdate.exe.bin" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "chrome_proxy.exe" as clean (type is "PE32+ executable (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "setup.exe" as clean (type is "PE32+ executable (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "chrmstp.exe" as clean (type is "PE32+ executable (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "chrome.exe" as clean (type is "PE32+ executable (GUI) x86-64 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Found API related strings
- details
-
"FlsGetValue" (Indicator: "FlsGetValue") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"FlsSetValue" (Indicator: "FlsSetValue") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"InitializeCriticalSectionEx" (Indicator: "InitializeCriticalSection") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"CorExitProcess" (Indicator: "ExitProcess") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"LocaleNameToLCID" (Indicator: "LocaleNameToLCID") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"QueryPerformanceCounter" (Indicator: "QueryPerformanceCounter") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"GetCurrentProcessId" (Indicator: "GetCurrentProcess") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"GetCurrentThreadId" (Indicator: "GetCurrentThreadId") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"GetSystemTimeAsFileTime" (Indicator: "GetSystemTime") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"InitializeSListHead" (Indicator: "InitializeSListHead") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"IsDebuggerPresent" (Indicator: "IsDebuggerPresent") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"UnhandledExceptionFilter" (Indicator: "UnhandledExceptionFilter") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"SetUnhandledExceptionFilter" (Indicator: "SetUnhandledExceptionFilter") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"GetStartupInfoW" (Indicator: "GetStartupInfoW") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"IsProcessorFeaturePresent" (Indicator: "IsProcessorFeaturePresent") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"GetModuleHandleW" (Indicator: "GetModuleHandleW") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"GetCurrentProcess" (Indicator: "GetCurrentProcess") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"TerminateProcess" (Indicator: "TerminateProcess") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"RtlUnwind" (Indicator: "RtlUnwind") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin
"GetLastError" (Indicator: "GetLastError") in Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin - source
- File/Memory
- relevance
- 1/10
-
Launches a browser
- details
-
Launches browser "chrome.exe" (13 occurrences) - source
- Monitored Target
- relevance
- 3/10
-
Overview of unique CLSIDs touched in registry
- details
-
"GoogleUpdate.exe" touched "XML DOM Document" (Path: "HKCU\WOW6432NODE\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\PROGID")
"GoogleUpdate.exe" touched "TaskScheduler class" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TREATAS")
"GoogleUpdate.exe" touched "Memory Mapped Cache Mgr" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
"GoogleUpdate.exe" touched "Computer" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"GoogleUpdate.exe" touched "PSDispatch" (Path: "HKCU\WOW6432NODE\CLSID\{00020420-0000-0000-C000-000000000046}\TREATAS")
"GoogleUpdate.exe" touched "Background Intelligent Transfer Control Class 1.0" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{4991D34B-80A1-4291-83B6-3328366B9097}\TREATAS")
"GoogleUpdate.exe" touched "PSFactoryBuffer" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\PROGID")
"setup.exe" touched "HNetCfg.FwPolicy2" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}\TREATAS")
"setup.exe" touched "HNetCfg.FwRule" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{2C5BC43E-3369-4C33-AB0C-BE9469677AF4}\INPROCHANDLER")
"setup.exe" touched "Shortcut" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{00021401-0000-0000-C000-000000000046}\IMPLEMENTED CATEGORIES\{00021490-0000-0000-C000-000000000046}")
"setup.exe" touched "CompatContextMenu Class" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{1D27F844-3A1F-4410-85AC-14651078412D}")
"setup.exe" touched "Copy as Path Menu" (Path: "HKCU\CLSID\{F3D06E7C-1E45-4A26-847E-F9FCDEE59BE0}")
"setup.exe" touched "Microsoft SendTo Service" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{7BA4C740-9E81-11CF-99D3-00AA004AE837}")
"setup.exe" touched "Groove GFS Context Menu Handler" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{6C467336-8281-4E60-8204-430CED96822D}")
"setup.exe" touched "Previous Versions Property Page" (Path: "HKCU\CLSID\{596AB062-B4D2-4215-9F74-E9109B0A8153}\PROGID")
"setup.exe" touched "Property System Both Class Factory" (Path: "HKCU\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\TREATAS")
"setup.exe" touched "Offline Files Service Control" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{69486DD6-C19F-42E8-B508-A53F9F8E67B8}\LOCALSERVER32")
"setup.exe" touched "Taskband Pin" (Path: "HKCU\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\SHELLEX\NOADDTORECENT")
"setup.exe" touched "Start Menu Cache" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{660B90C8-73A9-4B58-8CAE-355B7F55341B}\TREATAS")
"setup.exe" touched "Start Menu Pin" (Path: "HKCU\CLSID\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}\TREATAS") - source
- Registry Access
- relevance
- 3/10
-
PE file contains executable sections
- details
-
"GoogleUpdate.exe.bin" has an executable section named ".text"
"chrome_proxy.exe" has an executable section named ".text"
"setup.exe" has an executable section named ".text"
"chrome.exe" has an executable section named ".text" - source
- Static Parser
- relevance
- 1/10
-
Process launched with changed environment
- details
-
Process "GoogleUpdate.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "GoogleUpdate.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "GoogleUpdate.exe" was launched with modified environment variables: "CommonProgramFiles, LOCALAPPDATA, USERDOMAIN, PROCESSOR_ARCHITECTURE, TEMP, APPDATA, USERPROFILE, TMP, ProgramFiles"
Process "GoogleUpdate.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432, LOGONSERVER, HOMEPATH, HOMEDRIVE"
