1c3eabc20fcbbc87a7ebf0509c21ca67169453894ee059570cf4465634296ff1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
Size

5.3MB
MD5

2e2b567671fb86b7e5ebc9a1d0c47f60
SHA1

38eb04703704a6ad50168984c22c386594ce63b3
SHA256

1c3eabc20fcbbc87a7ebf0509c21ca67169453894ee059570cf4465634296ff1
SHA512

ea0df4d0dbaf0e67972128f1b6dc6a9be4e85c307aaeb28bb2b0daa39639ef0d6614982efd171e9003aa7e163a993d41d06b7ae84019979cf7430350c394c3fc
SSDEEP

98304:zLXClnwPWrDSkYg5MHKO6HCD2zo47wRGpj3:ClnwPiQg+12zokF9

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3612	alg.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
2160	fxssvc.exe
1716	elevation_service.exe
3036	elevation_service.exe
2584	maintenanceservice.exe
904	msdtc.exe
2392	OSE.EXE
3848	PerceptionSimulationService.exe
4932	perfhost.exe
1216	locator.exe
5036	SensorDataService.exe
4508	snmptrap.exe
4004	spectrum.exe
1404	ssh-agent.exe
4476	TieringEngineService.exe
3928	AgentService.exe
4272	vds.exe
876	vssvc.exe
5156	wbengine.exe
5220	WmiApSrv.exe
5324	SearchIndexer.exe
5124	chrmstp.exe
5508	chrmstp.exe
5704	chrmstp.exe
2364	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cf78d797696f5a03.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000877cca40dd02db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae3fee40dd02db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac8fdd40dd02db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d53e240dd02db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d7ae940dd02db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051fe6e41dd02db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005143b040dd02db01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2660	chrome.exe
2660	chrome.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
6004	chrome.exe
6004	chrome.exe
6004	chrome.exe
6004	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2492	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege	4936	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege	2160	fxssvc.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeRestorePrivilege	4476	TieringEngineService.exe
Token: SeManageVolumePrivilege	4476	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3928	AgentService.exe
Token: SeBackupPrivilege	876	vssvc.exe
Token: SeRestorePrivilege	876	vssvc.exe
Token: SeAuditPrivilege	876	vssvc.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeBackupPrivilege	5156	wbengine.exe
Token: SeRestorePrivilege	5156	wbengine.exe
Token: SeSecurityPrivilege	5156	wbengine.exe
Token: 33	5324	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe
Token: SeShutdownPrivilege	2660	chrome.exe
Token: SeCreatePagefilePrivilege	2660	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2660	chrome.exe
2660	chrome.exe
2660	chrome.exe
5704	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4936	2492	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe	83
PID 2492 wrote to memory of 4936	2492	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe	83
PID 2492 wrote to memory of 2660	2492	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe	84
PID 2492 wrote to memory of 2660	2492	2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe	84
PID 2660 wrote to memory of 3332	2660	chrome.exe	85
PID 2660 wrote to memory of 3332	2660	chrome.exe	85
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 1540	2660	chrome.exe	92
PID 2660 wrote to memory of 4016	2660	chrome.exe	93
PID 2660 wrote to memory of 4016	2660	chrome.exe	93
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94
PID 2660 wrote to memory of 2380	2660	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-09-09_2e2b567671fb86b7e5ebc9a1d0c47f60_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2ac,0x2dc,0x140431148,0x140431158,0x140431168
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffebbdfcc40,0x7ffebbdfcc4c,0x7ffebbdfcc58
    3⤵
    PID:3332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,11935607960098312385,10585441866753899881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1944 /prefetch:2
    3⤵
    PID:1540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,11935607960098312385,10585441866753899881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2196 /prefetch:3
    3⤵
    PID:4016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,11935607960098312385,10585441866753899881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2448 /prefetch:8
    3⤵
    PID:2380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,11935607960098312385,10585441866753899881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2912 /prefetch:1
    3⤵
    PID:1544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,11935607960098312385,10585441866753899881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,11935607960098312385,10585441866753899881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3760 /prefetch:1
    3⤵
    PID:548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,11935607960098312385,10585441866753899881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4732 /prefetch:8
    3⤵
    PID:5628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4648,i,11935607960098312385,10585441866753899881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4936 /prefetch:8
    3⤵
    PID:5864
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5124
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2c0,0x2c4,0x2c8,0x29c,0x2cc,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:5508
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5704
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2c0,0x2c4,0x2c8,0x29c,0x2cc,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        
        PID:2364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4400,i,11935607960098312385,10585441866753899881,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4748 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6004

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3444

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3036

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2584

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:904

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2392

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4932

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5036

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4508

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4004

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5008

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5156

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5220

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5324
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3880
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
834dbcb22ebdc6850112213158a695e0

SHA1
7d8ffc080da9e47e124aa9c0e615bd8da63f852e

SHA256
c89a9fb9cf45a6a38a3724aca04aff85a8ea094b65b6888a4a7a2e0b4a639589

SHA512
ee40e5d2a1b964c59144ff6d9003182a75882cea17e97a005cc141548915dfaf82bc3675685d346dd1a45177483116b157c28e2ba0d5c085532e6f341b6730bc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
24394a32292f0f29a389666987db29db

