hxxps://modmenuz[.]com/fivem/eulen-mod-menu/

Analysis

max time kernel
114s
max time network
115s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
20/02/2024, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://modmenuz.com/fivem/eulen-mod-menu/

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\io.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\va.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	msiexec.exe
File created	C:\Program Files\7-Zip\readme.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\br.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	msiexec.exe
File created	C:\Program Files\7-Zip\History.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\co.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	msiexec.exe
File created	C:\Program Files\7-Zip\License.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\th.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt	msiexec.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip32.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zCon.sfx	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zFM.exe	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.exe	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.sfx	msiexec.exe
File created	C:\Windows\Installer\e587088.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zG.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e587088.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip.dll	msiexec.exe
File created	C:\Windows\Installer\e5870d6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip32.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.sfx	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zCon.sfx	msiexec.exe
File created	C:\Windows\Installer\SourceHash{23170F69-40C1-2702-2201-000001000000}	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zFM.exe	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI726C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zG.exe	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133529308386958448"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\PackageCode = "96F071321C0420722210000020000000"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Program = "Complete"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Complete	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Version = "369164288"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000\96F071321C0420722210000010000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\PackageName = "7z2201-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\ProductName = "7-Zip 22.01 (x64 edition)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-820923436-2084397322-3365974649-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\LanguageFiles = "Complete"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2212	WINWORD.EXE
2212	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
3960	msiexec.exe
3960	msiexec.exe
916	chrome.exe
916	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
4252	msiexec.exe
4252	msiexec.exe
4604	msiexec.exe
4604	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2212	WINWORD.EXE
2212	WINWORD.EXE
2212	WINWORD.EXE
2212	WINWORD.EXE
2212	WINWORD.EXE
2212	WINWORD.EXE
2212	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 3972	916	chrome.exe	55
PID 916 wrote to memory of 3972	916	chrome.exe	55
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 3832	916	chrome.exe	77
PID 916 wrote to memory of 520	916	chrome.exe	75
PID 916 wrote to memory of 520	916	chrome.exe	75
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76
PID 916 wrote to memory of 4932	916	chrome.exe	76

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://modmenuz.com/fivem/eulen-mod-menu/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8cdb69758,0x7ff8cdb69768,0x7ff8cdb69778
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:8
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:2
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4972 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4880 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5096 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5032 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4712 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4708 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:8
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3156 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2924 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:8
  2⤵
  PID:2920
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5872 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2924 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5788 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4416 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4712 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5160 --field-trial-handle=1932,i,5039259783045353677,11291721903296500827,131072 /prefetch:1
  2⤵
  PID:4560

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4248

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3960
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4576

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4604

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Opened.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e587089.rbs

Filesize
26KB

MD5
f9de650ef51792d5b48e12f405640a67

SHA1
60834150d45eeb121f4f77638d7af2eeb03f2d8a

SHA256
d2c3104454e3929f0b907f300e702fdc199252603097d510a986869c8fa43b55

SHA512
f7075b1e9a23ad1c078ea50ecd7eeb2ee451da90a45ed5ce7b649a634af04490423b0dea438cef38ea9c1b1ec824a40d343ead2cb79fedce50d4cef5f62190b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\68d0cec8-0ebd-4ef9-94e7-10043f8ae2d5.tmp

Filesize
6KB

MD5
1137478e69d19b74ae136605f28cc4f9

SHA1
d898030acdeed0989c6702511b849dcf2abc92ce

SHA256
b384f408cb820aaa619f222480294925de6d74e8ad9370d2d0d00c4a6b94aaea

SHA512
7c0cd3b921a51e898cc47dcea75f61bbe2233a2f1af03d21ca8f607675c257af55eee0d04c3f44201f3c19d688d9b4dad4666c7e63b5de79088fdea3bd8367c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
18KB

MD5
531db07a6e1e5fdffaea27f9e6a1be0f

SHA1
e8c0bccd958b408f7127cbe19e62e69d16db179e

SHA256
a30d3e0a8f49b8bb9486a7643360c7ff9479a3d109c95258ef69ab706d95fb12

SHA512
1580e775789e19b9f16fb173848ca9d13aaa35625825dafe155893c6b2b28a8685f19e7191ef01dcbcaa8e57caeafa3aa19e2103b7ddda138bcaa34167553833

