91bad06083437e3d3e68a7bd7b8083b29471b0f726d132bd951d029419c40e5e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
Size

4.5MB
MD5

93a45f6d531d6866942d8335a300ec3c
SHA1

6f2a394f1e301265c1238220e2cff34e603dda53
SHA256

91bad06083437e3d3e68a7bd7b8083b29471b0f726d132bd951d029419c40e5e
SHA512

f2c9e72a89f318eb063de3c40c53fe7714247782593a73158a0028d8f022493aa970f6e74467fa9c0e2247fd4a29f0dc5c9f701ffe5773cd7bd806f8f872a2b2
SSDEEP

49152:C+zV7GWhurl7KS43ktYEsFRnoAXWgsuW0+UH6qMnzohHixayHjJnS+Ze4GTRBq2O:05cktYEsFRjWgeLHchF4XuAR/Leg

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4568	alg.exe
912	DiagnosticsHub.StandardCollector.Service.exe
3880	fxssvc.exe
848	elevation_service.exe
60	elevation_service.exe
1100	maintenanceservice.exe
2024	msdtc.exe
1104	OSE.EXE
1572	PerceptionSimulationService.exe
1976	perfhost.exe
3260	locator.exe
728	SensorDataService.exe
3188	snmptrap.exe
540	spectrum.exe
316	ssh-agent.exe
4120	TieringEngineService.exe
2124	AgentService.exe
1432	vds.exe
3132	vssvc.exe
848	wbengine.exe
4624	WmiApSrv.exe
3184	SearchIndexer.exe
5472	chrmstp.exe
5632	chrmstp.exe
5156	chrmstp.exe
5132	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ed1fe4204521e136.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaws.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054e708173bf6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097ab71173bf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3ab0d173bf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000510e10173bf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003de404173bf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133689872570847917"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000537ad3153bf6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e36811183bf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3ab0d173bf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4584	chrome.exe
4584	chrome.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
912	DiagnosticsHub.StandardCollector.Service.exe
912	DiagnosticsHub.StandardCollector.Service.exe
912	DiagnosticsHub.StandardCollector.Service.exe
912	DiagnosticsHub.StandardCollector.Service.exe
912	DiagnosticsHub.StandardCollector.Service.exe
912	DiagnosticsHub.StandardCollector.Service.exe
912	DiagnosticsHub.StandardCollector.Service.exe
3676	chrome.exe
3676	chrome.exe
3676	chrome.exe
3676	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3060	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege	2488	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege	3880	fxssvc.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeRestorePrivilege	4120	TieringEngineService.exe
Token: SeManageVolumePrivilege	4120	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2124	AgentService.exe
Token: SeBackupPrivilege	3132	vssvc.exe
Token: SeRestorePrivilege	3132	vssvc.exe
Token: SeAuditPrivilege	3132	vssvc.exe
Token: SeBackupPrivilege	848	wbengine.exe
Token: SeRestorePrivilege	848	wbengine.exe
Token: SeSecurityPrivilege	848	wbengine.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: 33	3184	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
5156	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2488	3060	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe	84
PID 3060 wrote to memory of 2488	3060	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe	84
PID 3060 wrote to memory of 4584	3060	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe	85
PID 3060 wrote to memory of 4584	3060	2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe	85
PID 4584 wrote to memory of 1148	4584	chrome.exe	86
PID 4584 wrote to memory of 1148	4584	chrome.exe	86
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 3944	4584	chrome.exe	97
PID 4584 wrote to memory of 1168	4584	chrome.exe	98
PID 4584 wrote to memory of 1168	4584	chrome.exe	98
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99
PID 4584 wrote to memory of 4176	4584	chrome.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-08-24_93a45f6d531d6866942d8335a300ec3c_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=127.0.6533.120 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403641f8,0x140364204,0x140364210
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffade90cc40,0x7ffade90cc4c,0x7ffade90cc58
    3⤵
    PID:1148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,14950449375850456581,17571965818623109449,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1896 /prefetch:2
    3⤵
    PID:3944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,14950449375850456581,17571965818623109449,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2512 /prefetch:3
    3⤵
    PID:1168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2112,i,14950449375850456581,17571965818623109449,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2664 /prefetch:8
    3⤵
    PID:4176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,14950449375850456581,17571965818623109449,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3144 /prefetch:1
    3⤵
    PID:4124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,14950449375850456581,17571965818623109449,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:4492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,14950449375850456581,17571965818623109449,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4452 /prefetch:1
    3⤵
    PID:4836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4496,i,14950449375850456581,17571965818623109449,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4704 /prefetch:8
    3⤵
    PID:5176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4944,i,14950449375850456581,17571965818623109449,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4952 /prefetch:8
    3⤵
    PID:5336
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5472
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:5632
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5156
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        
        PID:5132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4812,i,14950449375850456581,17571965818623109449,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5012 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3676

