12f549154477c0a9d17e958d3936c66e2fb52e449836d5c7c1ba1eafd9a1985e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 12:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
Size

4.5MB
MD5

8ccb8230a30e9f05535d856f579e14c6
SHA1

78676258cfc26636c57b17ec4e9a6930358fad91
SHA256

12f549154477c0a9d17e958d3936c66e2fb52e449836d5c7c1ba1eafd9a1985e
SHA512

c19fc909a0128e9164d1e12c001ef223c82a89a25436b609f42030f2856d5d4e804513870377fb9ecf1ba01eb0afba5489a517b00af180925f88b15c92d5903b
SSDEEP

49152:z+zV7GWhurl7KS43ktY8sFRnoAXWgsuW0+UH6qMnzohHixayHjJnS+Ze4GTRBq2D:N5cktY8sFRjWgeLHchFfqGsQr

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4548	alg.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2972	fxssvc.exe
4296	elevation_service.exe
1896	elevation_service.exe
3804	maintenanceservice.exe
4480	msdtc.exe
1264	OSE.EXE
2448	PerceptionSimulationService.exe
1964	perfhost.exe
1456	locator.exe
3148	SensorDataService.exe
3944	snmptrap.exe
5016	spectrum.exe
2704	ssh-agent.exe
2608	TieringEngineService.exe
1648	AgentService.exe
4584	vds.exe
2096	vssvc.exe
4544	wbengine.exe
1872	WmiApSrv.exe
4084	SearchIndexer.exe
5420	chrmstp.exe
5540	chrmstp.exe
5632	chrmstp.exe
3088	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f911b6fc696f5a03.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86171\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0D7441D9-805B-4A69-8B48-2E7E818702D0}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e62389fc20f6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008eaddbf520f6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000036f1ef620f6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133689760360113243"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cd4e2f520f6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c70b6fc20f6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000daaa19f620f6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000420efdf520f6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000514af8f520f6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000036f1ef620f6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4540	chrome.exe
4540	chrome.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3480	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege	532	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege	2972	fxssvc.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeRestorePrivilege	2608	TieringEngineService.exe
Token: SeManageVolumePrivilege	2608	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1648	AgentService.exe
Token: SeBackupPrivilege	2096	vssvc.exe
Token: SeRestorePrivilege	2096	vssvc.exe
Token: SeAuditPrivilege	2096	vssvc.exe
Token: SeBackupPrivilege	4544	wbengine.exe
Token: SeRestorePrivilege	4544	wbengine.exe
Token: SeSecurityPrivilege	4544	wbengine.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: 33	4084	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe
Token: SeShutdownPrivilege	4540	chrome.exe
Token: SeCreatePagefilePrivilege	4540	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
5632	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 532	3480	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe	84
PID 3480 wrote to memory of 532	3480	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe	84
PID 3480 wrote to memory of 4540	3480	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe	85
PID 3480 wrote to memory of 4540	3480	2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe	85
PID 4540 wrote to memory of 1392	4540	chrome.exe	87
PID 4540 wrote to memory of 1392	4540	chrome.exe	87
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 1564	4540	chrome.exe	94
PID 4540 wrote to memory of 4224	4540	chrome.exe	95
PID 4540 wrote to memory of 4224	4540	chrome.exe	95
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96
PID 4540 wrote to memory of 912	4540	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-08-24_8ccb8230a30e9f05535d856f579e14c6_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=127.0.6533.120 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403641f8,0x140364204,0x140364210
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0x80,0x104,0x7ffe54e3cc40,0x7ffe54e3cc4c,0x7ffe54e3cc58
    3⤵
    PID:1392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,1797161508882536937,7033582930672102246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1896 /prefetch:2
    3⤵
    PID:1564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,1797161508882536937,7033582930672102246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2148 /prefetch:3
    3⤵
    PID:4224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,1797161508882536937,7033582930672102246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2440 /prefetch:8
    3⤵
    PID:912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2956,i,1797161508882536937,7033582930672102246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
    3⤵
    PID:2592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3048,i,1797161508882536937,7033582930672102246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3076 /prefetch:1
    3⤵
    PID:3612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,1797161508882536937,7033582930672102246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4592 /prefetch:1
    3⤵
    PID:5876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,1797161508882536937,7033582930672102246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3052 /prefetch:8
    3⤵
    PID:5892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1592,i,1797161508882536937,7033582930672102246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4484 /prefetch:8
    3⤵
    PID:5352
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:5420
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:5540
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5632
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2c8,0x2d8,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5096,i,1797161508882536937,7033582930672102246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4864 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3384