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
c4f07301bf49483c413ba77eb14f77f3

SHA1
80cc5d7c8dc13d9094f1ddbf74d44beed6ac26fa

SHA256
93983b2c545374c337faa7c90058bf7e243fb59c9ebba722abc72e5379a5455d

SHA512
7572aaa1b7a5438938e02f1b8c53cbd0615112affdc797a475f473bc92fae2753b86411d65f6329fae8123c7affc48a05035fd3adaf20e6ed9e4a42be519f876

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
a466c4a54afafb4cafef8f23210f6bf7

SHA1
c8adc1a88665c5d359f9910ebc9b50be21c78c48

SHA256
89c1bbddc689c50b43e570576ae67c58d22cd377fc7cecbc362c4f6440df2505

SHA512
4632e88c01bf102ec78c7dfb100e408a2427de1472324a9b8b0fafa2fed725fb26a90a680c62124ca2e767813455aab91e29115187005c6e0e9de63e3f6f7eca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2f8bb52d793470d8393647e52018a234

SHA1
531c194dd3e719dea396bba5cd3e36231bcaff1c

SHA256
f10f00ea102cac7d50fcdbfdab23274f52778064c9c5060f7bfede77ca32960e

SHA512
a2ccfcb87c8b80f4cba2df440d7f480b8574bcaa0a795ba0debc6816cd934d9d90ab9c13fbc052ca23374f7d09a738e023ed2f9321a7f347fa36bab3a09100fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4d1129cd4aad283764ba7dc6f79e2414

SHA1
ab3b9d3dab9e9d3f61b56bca76114c770323b9c2

SHA256
37fbdb69f179f0eb7e6b418dad9bbbf50d416ba80485f2f166a7b02bb281227e

SHA512
6b9c253ef3c0e8fd5de62fce90b4a70a7ba73c496add002595635141a31d47938da8e286184efdcfe36bdadb6467e77d44880e841646d055256f3e6c7e3dadb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
49f3d5a3f4b0cff0cd4b9244dc291959

SHA1
35809efb921d9e5d223db6e66a4bc0fa50e97250

SHA256
fe60ac17bc56708422b07f9c854d84c72a757f20f874e64c350e707baee01926

SHA512
8b1756b94d0c82fc264ef640bfa7a214814c3bdbe32c81f37e4f76a4b891dc90dae79a3678e18b5a494d7a6b3a6934d3ee6bce4487a8fea9de4d8a8238e53920

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b896a0b77cfd491439508f53ddc48bbc

SHA1
f0ba9fb9808c91fbad7f6da203cff811fb5e11b3

SHA256
5fb8324eaa7b23aec70376b97f8d277c3e0905f13747b34c84aa518f79c159d1

SHA512
9f48b83fc10ba0b1670c6074fd93fc5f72cc2d6bc63ece7f4eba20b28470ec0cdfc494ba0e1607453d1c42350da55f60b8e26f6bb03a25a633d4d30255b55826

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6e84c0f88c0664193c6a736d8df9af88

SHA1
19ceba5413be5e305c0e35efda184cc3686d0750

SHA256
9c5b5129f33483873e07c7f4e5904bd9fbaaba6360e03937d0d6a6a7f18f8404

SHA512
f3d977d86ecbb0cb12b1ad57dbeec3b87edd85d41e4bfd6e826094011a735754d5bdf7e0dd07c4ce48009f372ca8ba238a9190f506f299b8a15ece87ecc89835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1d20d078652f3b632764266777eb5e7c

SHA1
51a9369b74998e9cf992ebd99b72089463024eff

SHA256
68797fb2cfdf75398fd7208126e5d337da67f06662ae5a80a2889e7760fbfb8d

SHA512
864875297e271ab74399e17708b69abd29fb998014739dc8470a6c57411b909bde2271a8efc89c0f2fe2f85f07cce82029dd9787685e4c59c7b14858e14cf0ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0f47ec45d38b7c6b5707a7ac848f9aaf