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2388

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:60

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1100

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2024

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1976

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:728

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:540

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:548

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3184
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5196
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9b95484cf5c1c7980f3073fedb18ebf0

SHA1
bce93311b6ddb3df6b075ea3349429ba3f77c4d2

SHA256
8592d50a3b25ddc7647e479c6310f9308901ed41a715f4525a956c58a0752c72

SHA512
06a58b7651d59aec6ba894d7948f410f543482581af84941ff2aeb2677de117f845629b41385a2fbeb428c01e8366d35a484cdaad822ca962d2803dc192d5e0e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
789d61d03ab1a087f375d6f6f9861fe1

SHA1
bf2b794dab4979b6e0d4336cdc89f3514f1e7231

SHA256
72d31c23591bed6e986154b280c4004228270117e5c962ef62ed8c37a7dbf256

SHA512
96e35bbab60ad79ff44622a8b0ffd9f1fcdc0e7da9267baba0ab6e36df064b3ca7efd21efc466354dfa5ad25568d449ba0169e6c2a10ab8a65dcd8bb244d8040

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
689688124295870e6313e6e0e29cc308

SHA1
85a4acb559d534e5b1ab66e625e870e4da2491cb

SHA256
a662baf44c93bca2b3bee1157c83f72c3d9a9f79463d6c1bd21c728eb0300b68

SHA512
ef2e84c102dccd56bbb870f74bf0b040e4c86ed945fe7747bd3ceef3d173dd66e7b0b45e9256c9cc62bc5bd6a3ceaee0530d3658210ccc92c993611893ac26ad

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e6da5c5425aefc81a575debec20f08ee

SHA1
409c50d3bb8c13fc669221d06ce40b9979925fea

SHA256
b93b9572a03b7b131d4ed67a69c5131e42dd9f33c971c2faf0d261590d3a31d9

SHA512
3ed64777ba60f9a45bd963cbae5dd2adf50e4d0eb9957c9f960815d6fb5d5243a3e983d74ebe26d29b76cb9ba7ddfbb1ea8839fc44098424bb3a4e7284ab1c2e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7b3fc0eab5db9f751e5a16702da63973

SHA1
a3e34ac5260b4d3f3ef18ffd06044687e6e9c3ff

SHA256
dea6326f4d3f93577b2f3a81192976c5d226ea7025a700767c8404d8196c0dad

SHA512
892868ea6e8f698108ba7045edf7d2835e9c4dc17cad1c9cd4c6900317c5989d62aeefe7a54b4acb11525f8da44dc110b23748ff84871347342e2f14c0b027de

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f83a043a40a4ff29f2913cca72094185

SHA1
39bf86fe81b7572a13ad22b2e1239ac63cad9920

SHA256
d8977b8ebd5e9080da2e09731ff41d862cad0d75fbe882b973bfa0693513fb01

SHA512
e0a180003525382cc434efc139d02be40bab188e29dbdb81091bd1de4f3e3feb9b75e236cdd780c47274496af3f84cc17c9e8bfa287a4db697553a9037f4d5ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
9a7249c87f34d2e88fcd1df499bcd522

SHA1
3eaffee9863fa117cabcc5840eab2e552314b79b

SHA256
17c284e64931e726e89f88f53f3691951a3a8413d796aa9ef3c489b4f57bd1ee

SHA512
26366600d8fc156a3eacf33478da2a81821a4e9b4e81b3288519f64278013163f7e6ef9e9677d86292f3f1ec4dc8c42eed51c8ce7e16d7c862a498fc0496ed30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d5281cb4ee17616fda199be2b8ad8d28

SHA1
2f7a13b1a6b7f4cca35213c0bacf70c72b101673

SHA256
52e27df7ecabb9edcd8cd71e68b6a2cdfbf4640d1d196d48c40b5003280ffbe9

SHA512
a78e9e1c767f0094fc2b446a920436eeeb2bf0cf2705d786ce6b4d28a8d3292bda493f6ffad8e64331a35ca03517a8af431cc54f9ad43ecbe1e15e93de8d3bba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
8d54a66565c694c678e63fdca45741b8

SHA1
6e19ea69e3acdafae60df82a6f2986ded4dcbb03

SHA256
2bb23a80f4c10ec632a9d5feaf0dc35df9b9348300be1124ab86705208ace166

SHA512
4f857928ac4afb3fa9cae2da78a90b6fb39fb174750743ac3005a0d67f95fd169b554f434be8387eaada1fcba54737fa55b6b820cc6cacb649ffe1c8016d5197