SHA1
ebd48cbcc718524f0f1c8b03e93d15f8a384c811

SHA256
711541aa4e5809e5895800829c94a71eadaf91d76c94d9aaeb7d235b1b409361

SHA512
bb2a845082fb7840ec28875bfe7287f108a68d70272d033a68bebe606f59e633ad9f6b579093b43dde8213229889b929a03faf6ec6d1dc608486da7b1080aff1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
56027a13f0ec07f1bef6b0d657d8cda0

SHA1
84a78bc3f308964f11962ec5652c4f76e7f5a7ed

SHA256
5aa628eecd7ecddbea63371c903af303f1340aea554a771802939c1424ea3ac0

SHA512
d25a10ebeb76ae6245761c561e5e4396955492e916796a890c6b99a38a48957bb174d43a9df5dacc5e6c5e9ffeddbb0b72ff58a4cfd05ae91143c04a6c2622ff

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fb72517bd9fe3d9a68694b98e15379ba

SHA1
069e3eeb1ec5578ba4d1ded4a9bca0d34f79e2f6

SHA256
054ed6695bbf03258160e9b445f27ea076ed27abf82b5fc4912af2a38c2490ba

SHA512
e1c829ca9cf50fcb5e4c590e3f3a3ae93d0ba53e423ddd27c56a3ca642ff63d53120791c99407d8baef40e211a2cd2d5dfbdb87267f6e3b8508080ba1e9f13a4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d48a7fbf961a2fe30cc25af34ecc140a

SHA1
c7aa0b1b5c73b6af2cf46bc91bc72f2377874b98

SHA256
77e2c011cc6d93c9681e682cdbc0d4a1c25ac689673c688a3f24bba0e48513f0

SHA512
3301c2d22773423a57e233633a200630c71f4862ec5531bb527fca25ca49c387f71c0078e5f492091e7338ce93c95b67a21b204ac921a5340f377ba5f85a551b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
dc9e175ec8df89072979020b7b9483e1

SHA1
8b655b7867c87f5625fdd201310fb1805b4c51df

SHA256
601156fda75cc572adbcf1d1087e424ffddfd1efff20d8ad8683ec99f14b1a0d

SHA512
214bc52b25f15824f0dc3c85239f376f75b5a702b559ec56b9fb8d158b14044925964be443ec98cdbcbc15641ffc54705e138b7c00b9a271c734142314af2ae6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
fcb8c04397f41b90a9e56e6e27888bc5

SHA1
932f494ae7a73f01c152f785b7c7e82b5b605814

SHA256
1ec72488d0b501235ae62805fb12f48a5f450b89460b25649929031704932a0e

SHA512
8e152419740c3d6f7e9dee677f3b02673464ba054f7f0b9751ffd3554ea9ef3859447048fb1bba2cc506ea861c6926b10fb525fac399870b8a8f451ffcbb14a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f7ed41e586aeefd2ca7180e27a344817

SHA1
f94daa100634cb58b195ee98f2112382ce2dcb94

SHA256
7e0d219dd5d17e8bc2e08768d066fbf185a7f5f8274d5328af507f12c27c9688

SHA512
0d39fc71473cb7f0a6b0eb87ea625db791ddf91145ac594b17a5743fbcaaaf066471f02c5246ee17def7ef49aa9f03dabc96f48d3c963805d7ac0abe142368d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
fffc01c424ec4546562aa87a8b53b579

SHA1
68d338f84f0832c27d02dd8b1500537ef93f7050

SHA256
42094b5476171f41a4f3067e3f63b1a5ac223c2a4ac50eb97a287c60931d15f8

SHA512
5763add7c5bef484a65921a0cce0f349dfe479da172f6782665626aa13a2c5c62dcefc3cbc46ee283c9658927155c45a0923209a41cf3470f2e067bf935b8f87

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e96dfe1aebbd1a2c859377e6ccc50287

SHA1
35ca6a614f68564f4adaaf5c7883193fb0230e1b

SHA256
c438481ba401fe8165e441365d0d5bd93c1fa32325d002ae2efe21c922bdd34d

SHA512
d0f88e74020831cbad33e8a456b3e3943770210bd31d194e5ea1978227fed0fe9b68b0b44a2d3b8375bd0d4bca55d60e4511518e36004599b1fad190f452a0de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1e9c7023d01a138c559e7c99569cb035

SHA1
d09f619e936c2ae3bfa09f93f75096670b564e85

SHA256
4a2f4338da2ae4759912cf0ef552cf159a7f2d46d7b9a49ef0409c2f291bd359

SHA512
7c9c6d1e4b404ebb2fd09a58a5b1bd6c41eafcc4c75bca076d8e34c03d66c167fe4af5f6a9869d2ee2f76aa75aff166f622ddc733eb21487e97a8de3e940dbb7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d0f0eb7efacead58a1731e1b6d8cb70a