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1896

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3804

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4480

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3148

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5016

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:452

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4084
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5268
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
dcf3848f1beabfcea9b5a389bb612e30

SHA1
c3720f3b5c0828846bca9c8f35c8a8a77c24d8d6

SHA256
a05c9f060643d0b87835f6a63cc41d4709635c68368d425119063af0ceeaf90e

SHA512
e11e1c2a5c15d622d7a569038a012386432c6147f01225cd8c9713fdab7ade7fc88586ff5749d320b7b3b8f05a52cf5971edd93605ce6878c151ae09a46e6861

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
704ebda9dfa2ebd64767495d52399737

SHA1
54fa715c3cc13648fd6f6c5236bd7513a2359a69

SHA256
92615df2ef2e1889d23936ab696c002c99df8cdfd716ca00cbe74ebcb47d382f

SHA512
dff465fa1b5dbeeda0a2c6620193535f4b5d94426dcfb78da8187708ac72c27f1475a1073455e6c5ec3bdd869f1a802cd73ea1c24af3e0e7d03d4d6726f34e74

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
92052326ab6ff3daba1b146887985db3

SHA1
aeb0b2c7527c8c7fa91c4685569278282dc1f296

SHA256
dcfb9dff6cbe8b11031f78196049e23a8c93749e35f4f41e6b2fe94a0cd5eb69

SHA512
75000a9519968085fc8771861068ee9205623be4c87519d7365c7343e6afbbb459d0c1588f48f96344b3584a55176f7839c03e501987cd91b9d36ade7471f51d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e994d86fd09eaada009575ab7be3d8cd

SHA1
1fa604007c89cf4dcd83f5b43642b60973e44d85

SHA256
151677b70a050511959210855dc64829a641827fc61e551e4410685194a45f75

SHA512
74ce12a5ada8d7bb4424017169a6c72bab80eaeee88f75f34acf6414a067f0d2100c16489b80294df1281baf496ddb88d2df0ae76b9a87c91805c6a617fae169

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
86b18a281757ac2438ec85e926a3670e

SHA1
ba429d29eab9d4de505cd829784a90ae9f14a3b7

SHA256
5c60175d73724e216ef293ee67c4ff47784bc8fc52ff040f67c2668cb43e310b

SHA512
8beb314d05c174af11de9bcd0e3ce111a5869efa2ed698a34605c4936f3330b8bcc0f24d9e09aa666ac68da87ae8ae925e0e7e48442766e1fbf1492192d6520a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f82074a9162f01efb80dc6de9fd3ef0c

SHA1
ec47753390c9908b4a166314561348ba91c55e23

SHA256
efb30de0695981235a003a0a211c2d8b1e7dd80cc0d055b956d2922eac20786c

SHA512
8d64807262528a2a29abe7864cae0fe80d32a1fb6186d49057f2646b60fc1d8417cfe896d55b1a7f780db317732a7b3d8d88a5a295e7a65d7ad38befe991934b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
9ad2f2418052fb90db91269d81241f55

SHA1
a918f1385fbba9a44bb58e73db02588883bcc0db

SHA256
0e1374784732ad7c097811e54cc9a7a5b5530fda5be7c8de017c01adab00a7cc

SHA512
8fa8b94f5c97ff4c83cdafda4e8ccf803972de112a5c7387dd162ee072b968b73d8eb5e2c2df47dc87b7dffc268a583c63a88f9009bc5d5dcc0ea9d6e17b6713

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ca1c234050a88f568f2cf4026625dee0

SHA1
d6a7f0ad8a59c0b393f8f50fb0b94e6172ff0e76

SHA256
27d93a84890f931989175b699c9ae54e8b02a3a79405e9e18d2497c653133ba5

SHA512
b436050142777446f772cf3a78835bc7c8be37ef27bc46d87d679bcb1d96e5aca93b5606f326c7f609d8c49ec62f6ee35d185b542435d45af15e7e78eb98397d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
3470dcc2e57990cc8896aed1c8c97c11

SHA1
1408fe5bfa1aab54a3d500e357b486c774ee8c11

SHA256
b61de111a844a024bbd1170a66f13223d59747cd2af6fab16c8315f12cbe71f6

SHA512
8295668d22d643474c75329f5993d6a8571ff62c6231858af1f3e89ee5a3b6c2dfed35fba8a8d84be8c93bb5a8ad72298ff121b608ed2453a0fa6fcae4897a36