Process "chrome_installer.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64", LOGONSERVER="\\HAPUBWS-PC", GoogleUpdateIsMachine="1", HOMEPATH="\Users\PUFM9uG", HOMEDRIVE="C:""
Process "chrome_installer.exe" was launched with modified environment variables: "CommonProgramFiles, Path, LOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP, ProgramFiles"
Process "setup.exe" was launched with modified environment variables: "CommonProgramFiles, ProgramFiles"
Process "setup.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
Process "setup.exe" was launched with new environment variables: "CHROME_CRASHPAD_PIPE_NAME="\\.\pipe\crashpad_3124_ORKZRGQSEFZOESQI""
Process "GoogleCrashHandler.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "GoogleCrashHandler.exe" was launched with modified environment variables: "CommonProgramFiles, Path, LOCALAPPDATA, USERDOMAIN, PROCESSOR_ARCHITECTURE, TEMP, APPDATA, USERPROFILE, TMP, ProgramFiles"
Process "GoogleCrashHandler.exe" was launched with missing environment variables: "LOGONSERVER, GoogleUpdateIsMachine, HOMEPATH, HOMEDRIVE, CHROME_CRASHPAD_PIPE_NAME"
Process "GoogleUpdate.exe" was launched with new environment variables: "LOGONSERVER="\\HAPUBWS-PC", GOOGLE_UPDATE_UI_DISPLAYED_EVENT_NAME="{023664C2-908D-4740-9124-4FFC14EB4802}", HOMEPATH="\Users\PUFM9uG", HOMEDRIVE="C:""
Process "GoogleUpdate.exe" was launched with modified environment variables: "LOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP"
Process "chrome.exe" was launched with modified environment variables: "PROCESSOR_ARCHITECTURE"
Process "chrome.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432, GOOGLE_UPDATE_UI_DISPLAYED_EVENT_NAME"
Process "chrome.exe" was launched with modified environment variables: "CommonProgramFiles, ProgramFiles"
Process "chrome.exe" was launched with new environment variables: "CHROME_CRASHPAD_PIPE_NAME="\\.\pipe\crashpad_3544_VTUFPOTOOIRYUAXG""
Process "chrome.exe" was launched with new environment variables: "CHROME_RESTART="Google Chrome|Whoa! Google Chrome has crashed. Relaunch now?|LEFT_TO_RIGHT""
Process "chrmstp.exe" was launched with modified environment variables: "CHROME_CRASHPAD_PIPE_NAME"
Process "GoogleUpdate.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64", PROMPT="$P$G""
Process "GoogleUpdate.exe" was launched with modified environment variables: "CommonProgramFiles, Path, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "GoogleUpdate.exe" was launched with missing environment variables: "CHROME_RESTART, CHROME_CRASHPAD_PIPE_NAME" - source
- Monitored Target
- relevance
- 10/10
-
References url in command line
- details
-
Process "setup.exe" with commandline "--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x16c,0x170,0x174,0x140,0x178,0x13fb546c8,0x13fb546d8,0x13fb546e8"
Process "setup.exe" with commandline "--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x164,0x168,0x16c,0x138,0x170,0x13fb546c8,0x13fb546d8,0x13fb546e8"
Process "chrome.exe" with commandline "--type=crashpad-handler "--user-data-dir=%LOCALAPPDATA%\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad" "--metrics-dir=%LOCALAPPDATA%\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0xa4,0xa8,0xac,0x78,0xb0,0x7fef36e6bb0,0x7fef36e6bc0,0x7fef36e6bd0"
Process "chrmstp.exe" with commandline "--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x1402c46c8,0x1402c46d8,0x1402c46e8"
Process "chrmstp.exe" with commandline "--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x164,0x168,0x16c,0x138,0x170,0x1402c46c8,0x1402c46d8,0x1402c46e8" - source
- Monitored Target
-
Sample shows a variety of benign indicators
- details
- The input file/all extracted files were not detected as malicious and the input file is signed with a validated certificate
- source
- Indicator Combinations
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "GoogleUpdate.exe" with commandline "/installsource taggedmi /install "appguid={8A69D345-D564-463C-AF ...", Spawned process "GoogleUpdate.exe" with commandline "/regsvc", Spawned process "GoogleUpdate.exe" with commandline "/regserver", Spawned process "GoogleUpdateComRegisterShell64.exe", Spawned process "GoogleUpdateComRegisterShell64.exe", Spawned process "GoogleUpdateComRegisterShell64.exe", Spawned process "GoogleUpdate.exe" with commandline "/ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdW ...", Spawned process "GoogleUpdate.exe" with commandline "/handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={A4 ..."
Spawned process "GoogleUpdate.exe" with commandline "/svc"
Spawned process "chrome_installer.exe" with commandline "--do-not-launch-chrome --system-level /installerdata="%PROGRAMFI ...", Spawned process "setup.exe" with commandline "--install-archive="%PROGRAMFILES%\(x86)\Google\Update\Install\{A ..."
Spawned process "setup.exe" with commandline "--type=crashpad-handler /prefetch:7 --monitor-self-annotation=pt ..."
Spawned process "setup.exe" with commandline "--system-level --verbose-logging --installerdata="%PROGRAMFILES% ...", Spawned process "setup.exe" with commandline "--type=crashpad-handler /prefetch:7 --monitor-self-annotation=pt ...", Spawned process "GoogleCrashHandler.exe", Spawned process "GoogleCrashHandler64.exe", Spawned process "GoogleUpdate.exe" with commandline "/ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdW ...", Spawned process "GoogleUpdate.exe" with commandline "/ondemand", Spawned process "chrome.exe" with commandline "--from-installer", Spawned process "chrome.exe" with commandline "--type=crashpad-handler "--user-data-dir=%LOCALAPPDATA%\Google\C ..." - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "GoogleUpdate.exe" with commandline "/installsource taggedmi /install "appguid={8A69D345-D564-463C-AF ...", Spawned process "GoogleUpdate.exe" with commandline "/regsvc", Spawned process "GoogleUpdate.exe" with commandline "/regserver", Spawned process "GoogleUpdateComRegisterShell64.exe", Spawned process "GoogleUpdateComRegisterShell64.exe", Spawned process "GoogleUpdateComRegisterShell64.exe", Spawned process "GoogleUpdate.exe" with commandline "/ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdW ...", Spawned process "GoogleUpdate.exe" with commandline "/handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={A4 ..."