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
44d652b01622b1e01da6f820857f1239

SHA1
b2fc324a5f0f0d72228a9d0c9de79b9b5433156b

SHA256
dad7511e6cd4d6155ce306c0458ee1a0b72d52af524ff1dd449ab2946f1c831a

SHA512
177316e23fa4d01bb87586212ee35746a22c64127862f1c08c739fbf0df6f2e0122f4c8f6f26095348f541e6ca20e9937c0e7b0c4b8bee082f480cbe49469a4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9a8d040c842c261189a97878959a44aa

SHA1
9c1b56c3ed9a3d3c6decb836b85466e6b919f6a8

SHA256
6b6d13520832323e3aa1c80c3d5c48e6b875fa07eccf28d8f53d32e1065b8758

SHA512
050fb4d9f58334949e4c6fcf9fc63abd08694c85fe516586646e24281e2911cade31abf8fb3412c97e9035bffd1008ce0f5461cf56f75d493cf47302259c743d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
43f0fa4afc57843234ed80f9c503cad8

SHA1
5830d9df3f2ad488026a9312179ef8ecb79c2f65

SHA256
256ff92f3bf0e8d12195401e5a9a7449ebb18c5d310ffacf2cf289abf6e96885

SHA512
5013655e2b3f70d1905ac3baaaa4878af0e795a5bb810c8e1c78d1ee005e2287149c48813c6ceb4e7802171116cea69d665211e8c5c6a9da71ede931c46e1d99

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
04bfc22542630b948f5b0a279b2a0f80

SHA1
9e9f87bbde45f12b82d82f161d4dbc1f37f5cb63

SHA256
a6d7d8a5822e5166fdd3926c657f350e1d8eb9677c00ee2726d54535e6bbccb7

SHA512
2090c2dc575b510eb986b273734b7f04db587489f3145da1853ba7dc0d3e2435c93bcdf203dad8589247a00e763e5fe51f92fa42dab7dd975bdd4a838709ec7d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
c571a0ede909454410f4d8fcfbe11a4c

SHA1
2f2798e0c0cdf4ff8dec3be7956eaabd46960da7

SHA256
1fa735d00db1e96fddf51fdbfa01e3e4b354d00c0ba219cd9bbdec9e316a994c

SHA512
f0a016a26d2717e7b5df81d10c746bd22d23e95614f260c9afd0f9621de8a31d6f1609b9e8e6a4cef02efade59ba8ba66b853ad21940c292300d19bfb2badd21

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
ede030b01ceb4d265ee49b6b0f8f79b4

SHA1
f3e107335d3e9e1f15f7b6ad7a39daf37a8b8112

SHA256
e84c90f64895e081602c04af8f3a0a75b3161f22d91690178f4f02944c1dda6c

SHA512
e05082773fd3c1ea7950cbd7a16b72b3ac55e6bd1cf0c1d6295729b53745308f1f04c86711238172dbe729dd1408b8d4a66db1d0d68e1966f281fdd51ce82cfb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5929a5bd535417790948cdb95a1375b6

SHA1
9ea1484d6462d3e1726a115255e855ac48be715f

SHA256
076cadeb5a1bf3f648affffb48ddc0daa2861c4a32db7712534da171cb58ff24

SHA512
80295f8783430050aa81aa16f096bb7d87168099e4adde95245fa163ac53c09a9e7bee1437e0aa7e4e03043630bdce17056eec124a18c3f50262e968b0532b4a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
0feccb7100a14e7d13d41a5f42259bcb

SHA1
549f012d62e369671b74f4e3f2e9d515609b62d9

SHA256
d44e9cd3a3bac4b43fd3a428b2a079dafeb3c3b3c58429c971ca793803dd3c96

SHA512
c5d3d70cfd7995e255b71e5e1aa96711ca0e5b48cfc5148ebe1d72bfa315559410b939bada0812687b6296f3b9ca48924d367ced83a5d56f792c138204cfe348

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
734fcd477c864b93ffa13ebde0d07f7e

SHA1
87ed3a56eb94cf46a87eb0b3d081c5132c748b41

SHA256
68e8209f7dbf597eb016c54dfbddb7d2033a6aea88e9ec90af61bd217d65fb32

SHA512
28d3dcd08daea1a719fdf1e5aa7c5e5c2586266d9b5c1651d39ff3c64ee63f4bbdb95f8d42fd28541cd0ed1481dca7d22a20069d1a0983ed2d91f6216276f4cc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
21ae669c046f228c628071fbc96c12e3