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ec415a63561a20400b6a827bfcfeef1c

SHA1
363eabbdfba9192c7fa3dbb219d464911435ab01

SHA256
d41bf5a3f6a89e5a5497f2afbbcb0382789cf5f9a5bb59d8400e2dfba36fc31c

SHA512
832e0a67122043134aee9193f69f51b8adb82c7d4f99d7e6e60e6c6accf8fa9eb06e7c1a8184fc4d80f4fe24c27035fb290aa6263e32e63f343fd8f27cc52b3d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
290e1c34af6dc0ab66c115f6a093a8af

SHA1
30d5437a1dfd68e22cd82f3d377d9c9b271e6432

SHA256
40835b8b7ab58a91ba57b451c83eb75d5a979495e3a2926479b61aeaa58e54da

SHA512
2ad78752f61cf7d6bc65a0342bc8ff6c660ef9860caad52f91a363de7607fb123bf1264406434df4a522f482ae673a6fb193ee3c1b6fe4715a315bde815c1465

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1e0713f0649b1e15af6fcbfe8f952fe3

SHA1
1eece0f166d1bc17868bb8b0dc569341f03ea881

SHA256
9f4e7e3a8dcbc808685fac74e7028a954c28ff46e055953a42498913d07087fc

SHA512
f955703b5c1d94ff170d4bd16ecc04a9cffe69c2a8b8f9e6c5a573981b1a198c80d747ecfb5dd9f3e7436a8bad480b275cc4422f5cbb89f058cb0f41bd9dc102

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
f79b90833643e03b0cc10d7317e10eb5

SHA1
6c5511ead7d784e291e96bdf0c9ed8760eeb796a

SHA256
91f20815498a42adafc9698295730c3587b285fcaa7e8cde259ba0c6e1d92513

SHA512
76c7b9a9396ef94eb5f232aa874d36fbb2ed051be5220ee82e0ce705f5c562dab2bf4f4c06e3619fa4eb1e5549feedf6965140e7f460898d3c43179c6623f126

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0bf79f9d404ceaa372a4ab71abf17822

SHA1
0eb6aa955f82b754a8ed86482597b383c2bf78f1

SHA256
30029095512aa20af09ef23460089e031fae75a773f4f6a929245fa38957a4c6

SHA512
20153f4221842775b1a5ebddf0ba553da7f513c9ea0bca3685cfa045ff7aa9186bcc9a42a0c01fcf04b1da4fa1a092fd4f86da6a1ec123dd7a19e25487934cbb

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
7e5aa4109d15ecfd7c800777bf8536df

SHA1
daf9a682a914271118ffacd309e494b2a85badb0

SHA256
905a21267d0d2781d4b381e80503c5151f9ad33dac3be6dca83f50dfb7cdee02

SHA512
7ff72305ba56d94f76c514667b49683e2f53c308b1313d91d632810823c6a6b2b7ef7313d58fd343b2bc753e875dc7ceea967f8eb5a96b64f4e5bd639a5154eb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
9970fca29c092df64aa305625e6d99cb

SHA1
9ea02b4c42171e92d3faa5a9ac8c616858d795b3

SHA256
ba94df0a3471828d89ec1af71927ae814d91b8f42b1b3df54094e7f5f182eb89

SHA512
c42a35b025b9d7aeadebd22bae28595356ce1a7a54a36f3e63281a13c97d9821cd514225b0cd07676cbc7c6c408d5e9a34e6fe1ef003e362d934093d78ba7ec9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
ec3569d688536f9609403f6e45310218

SHA1
894a2e0973877dc78a4134b636eb93ce3f20a8f3

SHA256
0161a4ddb15d6fd1d108564fdfd9068f1904b60c65715ffcc798751c3876851f

SHA512
3845feaaa23b5b744e38308e87f57b2c01798355b0b7e5b6af8d9bb01c5670697f58563e10b36d94e672962bcdcf6618ac890c9fd764ca01bc095b483a07cb47

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4a6d84075435551260e4fe4e09b194d0

SHA1
53e1d64a0a91976bc55e9dab8f9f0fc3231d045e

SHA256
0f30e245e85ad1c1dcadedbba1e688930c5474daf00f6819f98c746fda771054

SHA512
33ded166d0813efe327b2d2c1f58bfd1f7f878d64ea0157cac49364aaa6281b473e2b0933893da53ea0360b148b2695c44cb8056a816aae12264604c18af6b3d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
8921a152bdcdb20871bdd212161def8a