SHA1
6a24d4cab8b8be2e8ba61d38b3b78b2a5006769d

SHA256
8f565e8e21ad0ac8205f6cea8f812eff5942ffc1644d1a09c45d2490c14086d9

SHA512
dbe84b871a633d85952b85a804a0ffff4b02e54f705c58e7bb0a2d310f891973878f63e88488e702379cf4d2f438ce304319b8d240fa4ccc73343f23ac398439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
132KB

MD5
12e56fa65c3cdc75df84a87bb9d5304e

SHA1
eaf0062010a8e52700557d14ffa64cf61c4c78d3

SHA256
1fed0cb887ea92152cd1a75a6f91649ea72657aa65cebde8719ef1bbb82c747b

SHA512
f3f40dee17b71593474c0fbbf87373f03ad361866a3555f5a4ff799fd1bb373e2c1e58731163e36f660dab7967156af4dbe2641c2c4534afafa429668539df82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
1708f23eb9515a821604f6bdb888befc

SHA1
2799268b4f78f5f70ff60cd29ec36ad3f72ab2d0

SHA256
b574c4b5252c8f60d89c11317d7d38f3a4099751ad06a891891cb2e73bdfddc7

SHA512
2db68161c29c1911b2b2aaf870bb7e28bd76e322bde47e0e332161080335d720e9282e3b16a7a76c9933a736567ab21792cb5639dc64bb97056af1a4d0966de3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
892a2f47ddc8ebcb8e33e2952232c40f

SHA1
97bcf07636b33444ab49fd03a1a905ca6cae0440

SHA256
aa2e203811366dc7d0a7c8fb895d25aaedd91e35e9939a020793c4f658389235

SHA512
720d28e6296326b8c80b01899c4a1c50e38d4a6b98196c42e54c74c6782c95d638e0e45548740d414c81639579be63be82bccb419b48cab98008cdca5766fdbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
595ca0992dbfd1834c2db88a0cdf6ecc

SHA1
c3e4bbd3ec91cbaf2ab43c5fe8d26b87d766fbf8

SHA256
c500d94918cdb50cf37f5bace845bc537fcd79421f176a6cb5867f9b1913ec83

SHA512
cbbfc93f645ca47b85d9106f933c6dd95dee7845b2a8143c1b661bee53e6b8b24471529fc1c8ad41b3835834d465be919196b75bb8adaa32d3f4b3bf4f606f77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
d672014f3ce9e44f4f17e428d0dcb71f

SHA1
aa4922e532a23e13314a8093612a8ba81cbf17f8

SHA256
43bdef5391be0597e2f7cc47bc7ac742cf80f06b45b75d117a729b68af9d48fe

SHA512
a9533ef6b1c39498f41133b95979a1d9ed66b1db6664312ceed9232929155269adb5c74c4fe53fe5ee9dbe5ffff98edb375536570079719527ba63bac73472f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
cb3671fc5e1a3a6a8de513997e6ebcbf

SHA1
94f6609fa0895c05e4cf04efa226c5901481ed29

SHA256
703fbf284dc4581de32211c835bab3198f455df14dc62bb131fc45865d1af90c

SHA512
c714d8fa9d7326e4f4f834945fcdf8d4de1a6356ed34c59a2da318fead08c30ed1d069d1ed15d1e225509b37ecf95b65db4324d208535a561dee7fa6be87a560

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
3acc4685742d82cc7f20c558a072ed75

SHA1
f462cc5027e61115a8823b1e73bedebfcb5dc20d

SHA256
e28337fb6ee820cf94485fdc7009494411487bc809dcd6a153b32c003380770d

SHA512
ce1f381dcf4dedf4dfa73632a09399d53ba6a24f144f7ecc51fb06bd5babf7fb4bc869e63fc1f3306b9bb41935109fdbb2a29089496485ee5f9c05eaae05b158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5852af.TMP

Filesize
97KB

MD5
3c251c3336cba76da4dabf370f5430ae

SHA1
68fd33c9506cbd82522850195950e692ce520caa

SHA256
3810599a8276d64e73d41939130dd9baab6fb2ac170ce811350165c10999c75f

SHA512
345f70e439b9ddd385fe8100b69e04c05f6436631ccd93926cad5a196b579b02f242dc04570cf9d87aa49fbc305534878e5b74134c56f39a26d1cdfacf390b15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
225B