SHA1
ca323fa4004098f7a1007b98d075a9552cd6694b

SHA256
c377ce3f75ee45b778fb4b993e24cc8f58bf148b4d998e72797901507a032e2f

SHA512
66fbe21b9b173acdb3c339c358ca7cc5038c0eeacad882687581ea374b8722a6e7edaf442fe183c56196e54ab017761d729ce93c349c419f01b5eed03a77fc63

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
ca0ab26f9b8482733199fd4fcec3cdb4

SHA1
93bf8dc976aa10531d6d069c16074def5427f212

SHA256
d27a666348e5baf6f3c230658a68b896b5ad25511207a446f58daebf2b74ddfb

SHA512
06f8bfd8191bda34c150adba9c84a7fff5de55967a2a943c7ec51693cb3776b592eeab9f8227b3b9a81c66d2a733843f179323dc9bf096f2fc9895220ab744c7

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\e6e3355c-095c-45ed-80c1-1d9cd8051f36.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5e1af6e168516e330fd423c91912f04e

SHA1
bafdc5bc29aa0c6bcf8f7d4999b64cda1250d929

SHA256
f55d89dde111b70a6ce0167b52ea529ae6e9f334b86ce07bd9611586c166db06

SHA512
ab52cdd2201609bbe1c50a14231627d80176a73ed47a9d2736c3bb97e8bba38b0efe07ae3932e0e726954e40a1703504ebc4e38f7c282c17377b7c9a1a95cf5f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8c10675b496e1be8e39be95c6f43d19e

SHA1
582e2e1c5d510ee83c42ceddaf70f7779c90ace2

SHA256
fda758ad8ac9738f1ff7626f64b33e7dacc922668305b626297e552acdb67993

SHA512
a329e0abb25e644be133a8783df334476e2d0e411ad59e28453b31fb89a1a6491ed33e1a1b6ff2ad3e169ccf8e2a64e5bdafc0c989ecee9b692f754ed424a949

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8443833de2902fb02c86c846d732af84

SHA1
1ec619adbd182f18925bc38a333a548033d82c46

SHA256
973d5f5d1fef1a275b7a31bdf41d1d62181de8cd5796ca1be0a2f201633d3026

SHA512
0134bcec90cf79714fc69f3b4aa87f1e79d4be0fb2995c841f479c851ece54b7ea6f51f8878e9fab70425a1efbff089377406460bee893363467f6ad3c0cd9a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
abaf3b81ba981032b7d51d9a7e03ef90

SHA1
25000b6e29e808ffed349c166ba7275e0bfff16a

SHA256
c75cf00dd620f395aad60f6f1c45385ea77f5e867ab9e803d486b1d07781f61d

SHA512
06ccdf9d7df6c771e38ee0f2873a604c5ed7f26d39db566b3fcd5486ae6549d8ea7024911f640eacf607e32bfd9ec817f178293e3af9cbf2fa6aa227fda19bd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f48c125882ccb4b80933b46e1aeb1cdc

SHA1
ffa83e1bffc27d263db12f5e29a1ea6b99cbefcd

SHA256
278b6e13f9e17875f6559ebfb7cdec8eb6def57e72d90b6c9d3d55083b35c652

SHA512
1cbb6ecb4a024fe7f91bdbd84643ec297e01210e3d8151c56db146f5aa9eaf9beb82f116fc139ec75d782123757ab38b3d27bfd36592eaff484fdf85fbdcdaba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
d54c5e0c9e4fccf345f17b1cd78d6199

SHA1
caf290fc91c6ed3f52aec4ef2914d0bd45db6db5

SHA256
be75c27c6b53825384bb09e1613bd5cc357c7415f0e48c263d6a4e7dfdc7e4db

SHA512
97c0f6212d02bd18295d7bb983bf3e94739aabb8461147922f34bc47ca41298d6244dec6edd25ab5b414151c6c32a24efb5884a36cad91e4926fffbf72100bd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e61c67337e058a80ef02b6b91f2d442b

SHA1
2c108d80cef28cea7fb19bf2e3878dfdd7d17353

SHA256
0789cc8373226bc6876286ea46a535b0272563eb3e5a1a9cb339c867e7d7e304

SHA512
67fb0fef93253df77c4a8ac9184706a6de4b70ecc03cba51b5395ed32220ae76487f7322fd3841ca565714612630821c39a818f4903da75149441a7268a4da6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
189a2068c0b376123c401a8d869e37cf