Spawned process "GoogleUpdate.exe" with commandline "/svc"
Spawned process "chrome_installer.exe" with commandline "--do-not-launch-chrome --system-level /installerdata="%PROGRAMFI ...", Spawned process "setup.exe" with commandline "--install-archive="%PROGRAMFILES%\(x86)\Google\Update\Install\{A ..."
Spawned process "setup.exe" with commandline "--type=crashpad-handler /prefetch:7 --monitor-self-annotation=pt ..."
Spawned process "setup.exe" with commandline "--system-level --verbose-logging --installerdata="%PROGRAMFILES% ...", Spawned process "setup.exe" with commandline "--type=crashpad-handler /prefetch:7 --monitor-self-annotation=pt ...", Spawned process "GoogleCrashHandler.exe", Spawned process "GoogleCrashHandler64.exe", Spawned process "GoogleUpdate.exe" with commandline "/ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdW ...", Spawned process "GoogleUpdate.exe" with commandline "/ondemand", Spawned process "chrome.exe" with commandline "--from-installer", Spawned process "chrome.exe" with commandline "--type=crashpad-handler "--user-data-dir=%LOCALAPPDATA%\Google\C ..." - source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "C=US, S=California, L=Mountain View, O=Google LLC, CN=Google LLC" (SHA1: 26:73:EA:6C:C2:3B:EF:FD:A4:9A:C7:15:B1:21:54:40:98:A1:28:4C: (1.2.840.113549.1.1.11); see report for more information)
The input sample is signed with a certificate issued by "C=US, O="DigiCert, Inc.", CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" (SHA1: 7B:0F:36:0B:77:5F:76:C9:4A:12:CA:48:44:5A:A2:D2:A8:75:70:1C: (1.2.840.113549.1.1.12); see report for more information)
The input sample is signed with a certificate issued by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4" (SHA1: A9:9D:5B:79:E9:F1:CD:A5:9C:DA:B6:37:31:69:D5:35:3F:58:74:C6: (1.2.840.113549.1.1.12); see report for more information)
The input sample is signed with a certificate issued by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA" (SHA1: 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43: (sha1RSA(RSA)); see report for more information) - source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1553.002
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1553.002
-
Installation/Persistence
-
Accessed IE Quick Launch directory
- details
- "setup.exe" obtained handle to "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" (Type: "FileHandle")
- source
- Touched Handle
- relevance
- 10/10
-
Connects to LPC ports
- details
-
"setup.exe" connecting to "\ThemeApiPort"
"chrome.exe" connecting to "\ThemeApiPort"
"chrmstp.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"GoogleUpdate.exe.bin" has type "PE32 executable (GUI) Intel 80386 for MS Windows"- [targetUID: N/A]
"chrome_proxy.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"- Location: [%PROGRAMFILES%\Google\Chrome\Temp\source3124_235476766\Chrome-bin\chrome_proxy.exe]- [targetUID: 00000000-00003124]
"setup.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"- Location: [%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\setup.exe]- [targetUID: 00000000-00000644]
"Google Chrome.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Description string Has Relative path Has Working directory Icon number=0 Archive ctime=Wed Aug 24 23:55:38 2022 mtime=Wed Aug 24 23:55:38 2022 atime=Mon Aug 15 23:07:19 2022 length=2852640 window=hide"- Location: [%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk]- [targetUID: 00000000-00003904]
"chrmstp.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"- Location: [%PROGRAMFILES%\Google\Chrome\Application\104.0.5112.102\Installer\chrmstp.exe]- [targetUID: 00000000-00003700]
"chrome.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"- Location: [%PROGRAMFILES%\Google\Chrome\Application\chrome.exe]- [targetUID: 00000000-00003904]
"000001.dbtmp" has type "ASCII text"- Location: [%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Storage\leveldb\000001.dbtmp]- [targetUID: 00000000-00003544]
"master_preferences" has type "UTF-8 Unicode (with BOM) text"- Location: [%PROGRAMFILES%\Google\Chrome\Application\master_preferences]- [targetUID: 00000000-00003544]
"Reporting and NEL-journal" has type "data"- Location: [%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Reporting and NEL-journal]- [targetUID: 00000000-00003796]
"MANIFEST-000001" has type "PGP\011Secret Key -"- Location: [%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001]- [targetUID: 00000000-00003544]
"d7ab0264-60c9-4b56-889f-fdc47b4885ee.tmp" has type "data"- Location: [%PROGRAMFILES%\Google\Chrome\Application\SetupMetrics\d7ab0264-60c9-4b56-889f-fdc47b4885ee.tmp]- [targetUID: 00000000-00003904]
"c21ea056-cfdd-45dc-9c80-3e229552787a.tmp" has type "ASCII text with very long lines with no line terminators"- Location: [%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\c21ea056-cfdd-45dc-9c80-3e229552787a.tmp]- [targetUID: 00000000-00003796]
"f_000001" has type "data"- Location: [%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001]- [targetUID: 00000000-00003796]
"Cookies-journal" has type "data"- Location: [%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies-journal]- [targetUID: 00000000-00003796]