SHA1
0c62bcd89ea9fc9ff91850c8aa3048c9f3efed9b

SHA256
d16113fa325529e9e06a468619a810615acabeaab93f12f84ec5923bb4c3ab3a

SHA512
48b1db761dee58b2acae4faeb6a8c60289ca61833d5cfa1dc47fd72e1b8a85c4dac6a2aec0e680dd7ce59f0ef03436cd59e90c2073aa9e31caf58f3371a8f347

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
84fc3de29200e3d2229a34483d1938a4

SHA1
7b4d3fed0e2ce724b193437253794f295923c14d

SHA256
d30c8ff7717e8c99e91f91257b04c5df83672397fb889c716c4e77b940d31c80

SHA512
830fba7c1e5402521d7034f61ccc8418c187d68bbf6a57556019d2646915150d45a100e793ad44a244b3b3dd64e6df3e810ee48e5cc030a4a940f10f0d2ceda7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
2a16a4732e29e229e2d20eb710bfa498

SHA1
600deaf9b6372c0db05191a3c440ce8e714e1621

SHA256
5ba97a895bc1dd228d5f8ca6264993cffb1dfef1c0ec2d72b321051c792663dc

SHA512
a6268c9500dc878423698aba81173ab56e0522c18fa3559543be8cd12a1d2c1f47b502d3fc86ac1a661907d960a647fbc6bfbf00c30703d5c80a3db6192ebae7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7ab42df15c0a0b8654e5294b18a9f942

SHA1
9366a2980d2598d3910db745836f42661c43ce40

SHA256
0fac69d176e2a5e8da9d42e9385efb0e258e21f55e3fe875d826d05acd95d7a3

SHA512
106a553061b40827ceb32e9533bf65b80bd12bcf6a283216617bf28d570eec8f57f82bd3ddfc5a9f185aa1772decb1f502984ce91ba04ada70657ad117b410ae

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
5ba0248e4dec11bb29e109dfb602e2af

SHA1
71330a1dfe8a60ce6bc03d501e8eb8f72aed3329

SHA256
c422557c99a840b1cf94c10676cfa5dea8982069b77fdbc583bec84511b854a5

SHA512
36b1ef08981490a8a961b584886b99abfd67a4127703ddcd0c9a3948907fb4cd293d4111a394c6514dd7410e56283a7e41944996905f320e0f5f92e451a85e14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
eb942bdb6305f3315f94ae3c05f48dbb

SHA1
7674299d7f21d68d74ebbcb1de993f2c99ea6a1a

SHA256
e306a68470836c921619dbbd8ec7c697a25625402fc95add71250d41231787dc

SHA512
1509991d75b19506b3c4fbee4b75b5caee8e5f1ec7c810d4cbe21ef9ffc32b472851c25da616fcf8cdd9a4b4e57bc5625eafa3d1803f2e41c888d449a2972c4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a351db27d0eaea4e182b18614ac3d2a1

SHA1
c8df439f1c513aa0b8972d1ae00de40d078a83a6

SHA256
3b1422b04a263b03d8016c47ebaeb83410a7745c6c0fdcdaef1174e9777f47d8

SHA512
c76be18917268ac2a161e325cc241b9c813b3edef2ece0e3a6e3673ac788c5d43dacac0d0e16cf4c8f514c9b8bf4e2dfd3ebbefe58c750d1016f37826482df28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a5a5cd79c52bfc0e1f11d0f5359adc67

SHA1
1d4ebbd31d40a40a00d84ea126894d6c4bc64a9e

SHA256
bcb49ead524a91ff29cbec7f1c18573bd058a24d27daeddef6097069b39bf118

SHA512
ae23500be83ac4dc762ca4cbcd0eaf6bff708e5ed05b88471dacfd2f429a828a19edd9e834f800c502f50baf4161ccf91839ade66242dabbfd62967968ddca23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
df17649b71d1a6ba977c3e5f44b111ee

SHA1
98ab34c99b9af7f58d4d36461e48954e11d4bf46

SHA256
a9a4ee56ec6f7244ee986c17c8f6b42f7439fa09cdc200fffd86e52f3f18a17a

SHA512
a6d6986a831afc7cd2335aa86eee84756ba8a8a59f09a0ad994be13f524ad516838db0d5c0a19f3f916212eb9594445f3e4b20c641cab8a4af4acf7a783d0f06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
27d14214fb8873ffcee1987117fcfd9f