SHA1
34344e8828d63bb838b043ca792982c6baef4d29

SHA256
e75149e665658216f31f28be2a869ec9f19a7fd367069cab8bddc99c9a5243a8

SHA512
3314a35e1807b28f5f04c3e3607f0afb115dbe412883fdcb1e176803ed24d4bce19a81b622d86d31991b3de8889360cbc3882efe49c998c9d2e075d26fbd557d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7257682bf31e4e32210dd2885cf6bab4

SHA1
34cc0740e80567babd119fe66505338e710a11b5

SHA256
a60614a74b3421b5565ba506f03c126e314109c5bfff93f8a4125b815e1d4cff

SHA512
b064ba42fb4bde6f233147be060a8846da4df7e170192dc91ade2abb495a4c5219dbf4fb6420af91f861ba5a50268c10cdfb7c7928d3630003f559ab9cd32264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
246f87411c74f50d8e0557ad6f8a1ffb

SHA1
72a020a2a74e614f64ecd578da6f3ce48ae56a32

SHA256
3ef240ec29091bf0de0b88e1d01c4318049b70f8fac081399f29da54a1c5ab40

SHA512
8824350b71aeb8b886288ad51dc7eb9e5dc2f2a272c2dd394a3fbc41a9f55d8c8021123899e9cb710e8122258a3e460157c9329d4399a58705031382a07aca6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
76a70130a14ec3f1656cfeb002f36bd1

SHA1
3c4e9823329be8a9389e2ee8ec12af8b857d347d

SHA256
3f7f31b343716ce58fd38df7d6c25dfd3dafe627542e5c609fe1d220d3d83679

SHA512
94b78714f9e3df546f4e88443a019e814c47dff4d5e9c2d81c640307bd00f683a883c26a04bbdb5f5ae656c154191df25b04e71bbc3f6d52b841f5e949d00836

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d8312e716345ff2810778c7d7fa07406

SHA1
3fa2015e852df7fbd8bf226f04c9e046dd208125

SHA256
0a18db6ed449c3ec5278ea5962380abf3b7477f89a7f3b4ef87c83e17b843b17

SHA512
8ec3ef42d2c6f46cfec9174c9d2499183a60f6386367a839332b0ec65fb851a7cc1063b7a34077760ad077724f50283a5353dd627a1391eb9e3b171ee390a48f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6cdb212c8f3aac33326558ae31e87416

SHA1
1d6e86172f19ff29f542770f32e0a624fe343e5b

SHA256
0b402a199a8f038bf36b13859fb3f6cebe69a2b3c3bd58768ba3e6a29bdc8683

SHA512
145989072233cc35e30ee00626a9a45f47bc1d5ecb7e532a9b14d9c44971357f4c48093bd92c3caa9b534b749043748065c9697e3829667b7c360cad6f769abc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
649084a61e8a88c75a9cb498b78f4753

SHA1
2bd863037c26bc54d066e7dcf2f03a9a07a3c1b2

SHA256
6a21e6880720e103b9af96ab1bb9244f0916d5db243ea4f8d7df2d51683808fa

SHA512
046a940e10445b383e77bdf7141f2270266a413a3b27411d685a56b5753bcbc911c288763065a36087dc6777766dafd779da84332107ee0981cdb6c83e12101e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57afe7.TMP

Filesize
1KB

MD5
ff1dbe8cfa92dd34d9bf9119c785a6ee

SHA1
d818c31bd420325232e69ec64ad9c8f3331bfc96

SHA256
675798f0351377aedc7fc5c3b5c50515d97921d4b527785acfdc375885196431

SHA512
8a11baedd653bb52aa87db761b99c675f472e56e53c84ab2207f4f5261198c40a7d7fbab2baff10b2c5ddd3efbd49ced5a8b5b01fd7a003dc4e22b8c3162cc97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4a5b6c6ba7dbaa3b23d52229daf097e4

SHA1
b4b2b9dbb978787364c7ef582173f787366471cd

SHA256
b9547beb91840904516b4925da9de76b47c092eb8bce89424f2e0890fe4352e4

SHA512
fe9c997ee93ffe3edbe84560522b10aa3ac71db295b1a00a2e5297dfbbb39257dd9969f0f5f4fb48c467ea30cdd2a2d4bd0e5452fcd6e80d1017b7555f7767c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
913c2ffa9271d146cd7358513b5d61a1

SHA1
ccd30c56dde7b1ff951ab915dc89a785c02fa0fd

SHA256
46efbcc5c5d6e2fc8d2a34fb5ad554204060d52f7a53a2819a026de9d2b83705

SHA512
29114e5cde42c284a112ef7d2d79a36e65c8d0cd187c7cfc500dbe3086dafa710e8f86111306b809d82321c4486c1384913988c1929183eeb52c40e729a54509