"data_2" has type "data"- Location: [%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2]- [targetUID: 00000000-00003544] - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"GoogleUpdate.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"GoogleUpdate.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"chrome_installer.exe" touched file "%WINDIR%\AppPatch\AppPatch64\sysmain.sdb"
"setup.exe" touched file "%WINDIR%\AppPatch\AppPatch64\sysmain.sdb"
"setup.exe" touched file "%WINDIR%\Temp\Crashpad"
"setup.exe" touched file "%WINDIR%\Temp\Crashpad\reports"
"setup.exe" touched file "%WINDIR%\Temp\Crashpad\metadata"
"setup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"setup.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk"
"setup.exe" touched file "%WINDIR%\Temp\Crashpad\settings.dat"
"setup.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"setup.exe" touched file "%WINDIR%\Temp\Crashpad\attachments"
"chrome.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"chrmstp.exe" touched file "%WINDIR%\Temp\Crashpad" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "gM,'f;d}.gD"- [Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin]
Heuristic match: "=c\'{%.CL"- [Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin]
Heuristic match: "a5UiC`.SY"- [Source: 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c.bin]
Pattern match: "https://clients2.google.com/cr/report"- [Source: setup.exe]
Pattern match: "https://clients2.google.com,supports_spdy:true},{alternative_service:[{advertised_alpns:[h3],expiration:13308451071973957,port:443,protocol_str:quic}],isolation:[],server:https://accounts.google.com,supports_spdy:true},{alternat"- [Source: c21ea056-cfdd-45dc-9c80-3e229552787a.tmp] - source
- File/Memory
- relevance
- 10/10
-
Possibly tries to communicate over SSL connection (HTTPS)
- details
-
"--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x16c,0x170,0x174,0x140,0x178,0x13fb546c8,0x13fb546d8,0x13fb546e8" (Indicator: "https://") in Source: setup.exe
"--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x164,0x168,0x16c,0x138,0x170,0x13fb546c8,0x13fb546d8,0x13fb546e8" (Indicator: "https://") in Source: setup.exe
"--type=crashpad-handler "--user-data-dir=%LOCALAPPDATA%\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad" "--metrics-dir=%LOCALAPPDATA%\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0xa4,0xa8,0xac,0x78,0xb0,0x7fef36e6bb0,0x7fef36e6bc0,0x7fef36e6bd0" (Indicator: "https://") in Source: chrome.exe
"--type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x1402c46c8,0x1402c46d8,0x1402c46e8" (Indicator: "https://") in Source: chrmstp.exe - source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1573
-
Uses HTTPS for communication
- details
-
"HTTPS traffic to 142.251.45.99 on port 443"
"HTTPS traffic to 172.253.122.94 on port 443"
"HTTPS traffic to 172.253.63.113 on port 443"
"HTTPS traffic to 172.253.115.84 on port 443"
"HTTPS traffic to 172.253.115.106 on port 443"
"HTTPS traffic to 172.253.115.101 on port 443"
"HTTPS traffic to 172.253.115.139 on port 443"
"HTTPS traffic to 172.253.122.132 on port 443"
"HTTPS traffic to 172.217.15.99 on port 443"
"HTTPS traffic to 172.253.115.103 on port 443"
"HTTPS traffic to 172.253.122.95 on port 443" - source
- Network Traffic
- relevance
- 3/10
- ATT&CK ID
- T1573
-
Spyware/Information Retrieval
-
Imports GetCommandLine API
- details
-
"Observed import api GetCommandLineA which can "Retrieves the command-line string for the current process" (Source: GoogleUpdate.exe.bin)"
"Observed import api GetCommandLineA which can "Retrieves the command-line string for the current process" (Source: chrome_proxy.exe)"
"Observed import api GetCommandLineA which can "Retrieves the command-line string for the current process" (Source: setup.exe)" - source
- Static Parser
- relevance
- 1/10
- ATT&CK ID
- T1106
-
Imports GetEnvironmentVariable API
- details
- Observed import api GetEnvironmentVariable which can read the host's architecture (Source: setup.exe)
- source
- Static Parser
- relevance
- 1/10
- ATT&CK ID
- T1082
-
System Security
-
Creates or modifies windows services
- details
-
"GoogleUpdate.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS")
"setup.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\CHROME")
"setup.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION")
"setup.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG")
"setup.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES")
"setup.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\CHROME"; Key: "PARAMETERMESSAGEFILE"; Value: "%PROGRAMFILES%\Google\Chrome\Application\104.0.5112.102\eventl")
"setup.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\CHROME"; Key: "EVENTMESSAGEFILE"; Value: "%PROGRAMFILES%\Google\Chrome\Application\104.0.5112.102\eventl")
"setup.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\CHROME"; Key: "CATEGORYMESSAGEFILE"; Value: "%PROGRAMFILES%\Google\Chrome\Application\104.0.5112.102\eventl")
"setup.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\CHROME"; Key: "TYPESSUPPORTED"; Value: "07000000")
"setup.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\CHROME"; Key: "CATEGORYCOUNT"; Value: "01000000") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Imports system security related APIs
- details
-