MD5
f184cc45cbe6f8ec72bb8e2cfc9bf359

SHA1
98718a5d45f587d78a4f6416db6a01ff9d8dbb44

SHA256
d3e8807d2df288ff98ff781912021e3d3f852a00da47493526ee0cd7a985bbc2

SHA512
3610e87638ce554e794cfef98a12f2e3b216aa58fb54f6541c91330b4e9b465f8f691fab6099de6a99c4dd6294bc4a50ff181660ea0b9e0b56a1d58ca74bfff9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 510464.crdownload

Filesize
1.8MB

MD5
50515f156ae516461e28dd453230d448

SHA1
3209574e09ec235b2613570e6d7d8d5058a64971

SHA256
f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca

SHA512
14593ca96d416a2fbb6bbbf8adec51978e6c0fb513882d5442ab5876e28dd79be14ca9dd77acff2d3d329cb7733f7e969e784c57e1f414d00f3c7b9d581638e5

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
9.4MB

MD5
de66fa7a52bab2495e8cbbb2277e1451

SHA1
bc9bdb18532a8ffac32d3f48b19fe142dd366a2f

SHA256
39ba82eace4d06c29f107925d9d5911ae2e71e99a01886e71121844eb89874ed

SHA512
2f7e4b04c4188b6e32cc4d90832e455c6518ddad0f3da63a2f15607229caa3164563ec940ab8a227319719092617f146d52406214924c46135bb732ce17f883e

Download Submit
\??\Volume{f37befdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cb9997ad-ee39-44ac-a714-c5b93523b968}_OnDiskSnapshotProp

Filesize
5KB

MD5
0723357e0e3eaf38a94cef9d381171d4

SHA1
a150176a5e5ede42671d52cbb9747dfbfd12ef4b

SHA256
173a3f728a8cde11d21a3ef4ecfba7f990c6a077018b504b23b010bfb1eb1f9d

SHA512
9cbe7be0ed6163d4b881fc31e1627bafbc055d7a642c9283550348d12d4f67ee9a9beaa664fc495d9a8346f6fa7f275fb62e6ea410412c87f5cf9a16cfad53c6

Download Submit
memory/2212-404-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-423-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-401-0x00007FF896850000-0x00007FF896860000-memory.dmp

Filesize
64KB

Download
memory/2212-402-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-400-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-407-0x00007FF892D50000-0x00007FF892D60000-memory.dmp

Filesize
64KB

Download
memory/2212-408-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-409-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-406-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-410-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-412-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-411-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-413-0x00007FF892D50000-0x00007FF892D60000-memory.dmp

Filesize
64KB

Download
memory/2212-414-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-415-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-417-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-421-0x00007FF8D4410000-0x00007FF8D44BE000-memory.dmp

Filesize
696KB

Download
memory/2212-396-0x00007FF896850000-0x00007FF896860000-memory.dmp

Filesize
64KB

Download
memory/2212-424-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-419-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-425-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-428-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-430-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-432-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-434-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-399-0x00007FF896850000-0x00007FF896860000-memory.dmp

Filesize
64KB

Download
memory/2212-665-0x00007FF896850000-0x00007FF896860000-memory.dmp

Filesize
64KB

Download
memory/2212-664-0x00007FF896850000-0x00007FF896860000-memory.dmp

Filesize
64KB

Download
memory/2212-663-0x00007FF896850000-0x00007FF896860000-memory.dmp

Filesize
64KB

Download
memory/2212-666-0x00007FF896850000-0x00007FF896860000-memory.dmp

Filesize
64KB

Download
memory/2212-667-0x00007FF8D4410000-0x00007FF8D44BE000-memory.dmp

Filesize
696KB

Download
memory/2212-668-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-669-0x00007FF8D4410000-0x00007FF8D44BE000-memory.dmp

Filesize
696KB

Download
memory/2212-398-0x00007FF8D67C0000-0x00007FF8D699B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-397-0x00007FF896850000-0x00007FF896860000-memory.dmp

Filesize
64KB

Download