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
17f915801206a202c7d66d021e41e7f5

SHA1
8e8ad5a6e6016a10a260f9ee5e4878648475143f

SHA256
05a12c349dbe8ce35f2d331d7c95443b38495356db8caf3457542211eef5e32b

SHA512
b2e34b3efb6ec4c405f136449652a35328e764b76b9e193ce75907ff71d6e26187a2199db302b00b7cdf1c60112c70790c12d9619ac629306f701718ed574aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
890ff28b7830606aa0907423fc9d996f

SHA1
82ec44038adfe284dec59c87e25bd8bce5cf37ab

SHA256
833045053b4fa728657a9f8d8d36f879338cae50d667d9f7039263bcb44ee19c

SHA512
894ea8ee3dc09b9a3731017321c6474e36c05637ddd5366dc25b45ec039cae4d6f1e49fe3964319785ac59478be98565a6b5831eaebf27a631e7515be030042f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
8da1fcb606e39ce3c62bf01223bcc341

SHA1
0ed7a41b7f844c1f6fba87dc466f04288ab2dc70

SHA256
3cd8b4b9dedaed212a7362955c91ef8a338cb46b8b3c1b2bcb86e5c3c6ae8e6b

SHA512
f31268e6a818cdb94bf8c7aa7b084d26235ab1931c6097302f4f699ac5c9faeb4c84dc8ff457ce93109dfee614f6a24394d379e357fc4eb1f080ed388ada8ad0

Download Submit
C:\Users\Admin\AppData\Roaming\ed1fe4204521e136.bin

Filesize
12KB

MD5
fe6dabed910920eec164221d1f5c2aa4

SHA1
cf5013a68534f09b125b3fd760deefbf83d9a5ea

SHA256
3e5dfb0fd7fcf46f872159c3b797b7d44f9377d173e65c1b27702be94d2371c3

SHA512
93c4f74e74f82b4fc17e2c893c1d406fe686c70593c42278e2d30851c0ae8e5e701cd51e7a4abed3b479383279e23494f27b9a039c89dc8fa88dc28be17baf49

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c7e7244bad9229255569e952615d5137

SHA1
e7bf67f5927943694a32b88e17effbe51a2da4fa

SHA256
eb2bd89d37b0ea1dee340c187f293cf625f6849c07dc52f0bd4e03534be28516

SHA512
0ebf7b482cb2338894baf08f3013452cd221875fbc959ee11913ac42dd1a510fef751cd4f438ef3526f71342559c364baafde0fda2f1e0fa2cf4b33344b31793

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
27eab7d659f0727b20feb580dd5ecb6a

SHA1
23e6be90a9f8c56907427b590c5ebdcfc38311a9

SHA256
ab3edc6d8562f2efb44731de3fe3a921133a3e1ed0bc9abbd86d81cf9e42de7e

SHA512
80e3f5e22286593271f42123977e4ed36d8363019064408b43466a8c8f4e198924a312eef77ed43edb00ef34eefe5eb995af3cee49fcf8df2c4b81a7c71b17ac

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
18e9d9f366834703cf920a46101781d7

SHA1
173ae09468d26b0df66d9fd9bda2f5eb636d2c40

SHA256
d6fb7f0c0f8669288ed4bb61c9d3b3398664eeac27433588fc3f2d8bcb85f1f9

SHA512
7037347d908cc3e4cc64d814b0a8ad97b77b625772e6e980987c353b89237c3153ffd255f987920d28e24797b6d21eb0663aa37851ee09e11902062b35f86c4c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6c637a52be28f5b61d5e98ba620f20f1

SHA1
383a628ff8952480dca6ce3df800135e961bcb03

SHA256
06c4883dead1f5a3ea254ee43b6eb7a192181ac06d5805b450f506c09da535d3

SHA512
5873cdd0d411df9f6fc527273055be528de0778ce171287fe7c606d1bd575626867bc54d345aa00e47e5caf87e689ce5def36695ecd5ffd33d3ddaf4b542b098

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
56448e81484953ea723c825ba740fac5

SHA1
ee480f8a85afd02cf5d5ba0b30444d74c3203191

SHA256
ca596e581351eb7f89da75723f3a7eb0b345187357938caac75d8a6ebff8a15d

SHA512
03aac5c69421d6bea77ecec941b9bc5475caaf02774110817d2ca3dc91e5cbcba051ab383cf9d4db98dd91e099733591b713589a28ecbcb43ea51e97e9060a20

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
882ef8c7d27a66b1a68a6b04abf9bb94