SHA1
6454b366c5bd1b8cf51703d705f873129f660f6b

SHA256
54a51b1586def331641ee2790dda17cc7de81ee9b4960ec31372ea0a1ee15412

SHA512
6cf7774fb745577086c172c4070dc19a81e55390cd6be78ea9468f4bd3befd12ce92d11c55d96394860ac6e8702f33e58a37efd4e1cafb678ce15d591f9ff6d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9302b50eab64e05db22b70b99fead26b

SHA1
c3096f4ae9cbcee9a0ca620e6a3e8a5e323295a8

SHA256
0ef6bf2bbc60557d9a181a8f87109276c0cdbf379a68497694672ae369e584c0

SHA512
f64e190fac40c492f756a348d6f04d2a3bb1b8242f37d636fa95e03b9a0d505eaf076803afbcad073e7cf4faaf8591075abf6feafba39e9adc2e9d5875723137

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ba0d2b4ef8dbecad82016722c12fb388

SHA1
21dfe1bb337f6c11cddd5a4e0078c72b98006852

SHA256
691a226d0e6cb816e9090e6191cc8f69d965f288ca7bfcaea871be828824b397

SHA512
79287dab52a674df42a71c1dca3ef6dc4240f7f56eea97c576c7c7c77867c3ceac193660c596ce96fc392668f70b5808d0b070924a0aaa19a03ef230222b6e9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fba388b8d0778a312c25655bca84b4a4

SHA1
60027fea96aee0017f2bd64a1dd480c46ca6304a

SHA256
bad58be65566e90c83758c8a602ada857d1577a7389e73967d8ba8bb7d2a0880

SHA512
231a0535f36bf2e36d755273346df17f63838bd55eb5770d211027c4f519626198e7fe3657bafffceb18ee7224f266367a24b12ed69b865334a0bd7451cc2d46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6be263fd37b5778a0fe6f33532db47ee

SHA1
5d49de54d798d678e570bf01c855b1739a373d5f

SHA256
62b61fd7424eae15012cd1b0a8d77e3eb850f1b3672f73ce1794889b4a4724b8

SHA512
49166a1109e9ad8547967f114cda493435c5eca197733d27c6b334b7eb5df56d03077cde034b0e52c937658732667e2bfb61c89906be20fc7d27bc935357a589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57cb01.TMP

Filesize
1KB

MD5
b77390e666804d2d4b63ee7d333869de

SHA1
bef199c56bdd8befde72369097fb517cae3e5653

SHA256
3ab6d2b4d9d99f7da257f2693bb90b05f5fc8a9bf6b1b718a4f080780df2a4c7

SHA512
915a5ba9fcfd7da0c355f4ceea7c23603176263f92d5d8ff9955785e79121e5c1c4dd222133c65e778b2f0dfe6dcbcbf5fda5622859c9b37832447a68fb0305e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
fe9511c69a5435a515e78c2dd7c35eee

SHA1
a3658765d8ae311158f3d6600474dc5b0fe1d13c

SHA256
5a6ff4c07124765b876c0d07ed16105676330e15cf8258995155487df294d1b8

SHA512
9a7836d6aa5eab292a1c50fff014fd0fc2e5a5883dd39007824d071bbe6da04343c42c7727085b903af01dd11f03248cbab883e75f4c40417c3e0bde32f85ff4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
625ebaf5ab49d7f16d332639d4a156c3

SHA1
1e286bd9c3043c3dc72c3d3f783d29912b9ea32a

SHA256
61066b02b57369f60780ccd6f45fd3e58f8d930c953aa0b3049b6eeee0d629a0

SHA512
51276ea92fc1c1583ee15c34cba3ede5e9c8f4c24ae7c01d665c56b58d9b1a38b77c3229dbc1d625ebae1c3903f0a5cf37f09ebc7e29b20f4f49a9164b6fb3ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
533015eed005890f1566f01f40fd90f3

SHA1
58fa2b7faaf941cf314fda9a4ea14210f69f29ae

SHA256
aded19df90a5f2910abfe308f49e12ef1bba4819c416329224578ddbf0bcc65e

SHA512
5c6f794a00c383c4663324ceb5360c27b11867e81a9277f241d27b2f3aef65c697a2c3e371ba8a253672e44a5176f9bc83f64928e26aabb812c4e77c1eb75813