"Observed import api CreateWellKnownSid which can "Creates a SID for predefined aliases" (Source: setup.exe)"
"Observed import api DuplicateToken which can "Creates a new access token that duplicates one already in existence" (Source: setup.exe)"
"Observed import api GetLengthSid which can "Returns the length in bytes of a valid security identifier (SID)" (Source: setup.exe)"
"Observed import api GetSidSubAuthority which can "Returns a pointer to a specified subauthority in a security identifier (SID)" (Source: setup.exe)"
"Observed import api GetSidSubAuthorityCount which can "Returns a pointer to the member in a security identifier (SID) structure that contains the subauthority count" (Source: setup.exe)"
"Observed import api GetTokenInformation which can "Retrieves a specified type of information about an access token" (Source: setup.exe)"
"Observed import api InitializeSid which can "Initializes a security identifier (SID)" (Source: setup.exe)"
"Observed import api IsValidSid which can "Validates a security identifier (SID) by verifying that the revision number is within a known range and that the number of subauthorities is less than the maximum" (Source: setup.exe)"
"Observed import api RevertToSelf which can "Terminates the impersonation of a client application" (Source: setup.exe)" - source
- Static Parser
- relevance
- 1/10
- ATT&CK ID
- T1134.001
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"chrome_installer.exe" opened "\Device\KsecDD"
"setup.exe" opened "\Device\KsecDD"
"chrome.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "GoogleUpdate.exe.bin" was detected as "VC8 -> Microsoft Corporation"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1027.002
-
File Details
ChromeStandaloneSetup64.exe
- Filename
- ChromeStandaloneSetup64.exe
- Size
- 88MiB (92141616 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 870a4c6fb58723956374d9c2d4ff67e5ff5417fa1d97a4722446e84cb399ac2c
- MD5
- 5b5a6a4416f3265237465e4360a55a6f
- SHA1
- d038ed85ee3e21f8f1a6803c52b61f420b399300
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
C=US, S=California, L=Mountain View, O=Google LLC, CN=Google LLC | C=US, S=California, L=Mountain View, O=Google LLC, CN=Google LLC Serial: 0e4418e2dede36dd2974c3443afb5ce5 | 07/02/2021 02:00:00 - 07/11/2024 01:59:59 | 26:73:EA:6C:C2:3B:EF:FD:A4:9A:C7:15:B1:21:54:40:98:A1:28:4C: (1.2.840.113549.1.1.11) |
C=US, O="DigiCert, Inc.", CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | C=US, O="DigiCert, Inc.", CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 Serial: 08ad40b260d29c4c9f5ecda9bd93aed9 | 04/29/2021 02:00:00 - 04/29/2036 01:59:59 | 7B:0F:36:0B:77:5F:76:C9:4A:12:CA:48:44:5A:A2:D2:A8:75:70:1C: (1.2.840.113549.1.1.12) |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4 Serial: 0e9b188ef9d02de7efdb50e20840185a | 08/01/2022 02:00:00 - 11/10/2031 01:59:59 | A9:9D:5B:79:E9:F1:CD:A5:9C:DA:B6:37:31:69:D5:35:3F:58:74:C6: (1.2.840.113549.1.1.12) |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA Serial: 0ce7e0e517d846fe8fe560fc1bf03039 | 11/10/2006 02:00:00 - 11/10/2031 02:00:00 | 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43: (sha1RSA(RSA)) |
Hybrid Analysis
Analysed 37 processes in total.
- ChromeStandaloneSetup64.exe (PID: 2572)
- GoogleUpdate.exe /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={A43FBFAB-3F24-33C6-D5F0-EDBDD01AF967}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" (PID: 2900)
- GoogleUpdate.exe /regsvc (PID: 2584)
- GoogleUpdate.exe /regserver (PID: 2924)
- GoogleUpdateComRegisterShell64.exe (PID: 1316)
- GoogleUpdateComRegisterShell64.exe (PID: 3364)
- GoogleUpdateComRegisterShell64.exe (PID: 1760)
- GoogleUpdate.exe /ping 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- (PID: 2752)
- GoogleUpdate.exe /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={A43FBFAB-3F24-33C6-D5F0-EDBDD01AF967}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource offline /sessionid "{FF415C72-E3C2-4B2E-949E-65DC0D1518A7}" /offlinedir "{86394862-E944-4C47-A998-98329608FD27}" (PID: 3280)
- GoogleUpdate.exe /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={A43FBFAB-3F24-33C6-D5F0-EDBDD01AF967}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" (PID: 2900)
- GoogleUpdate.exe /svc (PID: 2560)
- chrome_installer.exe --do-not-launch-chrome --system-level /installerdata="%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\gui9DA9.tmp" (PID: 644)
- setup.exe --install-archive="%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\CHROME.PACKED.7Z" --do-not-launch-chrome --system-level /installerdata="%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\gui9DA9.tmp" (PID: 3124)
- setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x16c,0x170,0x174,0x140,0x178,0x13fb546c8,0x13fb546d8,0x13fb546e8 (PID: 2068)
- setup.exe --system-level --verbose-logging --installerdata="%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\gui9DA9.tmp" --create-shortcuts=0 --install-level=1 (PID: 3904)
- setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x164,0x168,0x16c,0x138,0x170,0x13fb546c8,0x13fb546d8,0x13fb546e8 (PID: 3672)
- setup.exe --install-archive="%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\CR_6093A.tmp\CHROME.PACKED.7Z" --do-not-launch-chrome --system-level /installerdata="%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\gui9DA9.tmp" (PID: 3124)