SHA1
a39599ae2309802634a17e0996c0075f0c6fbe49

SHA256
8b025c374ad4cbef801451bda35326fc1ba8c58b75e9225bc248159267dc0ef3

SHA512
17a889876228c71b83aaaead145872168d70bab246eb442ec18d2ce6091877ce7d07993ce29b4bad426f66d1de14aee659fbb5929e1ea7b5dcc7cacce0c17184

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f1bef4ee6803b157715b62b908c38597

SHA1
3462f8f2b5d5c10db51130ee73247044918b2673

SHA256
55ac484d1ad09675ec1b07c3f219c2303a1634639657b82e230d13f1300e64ef

SHA512
c7191606283ba9cff5ffabcc0ad4f5bda73ec7e2fb7459827f2e260ed49e76fbe8abbd38c76bbafda29dac8095b449c08497ce236ecefe0d8a4cf5612fd584b8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
05df238f8a9722032a1b7ea7a31d5f2e

SHA1
6778ec04938c77f95915761eaaf2d3c97e08e988

SHA256
3ffa7c0e00683cccf277d19bac6f6e8588988441c5258ebe84abc4f18983c682

SHA512
9b1be698588076b181dbb2d9435f530f762deea9a872367eb83a7351ac2cd681a386bad6aa1f10f6156cdc211d0cb15de2e5ca5411451dbfe97c4294c6c03d47

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c0a01772b25edd43af47f14d5c6eaf75

SHA1
6f785788a8c94ecfa2f576779d35f53a52369afa

SHA256
4d1a5c20e6b866ec0346fed6e1c1d8dfe082ea7370901716c61fab1475ad8132

SHA512
d2fb13ee9ada20b870f45dbc9fde63582256c976f9214ce05096475cffc58bd24ae55d2b41601bb729388c97ea89f0cadac5c44af0c6e489b7d89870fd095df9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a9d1f4c80283d08b71866f2afcd3809b

SHA1
306ebc445eea9141d963ab315bd1848d95b5f9d4

SHA256
74408d600aab628cc2e2884ccb3f52d777bdb9ab8fd8b6f14542164a53dc51d5

SHA512
d54410ca43bba9233581f4a03149cfcc86de8d97906b2ac686220439720bca4dc7c39330e7960e9ba4be04762139aae5ff97259728594c6669ff38dbc5998b8e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4f54216d8cb9cdb97d948125f555b2b8

SHA1
64bc99945e47453d9b01ce11b0a41e5e721d3414

SHA256
e42abd0a5100f1ba0dba6a49c733ba0a91f3d006432f74b6ded6fee98d775b18

SHA512
9bb8a6a2b6ab4de86fe5a3e01b8ab275af2250323d134192bb6bb21e0a7bdcaa4a33f005d5e9a97157a6f3b0392b8ef7bd7a2c295c6988f96bcb4358e0cab9b6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ce5a09941b9e1431e7c5f19e71469bb0

SHA1
e690c042167b42ea6bbfb54b9f5aff76b65c472c

SHA256
31d6d28f2d9d00c2fae7977ef64c2b6f9f87e09278b2bc6fa0d1f6d5288a6626

SHA512
0b742d4894dd42faa174d1c9c5e2ab75c97a555cff7af9e4a0c8d94c3462f8c78257c8c3089e8445db210c7b237c44cc97e37e7305d84678702900909571eb0c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
f458b6c6fbf6b6cff85e3a6f470ae256

SHA1
33549063e2250ccfd8f12b7e36d14bd8ab3b519a

SHA256
f5727ea2a5bba872f7f735111049d1ca5d92248e28f926a532f4a4df761e0009

SHA512
94232358732ef9b447d4815a3d8a16373cffc06a6749db2fdb92010e98f20f0ebea8016fa762e5df747072cf31d2448bc0f2b46a44cbb1ac9bd5ade281a73471

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
9bfcff3a01acfb6a228bef34d052c598

SHA1
912af769d76ee799572552cfebed9bd7252cf5b7

SHA256
c6b8738bc71fa5dcfa8e43cbd310d471f2d3c64bf73e1a62d928a58c59b29226

SHA512
8e14072782920e57facfe38e8875191cd9c22bf12e73251e6a4cc4d7fb31b275e3688ef7b914cb76171c7a9bbd68a6d5c27a2bc3e3e12b8aea4ec97889134282

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
04775045986f16170fb6e6cc96427cf5