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
000a1a36eeb52310752b1b27c174d400

SHA1
24bbd80cc348c6d10f2841a500ff9f48e4e1d989

SHA256
7b18ee98a9d63a4040e9e464c7d34ad95f5f6441c867f1d922bbc55440fda08a

SHA512
dcfb3e295fa4acbdffb67eebda5e8d632a46a1aadf4571613fb4f373cb15be97c7b8ba21557cf02cb0ecc1572be54a1dd7722e95722e207e9d45281fa55963db

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
b8d0a4c43e11ad03f8b2221a39bb8b3f

SHA1
eb0062128e468f507c977cf8055b42fc1b8952ba

SHA256
7566c20dc3ca5c6d359d6c37ac9a55f65ca2bf269f7ddae0bfdaf94394d072ea

SHA512
efd30d752796d7515de44a672cb626e5ae0e3e595edcf120c0fe4e410249167c5e0a446e51e7c2f74ab4aa060a21c6b871713811a4b68deda5c8afdd520edbb7

Download Submit
C:\Users\Admin\AppData\Roaming\f911b6fc696f5a03.bin

Filesize
12KB

MD5
f3512454212d297446ec4cf5c537bc6c

SHA1
35ff57d9f9e3ec77d907fa24206dafd3db40b95e

SHA256
26087f2755e5a05e48a7a33bd7f9906a06c250bf265148ceca9996ba4815ce82

SHA512
b2c0b2091cef8a35b24d32b916daad6912354d0c47a421cb75ae026477dec365140d22c3433601d0783b65daf43ba52ef3e17b7e5e666b627e310ce1895cc1aa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8025f27894d74341d65cfceeb417270a

SHA1
94ca0d1e0cf1edd473912793f130d1e6a86c5684

SHA256
cd24909099fa82c6784ff5c82875a27c18a92660b53ae5662f8ed4c082ce78cc

SHA512
2990c67d1a8acae020a32e95201a57495c8b430feb82ac732d0fcec058289b203ae5f45751d967b02bbbe584f2cbf92fc8e3e12c0a36e00827b48812b898570a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
93c5fd13cb82c22582b161320717fc6f

SHA1
395a1bbce9842666f49871629b83f9cb6140a9c8

SHA256
be338c454e513d0bee50476a054fe22123f8241ca73f00a8e78553b11176a4fe

SHA512
ee02d0c572ab653112291cb2a1a85376b6c370250cac8e3427514c588047efaf41ba173da307bdb8be09a60061072294003525e95063125169d9692d5cc0105f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
641a7022b95e178d6220e8f6a2a30f66

SHA1
9779d08fee470f19522005591c6a1eb86983046a

SHA256
a369705ef8d104c0619d80becddd08f8a957b0975d1744ba4c609b6b3599f748

SHA512
6dca91154029015e1edb42706bf6f4882ca8ade8f3769f2ce33b3221f0b4303aa542f87bfbc4b8b90a05caac5209843110dfa07db52521c5cb09a360c586d4a0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e5a80148208311550ff64149ecbedac0

SHA1
897fb89812bc1c7d18490f9476094db2397fb088

SHA256
6388275814e09f87a47b65974b4eaf9da658b85d8d8e97b0546909d83baa891c

SHA512
63bf43eacf2b53d1cf1cf2914f43be0f099ca2a08e36e483c91b001e67f42f56dcf36db2cdfa694ba14b91961e3a2662c1d0bc4ade76302e8c87c0e51aa5f8a3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f4399a2419113526eefb52707e3d6029

SHA1
8dbfa777707d3e0c1740ce9bb7000653674ea3ba

SHA256
3b6ee8be06016f164cbf5191ff59127a25583e4c4355a7b853f18a270de8d99b

SHA512
abed1c1969c8748a3406459b5e482b81c3676d5d56261147a39e6c0550f54b869b3b567f08e52f0bcc6dd67cb24a03c6c88711b76baa6bb9a65a1e3c9224d187

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
b0a24180be8f2392cec02e955fa6e6da

SHA1
1239b1a5e8c9528e9f5344243e38363048870098

SHA256
e8d1f03d6a668f1e79f0d61ee21773c58f4d47bc91f02c400690ae806d28e1f1

SHA512
26b985d235277abdea8a5714f912384fe1a7656f31b550bf05c31d952e24da14b980ac5e94544cb74c489473770841147da93c63b762978f952261c2af91e841