- GoogleCrashHandler.exe (PID: 3564)
- GoogleCrashHandler64.exe (PID: 2996)
- GoogleUpdate.exe /ping 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-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NjA5IiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMTYiIHRvdGFsPSI4OTUzMDQxNiIgaW5zdGFsbF90aW1lX21zPSIxMzkyNjYiLz48L2FwcD48L3JlcXVlc3Q- (PID: 992)
- chrome_installer.exe --do-not-launch-chrome --system-level /installerdata="%PROGRAMFILES%\(x86)\Google\Update\Install\{A3895568-AB6C-435E-88D1-6915A00DA4F1}\gui9DA9.tmp" (PID: 644)
- GoogleUpdate.exe /ondemand (PID: 1400)
- chrome.exe --from-installer (PID: 3544)
- chrome.exe --type=crashpad-handler "--user-data-dir=%LOCALAPPDATA%\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad" "--metrics-dir=%LOCALAPPDATA%\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0xa4,0xa8,0xac,0x78,0xb0,0x7fef36e6bb0,0x7fef36e6bc0,0x7fef36e6bd0 (PID: 1156)
- chrome.exe --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1188,i,13991449233411198892,392344246861588602,131072 /prefetch:2 (PID: 1172)
- chrome.exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1320 --field-trial-handle=1188,i,13991449233411198892,392344246861588602,131072 /prefetch:8 (PID: 3796)
- chrome.exe --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1404 --field-trial-handle=1188,i,13991449233411198892,392344246861588602,131072 /prefetch:8 (PID: 2028)
- chrome.exe --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --launch-time-ticks=1154904043 --mojo-platform-channel-handle=2076 --field-trial-handle=1188,i,13991449233411198892,392344246861588602,131072 /prefetch:1 (PID: 2668)
- chrome.exe --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --launch-time-ticks=1156147726 --mojo-platform-channel-handle=2088 --field-trial-handle=1188,i,13991449233411198892,392344246861588602,131072 /prefetch:1 (PID: 2836)
- chrome.exe --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --launch-time-ticks=1157137162 --mojo-platform-channel-handle=2388 --field-trial-handle=1188,i,13991449233411198892,392344246861588602,131072 /prefetch:1 (PID: 1928)
- chrome.exe --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --launch-time-ticks=1158083832 --mojo-platform-channel-handle=2432 --field-trial-handle=1188,i,13991449233411198892,392344246861588602,131072 /prefetch:1 (PID: 3224)
- chrome.exe --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --launch-time-ticks=1158932151 --mojo-platform-channel-handle=2440 --field-trial-handle=1188,i,13991449233411198892,392344246861588602,131072 /prefetch:1 (PID: 2252)
- chrome.exe --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1804 --field-trial-handle=1188,i,13991449233411198892,392344246861588602,131072 /prefetch:2 (PID: 2928)
- chrome.exe --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3864 --field-trial-handle=1188,i,13991449233411198892,392344246861588602,131072 /prefetch:8 (PID: 352)
- chrmstp.exe --configure-user-settings --verbose-logging --system-level --force-configure-user-settings (PID: 3700)
- chrmstp.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x1402c46c8,0x1402c46d8,0x1402c46e8 (PID: 3608)
- chrmstp.exe --system-level --verbose-logging --installerdata="%PROGRAMFILES%\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0 (PID: 3588)
- chrmstp.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=104.0.5112.102 --initial-client-data=0x164,0x168,0x16c,0x138,0x170,0x1402c46c8,0x1402c46d8,0x1402c46e8 (PID: 3720)
- chrome.exe --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=1188,i,13991449233411198892,392344246861588602,131072 /prefetch:8 (PID: 3864)
- chrome.exe --from-installer (PID: 3544)
- GoogleUpdate.exe /ua /installsource scheduler (PID: 4024)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
142.251.45.99 | 443 TCP | googleupdate.exe PID: 2752; googleupdate.exe PID: 992 | United States
172.253.122.94 | 443 TCP | chrome.exe PID: 3796 | United States
172.253.63.113 | 443 TCP | chrome.exe PID: 3796 | United States
172.253.115.84 | 443 TCP | chrome.exe PID: 3796 | United States
172.253.115.106 | 443 TCP | chrome.exe PID: 3796 | United States
172.253.115.101 | 443 TCP | chrome.exe PID: 3796 | United States
172.253.115.139 | 443 TCP | chrome.exe PID: 3796 | United States
172.253.122.132 | 443 TCP | chrome.exe PID: 3796 | United States
172.217.15.99 | 443 TCP | chrome.exe PID: 3796 | United States
172.253.115.103 | 443 TCP | chrome.exe PID: 3796 | United States
172.253.122.95 | 443 TCP | chrome.exe PID: 3796 | United States
Contacted Countries
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 24 extracted file(s). The remaining 15 file(s) are available in the full version and XML/JSON reports.
- Clean 5
- setup.exe
- Size
- 4.3MiB (4559136 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- chrome_installer.exe (PID: 644)
- MD5
- 63622c178b0b847d18a2c2958e1218ae
- SHA1
- b5c438e32f92e2c30ee3a35e5093797064f6a232
- SHA256
- dc8efd6ba90b0d690249e7945230d3a0ea430abe8e3f98a933b33692ed56863e
- chrmstp.exe
- Size
- 4.3MiB (4559136 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- chrmstp.exe (PID: 3700)
- MD5
- 63622c178b0b847d18a2c2958e1218ae
- SHA1