SHA1
789ced72c4c46359bae664c44580e87ec37c637c

SHA256
fb1e78be1d12c04eca7b278803f956ec8b94f746fb3c1902cc4edbf48b3e44e5

SHA512
6e1cb007151a17217ddcf64fd39f0c834ee0c29ce3e0bb712c033362d65ad19161cdb8a8063c157bba9a67ab61b8a80372cbac4a322e1d781d278124214475f5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
46d48ac236e5336117d887159f1fbb91

SHA1
545395b73ef68c4b05731969ac1017df9eb4d8bd

SHA256
97949f519a7b605c103ec102d859d5c3781299e49b8f1e69489e49c4ac70742a

SHA512
827f1fd68e17eb793c64f6ec8361b5a2fda96862b4b272896ba81b51304f01ce954ccedb5e7b93f49f5fb37a294b60e8491a96c4d83bbd1806140380ef262594

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3447fcae71a069991a2fede0b3f9ad99

SHA1
bc1809a8ac7dff90026c427a90b3fc68da883bf3

SHA256
719bc6426be9c262aa8a642f1ddc48ddc7f8db3ca0d41bbb4be35c8ee0f92a99

SHA512
7c167954b03a2da47835b5be48da00c1c1a1abfe006885a9f1c1406887dca60772afef6eb91bcd52fbfe451d1402c416ef885001db2038eceeccf9c9f269c8f0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dbfa6e5c871243efa883c58d75de225d

SHA1
89b7990c7c1ab3063155bbaf09d45215cee963c9

SHA256
2f297de3ea9ef5dee04cf5c4aff6b4d62598e3dec4789e67f111f16f57039cdd

SHA512
7016da40eb08cd83f33e683c8abfbb62a9e8dce7c25c96496300594c1158f3ac2b9b7a5dd4a9e1c90622219de21cb858131bac65150472d1020478f560cff86f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2ce7f33424c1ee07aa14323f55020bdb

SHA1
8f27d5ef63c7c8bab594cf8cffb11d3c8c5f7457

SHA256
9901d448ba6f5289f6ad223dd6b3fb8c3897793a3c64d52b5b177cd239806d0b

SHA512
aa3932b624bef19c1720243418255b2174ce040825b9889ede04579f44ac1e0214f315be354616f4a9c9766995fbcc4df74bc9ef23d58bd0b7f0b6329dfcc07d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
c4b7225f6ca656b09d8707019e7a86bc

SHA1
3ccf921ca8dfaea23e7ec13941c8a88d0f9083d2

SHA256
2a887e89ff8b137c07f60636c2c2a00ebaa6de4097ae514685844e628201b4ad

SHA512
ed72375461327db997b41df7e8891bcbbd9e243ffdf0d97152c6130be52841aae807169bc10039eb50f86f17af7f0379ca1008e7ac36a0d156e95fb0efbf1cae

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
0c1200a810e4f944f13e4b657bfebfb8

SHA1
149ffd4176a2b2c9b91620e04eeae9af2a81af8e

SHA256
7a5a65d36e4b860e190821e542f5da658b300ba746daa49b393268b0dd29984c

SHA512
2ecbb3217dc06334068b0f6c9b1b6149109183de060dfe76468b4504a07149705ad09a72a9a1b87db44bb6ea6fdeb837157b430c973a7146fdde94dd789ab57f

Download Submit
memory/60-181-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/60-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/60-62-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/60-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/316-180-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/316-410-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/540-155-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/540-375-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/728-569-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/728-138-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/728-208-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/848-58-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/848-51-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/848-472-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/848-154-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/848-167-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/848-200-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/848-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/912-41-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/912-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/912-45-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1100-81-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1100-80-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1100-74-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1100-87-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1100-85-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1104-101-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1104-95-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1104-104-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1104-191-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1432-452-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1432-192-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1572-195-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1572-117-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1572-109-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1976-125-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1976-199-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2024-186-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/2024-91-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/2124-187-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2124-189-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2488-90-0x0000000140000000-0x000000014048F000-memory.dmp

Filesize
4.6MB

Download
memory/2488-17-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2488-11-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2488-21-0x0000000140000000-0x000000014048F000-memory.dmp

Filesize
4.6MB

Download
memory/3060-31-0x0000000140000000-0x000000014048F000-memory.dmp

Filesize
4.6MB

Download
memory/3060-0-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3060-9-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3060-8-0x0000000140000000-0x000000014048F000-memory.dmp

Filesize
4.6MB

Download
memory/3132-464-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3132-196-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3184-506-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3184-209-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3188-291-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3188-142-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3260-203-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3260-135-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3880-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3880-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4120-418-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4120-183-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4568-29-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4568-124-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4624-502-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/4624-204-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/5132-597-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5132-467-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5156-453-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5156-481-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5472-419-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5472-492-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5632-591-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5632-439-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download