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
64ce30253895be14e7015249479a10e8

SHA1
6de0a83f42ba47f085067c4acaba247a0e821432

SHA256
f6f5c17e773ca93f1115a3000db8a56609bd1cd125f0986c6f1a661dde9af605

SHA512
40ed831a51cddd7f7631e0aad800451cb36e322c433ad24dceb7babb3eb89267f3725fc285faa86936231517cefcefdc754625208465aa02dfbc8af0defc8be6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1ed68ea98676f669a14f095079c1013a

SHA1
37e21c30ec42b5ca2dcad10668d4a25008d2b216

SHA256
24ab559bfada76eabbe1b6fce6086b94e04c2da575ce4b317e4b0c6b500728a2

SHA512
5818e22383caef638e317fa5fe63d84b7a082c25bda447d1984b4e8ea244f08f437bc363b05e38aeac81c2ca8c2c2ca434d9d27f83504135a8d958293f7c76e8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bbdaa68de924deb4be388c2056a23a45

SHA1
ebd6937c5ff696558a16e3b8e239b3c1fc727bb0

SHA256
2a5d0463bacba26e45017996b4806053c6d96dfb9e0a300d211218f8b7751227

SHA512
bfc6dcf2f76539bc76c618f0216a43519d2f6cf2ca10b8fba1f75e46d75ce5a51b3a133c167d28d422e4fe77e626c2890c36fb6a6e0e9cfb762920741bfc2f82

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
aaed3c4f308063bd9d47912c696046e4

SHA1
619d0287953514f8bcc73a2fd60cb5b0967d1102

SHA256
24852c7c9693e62b37076c9adb9dafb017b1686ab2bf98c3aca27a19a916a05b

SHA512
efa3440e72caa7e46bc5f0a6a2980c0f72e07cd4447d79d30fb733de2ec5b97e6d9484d20953ebc0223c538f4d292fcba4a153164f9e715886a2b219fb4123d0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0195661136f6bfe11cdcf055ea68cbb4

SHA1
e6bc4338f3dc6a0351740701a15094564dd4535f

SHA256
3d535267ab9a36a4503fced13c5687853f929ba4370bc910b8bdbcd3a0a5d0a5

SHA512
5811b73b4beaa996db74595487b99c9bd7c04ee2cd548ca3d39d7747998492d0025f0382c3eea375b1ba5d012a63fc3c2465e9860a582b536299136098e57bc3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
24349e11b13259a6e64f0cdb1ba97334

SHA1
297658fd55ead14111204b53f084582fe4945bcd

SHA256
99ec30839efad6149351109c785a3a20bd9ba58c0fde69ee2f1e38b74f64e685

SHA512
29257cda694abfff0ec917703f813297e1aa135571673b0e187c3143aed955ef8631e27905b4745bda68a3491a15dcfb901dcb932f6c25b0bffa5f85e11c20d6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4db9f2cd375075e5375b667b4c90da88

SHA1
73518d1b481f5a243d3e6f440822238eb791611a

SHA256
6985a5bb1131b7b59a21f36a08c2fdda620045c0c9d4f5bc1e2bd2436d3c66fd

SHA512
8ccbe4a40d1bf9508fd4c33bb478b6d4f3044c88c54b1716c50441f32a15eefe9f0da71fd1bf5091897747808184c3465629a7d2061a96373893dffc0c8b6896

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
789ea5cb83b98d83ec2136e815ba8fd1

SHA1
ef5c172fceb8e199256061e106d1a7bf89b3f19e

SHA256
9074a1bf3eac3c2cf1bb665b3b464f22cc1dcf25d92bdab15ec71347b079b5a1

SHA512
45ea45196ba7c0c6751678ab723e1fc00c6c36ee214954d61244f3508ca5b6d9f09c0994000b61589b8ae881f08312be86c5ff9b0cb715342e93040200428927

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
17227a92559d5c7e88d46b88adc35235

SHA1
b7b74e05dd0c15619c2b608cea859d40e3a9cacf

SHA256
102355ee47f6f9f61661a0d31df9278f15b1839d86ea6cd7333c7c55d436dbce

SHA512
099e12a9b3e84175b444e4fe67ac3f3e74d9bd198c0247f1faf2c419f0a06837c10f0c9f48e844c770a9321906c62b443a8c8a09b8da8f6435bec4f2aa48ffbe