- b5c438e32f92e2c30ee3a35e5093797064f6a232
- SHA256
- dc8efd6ba90b0d690249e7945230d3a0ea430abe8e3f98a933b33692ed56863e
- chrome.exe
- Size
- 2.7MiB (2852640 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- setup.exe (PID: 3904)
- MD5
- 7bc7b4aedc055bb02bcb52710132e9e1
- SHA1
- 1f3e160780992c39434a53f0aeabd4aff5ca21ab
- SHA256
- 91e39a6aff4f259121d6bab8076750616d2f9e8d4b92f755bbdd46bf2f00c441
- chrome_proxy.exe
- Size
- 1003KiB (1027360 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- setup.exe (PID: 3124)
- MD5
- 04e84414d046c724fa1b8489dc48ace2
- SHA1
- 7db20400bd4d0c8db97034dbdef8a6826b78227a
- SHA256
- ca9e3515dca996189ccb8bbca4d7217f58e646f1c7c094610c96a71dcf6c0e80
- GoogleUpdate.exe.bin
- Size
- 165KiB (168632 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/70
- MD5
- e885bf92c289c674cd32f3e85ab2b922
- SHA1
- c0a98fd8c74d031f54fda658a1c67d8886b5e076
- SHA256
- 63854e78780866d2ae56a58958a1fda017a71f54b71fe70cf5403958e961862a
- Informative Selection 3
- index
- Size
- 256KiB (262512 bytes)
- Type
- unknown
- Description
- FoxPro FPT, blocks size 512, next free block index 3284796353, field type 0
- Runtime Process
- chrome.exe (PID: 3544)
- MD5
- 144a8776b6723410afe077ee239c25c1
- SHA1
- 65171149f7dc41077f68c4fefe1c21aad9fc1320
- SHA256
- c2af867dcaa062e30982f775c27d0b780fd21c4e1c4e3d15dde4bef18463cf49
- LOG
- Size
- 293B (293 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- chrome.exe (PID: 3544)
- MD5
- 9655283d693e7bade148354b31a16e70
- SHA1
- 7f0ea58f50af77af41de3bdb95b641306736058a
- SHA256
- 7cf2de8a80a0d78ef4f3d53d2beb2f4915324a2b0276a6b995d8f00fd3d3a560
- master_preferences
- Size
- 17B (17 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text
- Runtime Process
- chrome.exe (PID: 3544)
- MD5
- 82b48419e8f06d518e866f56bc6dfecf
- SHA1
- ef08d9cefec762b871cd9aaa974ad2e73ae6cefa
- SHA256
- 16d295c7f5551492ca329ae4dd9155ef1033cb4cd55aa1499938426daa519072
- Informative 16
- Google Chrome.lnk
- Size
- 2.2KiB (2242 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Wed Aug 24 23:55:38 2022, mtime=Wed Aug 24 23:55:38 2022, atime=Mon Aug 15 23:07:19 2022, length=2852640, window=hide
- Runtime Process
- setup.exe (PID: 3904)
- MD5
- 4af333d2f4cb725277e03115b554c509
- SHA1
- 3e3231d324ae3045afff280d58640dfaf5ea074c
- SHA256
- 44f76a8d6c1af5070438ab0d7fa0672d34d01b52cfc18b1cb4ee662006834495
- data_0
- Size
- 8.1KiB (8264 bytes)
- Runtime Process
- chrome.exe (PID: 3544)
- MD5
- 4d1360b723369a3094a1028b1b037c70
- SHA1
- 9219abac691d488b4fa39e728f1ff7f18fc78e28
- SHA256
- 985c1bd4a99d3ecb49bba01bd193f8e4ef54c86c6f14af4dd0e00a62d0a386f9
- data_1
- Size
- 9.5KiB (9728 bytes)
- Runtime Process
- chrome.exe (PID: 3544)
- MD5
- e3ed48c41cbaa02d1c1dfd582ad904be
- SHA1
- 1778044a35a53c5e75b0598882d9d035f5cef2b1
- SHA256
- 697670bba312acd735dde27e65629d62c8e4735370d3e1926900eb4bf97cd88e
- data_2
- Size
- 8KiB (8192 bytes)
- Type
- data
- Runtime Process
- chrome.exe (PID: 3544)
- MD5
- 0962291d6d367570bee5454721c17e11
- SHA1
- 59d10a893ef321a706a9255176761366115bedcb
- SHA256
- ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
- data_3
- Size
- 22KiB (22684 bytes)
- Runtime Process
- chrome.exe (PID: 3544)
- MD5
- 00b982968a19d8caaf1fb864354edc17
- SHA1
- 4f9386bbe379617b438f919ca131fffb7a8582e9
- SHA256
- 111e62e1f3ecc4e3d9c086ac47c84b91ea4c4cfb2c158072517f1d7f1b45907c
- f_000001
- Size
- 441KiB (451968 bytes)
- Type
- data
- Runtime Process
- chrome.exe (PID: 3796)
- MD5
- 4604e676a0a7d18770853919e24ec465
- SHA1
- 415ef3b2ca0851e00ebaf0d6c9f6213c561ac98f
- SHA256
- a075b01d9b015c616511a9e87da77da3d9881621db32f584e4606ddabf1c1100
- 000001.dbtmp
- Size
- 16B (16 bytes)
- Runtime Process
- chrome.exe (PID: 3544)
- MD5
- 46295cac801e5d4857d09837238a6394
- SHA1
- 44e0fa1b517dbf802b18faf0785eeea6ac51594b
- SHA256
- 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
- MANIFEST-000001
- Size
- 41B (41 bytes)
- Type
- unknown
- Description
- PGP\011Secret Key -
- Runtime Process
- chrome.exe (PID: 3544)
- MD5
- 5af87dfd673ba2115e2fcf5cfdb727ab
- SHA1
- d5b5bbf396dc291274584ef71f444f420b6056f1
- SHA256
- f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
- 939bc38b-5102-4dfe-9946-b874a4e69438.tmp
- Size
- 1.2KiB (1244 bytes)
- Runtime Process
- chrome.exe (PID: 3796)
- MD5
- 50fffedcf87b73094e113ef4ac1a4583
- SHA1
- ae4d894433c7a73e2c4da3acbf43fdd7a97c8663
- SHA256
- 717e935ddef9d3a1057c4eac4e4c7861e78c8b3e670181e4c7801b043f818552
- 99024c57-2d60-49cb-84cb-8286bf550153.tmp
- Size
- 1.2KiB (1244 bytes)
- Runtime Process
- chrome.exe (PID: 3796)
- MD5
- f27be037ffe00c61ab31151d19193862
- SHA1
- ae7a77b6bf4e89caaa8dd442280f3feae0b2d901
- SHA256
- ea551b59a3971167106c1827455c992ef50957c5bb383519b79966de98a0067e
- Cookies-journal
- Size
- 512B (512 bytes)
- Type
- data
- Runtime Process
- chrome.exe (PID: 3796)
- MD5
- ec374470cc660c5e80cb25f1015f5c03
- SHA1
- cfb5ec92e3e8373f21cfab1999cfd1416b0d1cb7
- SHA256
- 5acf58e5a3b49c061921d0dc3742043faf5b05e5fe164f8135f5fa3d64a352f3
- Reporting and NEL-journal
- Size
- 512B (512 bytes)
- Type
- data
- Runtime Process
- chrome.exe (PID: 3796)
- MD5
- 54ce1706ca2ac835c26c6cd015b8a6d6
- SHA1
- 8a44cb50d97c31b3060b519831951ba7b24a52ca
- SHA256
- f11b245a9c93b85b5e4264631d43c5e93292ee5201127ab7df2e5cbd2ac6f477