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d5845fa9a136f1ecd89a8ffbe4a68c73

SHA1
ac1a103b2bf18983c35549d4810f86f6993f2723

SHA256
6e5a66f9a3ccfb6200721fc89ed67c32c28c63637c2f52390edf26c623ba3042

SHA512
d562d2d028bc19824c710b76b8c4bb765b7673268eab27954946c5ab2d670d8849e41ba27deb69c6d3a4cf7e1f6cf483ea64020e1f0a12101d9d9fba05a9e426

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c1b3e4b0f1747a54b6f82baf26318e96

SHA1
b0f41ec8a04582047a06838521cadec36f2fe1d6

SHA256
4e118fec4a6c56cb59479159f8c02335c551ed4b22920bc4de21faa8cc17cd83

SHA512
0ecb8defd516cbc19c79e95930b445c94f540a3d386d8766beaba93aa030151ab6ba37703567a17342a932b137a1546c699e7e5d3864e8d4188051cc74fe394d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dbb857fed71f865b39492f695e906b57

SHA1
a614158b3c349c3cc6fb35e75042d4da0d08f49b

SHA256
f214dba020cd5437209f28dfa93b0ce4a1bb31a4e4e14e15fdfa3af22f4acaef

SHA512
b6a7cbec659989975feb0af0b7acb5b07bb16991ecab4368c46ec4a4808744a0079df6d52d2979958feb6f6d12b68f4e02a6e1d4cada672bd42cab9b821f958f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7dc6a4a7d69c5e8bcc78e1191855cd34

SHA1
3376e88d71822c1862b2d709a9f98f722c16f4f5

SHA256
124be50f220e25c3e4dca0e328f454a2faf31be8870d93612135c31814fbbfc9

SHA512
eaab75843dbba45cd50d0c8ee05f70d36cebe08d46fedcb9c3129f0db5584abc719b4c70f544d7751edc5e7bc1740d6adb092bc3ca9483278a3cf586846e8cdc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
b8ca3e32c69d47ea7e54dacce04d2a2c

SHA1
54150e5799012765ef4b856a2aa16acd9d503e82

SHA256
b8ac60a10df149e33aa1801562003d10b89c057c89fff00baac20262c700105b

SHA512
43d051b3ae80e175069358317ae861048532f9c866865ef84911830e3f332b5d08c2c8fb3096f3fe51d74ed9b36894beed1fb23e63f8e25089d942f5e718c720

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
69479c16cf64343e7dbebebf46c8e405

SHA1
ca62f5ff6f4ba3c7a0e437fba6e487a583a590eb

SHA256
fd441d99ad7028425aae22e4fb3cd476db50c2901383b936ccefa3b035751083

SHA512
ecffb7b41d314ae99126004fa28d4ee4c990a800a5071a72f695b6b21d6ac8159a7a1176d01012e7b2cbbec7a6b3dc3aac7fe312d72ce1d1df009f407cf9bd1f

Download Submit
memory/532-21-0x0000000140000000-0x000000014048F000-memory.dmp

Filesize
4.6MB

Download
memory/532-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/532-18-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/532-95-0x0000000140000000-0x000000014048F000-memory.dmp

Filesize
4.6MB

Download
memory/1264-195-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1264-100-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1264-106-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1264-127-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1456-206-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1456-146-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1648-191-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1648-193-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1872-506-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1872-207-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1896-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1896-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1896-182-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1896-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1964-199-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1964-128-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2060-45-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2060-46-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2060-36-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2096-446-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2096-200-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2448-134-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2448-110-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2608-183-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2608-414-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2704-179-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2704-397-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2972-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2972-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3088-541-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/3088-469-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/3148-512-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3148-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3148-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3480-29-0x0000000140000000-0x000000014048F000-memory.dmp

Filesize
4.6MB

Download
memory/3480-0-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3480-9-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3480-8-0x0000000140000000-0x000000014048F000-memory.dmp

Filesize
4.6MB

Download
memory/3804-87-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3804-93-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3804-82-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3804-91-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3804-76-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3944-156-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3944-353-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4084-212-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4084-513-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4296-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4296-52-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4296-58-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4296-150-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4480-96-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4544-203-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4544-459-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4548-145-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4548-26-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4584-196-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4584-433-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5016-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5016-375-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5420-503-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5420-421-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5540-540-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5540-442-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5632-456-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5632-496-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download