- c21ea056-cfdd-45dc-9c80-3e229552787a.tmp
- Size
- 1.2KiB (1244 bytes)
- Type
- text
- Description
- ASCII text, with very long lines, with no line terminators
- Runtime Process
- chrome.exe (PID: 3796)
- MD5
- 50fffedcf87b73094e113ef4ac1a4583
- SHA1
- ae4d894433c7a73e2c4da3acbf43fdd7a97c8663
- SHA256
- 717e935ddef9d3a1057c4eac4e4c7861e78c8b3e670181e4c7801b043f818552
- Safe Browsing Cookies-journal
- Size
- 512B (512 bytes)
- Runtime Process
- chrome.exe (PID: 3796)
- MD5
- cc87ec18ae7475007cb3a068359fcea7
- SHA1
- 3e21de25a8af479bbcb276a7d6425e14f77b6ea8
- SHA256
- 31223ebc003f48e56bff1a293f05e7715719bb74d4983de4389acbe5d0d1fb40
- SETUP.EX_
- Size
- 1.5MiB (1540696 bytes)
- Runtime Process
- chrome_installer.exe (PID: 644)
- MD5
- 6213356f431f97fac12eae68c87d2c34
- SHA1
- 6526565a9aaf9e27d270ac836f40b27b44bd9fe9
- SHA256
- 3df6bc92a684d037e7d498e5f70c230a22daf0f941ee227d3d5c2b5d98d889e9
- 13390a8d-334e-46e5-80c7-daeb63231ca2.tmp
- Size
- 2.7KiB (2728 bytes)
- Runtime Process
- setup.exe (PID: 3124)
- MD5
- 100cf4d3d7973baed38ba85b0df8b65b
- SHA1
- 50ce3317baed16e80c323ce09a35b7ad4fbb4a02
- SHA256
- ba2481a3f6352b597646a3a9ddb5ebd607ca5287671901011f185a099fe899aa
Notifications
Runtime
- No static analysis parsing on sample was performed
- Not all Falcon MalQuery lookups completed in time
- Not all created files are visible for chrome.exe (PID: 3544)
- Not all file accesses are visible for ChromeStandaloneSetup64.exe (PID: 2572)
- Not all file accesses are visible for GoogleCrashHandler.exe (PID: 3564)
- Not all file accesses are visible for GoogleCrashHandler64.exe (PID: 2996)
- Not all file accesses are visible for GoogleUpdate.exe (PID: 1400)
- Not all file accesses are visible for GoogleUpdate.exe (PID: 2560)
- Not all file accesses are visible for GoogleUpdate.exe (PID: 2584)
- Not all file accesses are visible for GoogleUpdate.exe (PID: 2752)
- Not all file accesses are visible for GoogleUpdate.exe (PID: 2900)
- Not all file accesses are visible for GoogleUpdate.exe (PID: 2924)
- Not all file accesses are visible for GoogleUpdate.exe (PID: 3280)
- Not all file accesses are visible for GoogleUpdate.exe (PID: 4024)
- Not all file accesses are visible for GoogleUpdate.exe (PID: 992)
- Not all file accesses are visible for GoogleUpdateComRegisterShell64.exe (PID: 1316)
- Not all file accesses are visible for GoogleUpdateComRegisterShell64.exe (PID: 1760)
- Not all file accesses are visible for GoogleUpdateComRegisterShell64.exe (PID: 3364)
- Not all file accesses are visible for chrmstp.exe (PID: 3588)
- Not all file accesses are visible for chrmstp.exe (PID: 3608)
- Not all file accesses are visible for chrmstp.exe (PID: 3700)
- Not all file accesses are visible for chrmstp.exe (PID: 3720)
- Not all file accesses are visible for chrome.exe (PID: 1156)
- Not all file accesses are visible for chrome.exe (PID: 1172)
- Not all file accesses are visible for chrome.exe (PID: 1928)
- Not all file accesses are visible for chrome.exe (PID: 2028)
- Not all file accesses are visible for chrome.exe (PID: 2252)
- Not all file accesses are visible for chrome.exe (PID: 2668)
- Not all file accesses are visible for chrome.exe (PID: 2836)
- Not all file accesses are visible for chrome.exe (PID: 2928)
- Not all file accesses are visible for chrome.exe (PID: 3224)
- Not all file accesses are visible for chrome.exe (PID: 352)
- Not all file accesses are visible for chrome.exe (PID: 3544)
- Not all file accesses are visible for chrome.exe (PID: 3796)
- Not all file accesses are visible for chrome.exe (PID: 3864)
- Not all file accesses are visible for chrome_installer.exe (PID: 644)
- Not all file accesses are visible for setup.exe (PID: 2068)
- Not all file accesses are visible for setup.exe (PID: 3124)
- Not all file accesses are visible for setup.exe (PID: 3672)
- Not all file accesses are visible for setup.exe (PID: 3904)
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-26" are available in the report
- Not all sources for indicator ID "api-28" are available in the report
- Not all sources for indicator ID "api-37" are available in the report
- Not all sources for indicator ID "api-43" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "api-96" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "handle-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-1" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "registry-25" are available in the report
- Not all sources for indicator ID "registry-35" are available in the report
- Not all sources for indicator ID "registry-55" are available in the report
- Not all sources for indicator ID "registry-67" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "registry-78" are available in the report
- Not all sources for indicator ID "static-17" are available in the report
- Not all sources for indicator ID "static-87" are available in the report
- Not all sources for indicator ID "static-88" are available in the report
- Not all sources for indicator ID "string-101" are available in the report
- Not all sources for indicator ID "string-98" are available in the report
- Not all sources for indicator ID "target-103" are available in the report
- Not all sources for indicator ID "target-25" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report