SHA1
ad212bbe08109013f8a13816b5567f37b4fecda0

SHA256
9d20c73584f365f0f95bbcebe1af09c41f51ee18ccae24f999d8e0741da9b804

SHA512
174b3723354fead9d32db572139eac8d8876ab1438b9a6859f6a13098f50877f76f9d5fc5de5253aa6e1df600a9b61d20a07d4c743e3bf9c57e0a68aecb848f3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
64ce4e163141ae2bf2e0c594f7b6332f

SHA1
bb2175b517a9ac83378f08f7dfc7a867a4fc6aeb

SHA256
60537e919f761a77046eb81bca0af300ca8e722a80ff7b4fb4cf1cea01e79cc4

SHA512
39d1da2f6779dc0fa0bd676c953eeb8339a83bab36fcc29d4fff88d8a5233d1e21414a4fa31d64cb4ddb4b1652523aa05195be44e9036da4aa5d8f8868fe468b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
087c16a1fe267aa0f23cb884ff02cbd0

SHA1
e706cf53e37cd4d6fe8d3db87d370522a45d5040

SHA256
b2063daca5721177a9a80e0c41dc6a99fa6c0069bfe049ac34b21a715cd2f90d

SHA512
f48f69be5b99e0edbd00e125ff7327482a9e405fd971363357ebaed732bbc5e507222759e22d2ec70868946934f0eab55791e7523d6a226f9229fb61758d59de

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
7e5aa4109d15ecfd7c800777bf8536df

SHA1
daf9a682a914271118ffacd309e494b2a85badb0

SHA256
905a21267d0d2781d4b381e80503c5151f9ad33dac3be6dca83f50dfb7cdee02

SHA512
7ff72305ba56d94f76c514667b49683e2f53c308b1313d91d632810823c6a6b2b7ef7313d58fd343b2bc753e875dc7ceea967f8eb5a96b64f4e5bd639a5154eb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
3d3ce2e420205df2a382509be836d17c

SHA1
c96da3fc2ffb60b00c3596bb19975068a1fa89c5

SHA256
3be32e1a2fce77a53701352868e7dbaacae9e1c4952a7d62150f66e205047fb9

SHA512
97226f65799f6206f69675775af99a658d3aad0840f759e0935246662e2604ab3c1fe6a91483ab500cee1f5a46d87fe5b58d65724fa9ef83a058a7f4b9ccfbd5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
9d31102e3d4c620a89ffb3fade3b1999

SHA1
e1ec690f246ec8d9b12a742750dd426c38ed233a

SHA256
ffe8c861fc367f48327752c155572394a4108c8a230a1bf0271f845fa638c771

SHA512
15fbe2f090363aec93eae94c3661ae8cf942d1b8cc8f793e44a5b00c6ce44c1e5545a631c9957351cfdf5625ad797edca56be74f58a7211aa22ed6f8804b4b94

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
47c12454b1eedbefc560dbd5c02cd1ff

SHA1
b93bbc6e5876ba00c4215de5758477bf1e95192c

SHA256
1108dd25ad831fc2f5d91375528ff95c1dbf4f9b83af8f27f96d752c266405a7

SHA512
3d00ff8de8d4d89470d31b0d300fcb07fede18b161f82e509c2bc53ec167499bd0905d795b5a2203fb358a37ef0dbd881a216a7bbbed3277c8525d2496cff459

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
a2cf91612c1929db3918720742806367

SHA1
0d421576fb2ce637711f7b16ef5672b23fc77f2e

SHA256
af13504a76088dd580da924de1eefd55137ed6866c20f72d9256d93a46a4f2aa

SHA512
b537155db822a2b05b99f60296ecaf9826777dc8e59567100083d469a3781c92a68a89f5ba677ace10511a6c784bb71982afa4894f95989946a1a92b2f952342

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
4fe9cad6d4f86d193add742dead64994

SHA1
c5599586d7dffc8b83b5c292f18bd24dce816001

SHA256
0301009d1e79891477357ea7e83bda30ed615f8f080107e311f59013a9383c18

SHA512
8e6dcae8ab535b9fbd616c321116c94aaa63246edfb5900f64eb13edfef83dc76078a37ba9be5c17ca45104263d5edba619824f155f54077c089a9065f18a802

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\abda64b8-bb00-4d90-8061-d69761026de3.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
45161a2d8657b0f1e79c07b9982ec0a6

SHA1
d124dc1b13f7bd3b740ee1b041b9636cf9754f31

SHA256
f5aa2752e09e44fad7b2e1ce154fe8838f08e56b04ee8b76e5656512cd5e0de5

SHA512
494186706adf746eee2823b524693045a610e2e58cb47ee7559c3196ad42c8c6b337c31766fe97c89d110733becfd1d1c0706af1381110d99ad2a205aa18eae8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
4d0b785620eab4f39b2914bf9c6d5b40

SHA1
9eae8653e17f0d7b99855773b8fdf053793f6024

SHA256
dbc273c26d561d63bf4b6fd603e0ec130b81b1dc84a844d133642879bc505e01

SHA512
43e81545e0d2efa0eee85833b479d303536944efbf35056fbb2ca0066e213441acec14fc2d5034a5738d403b91279b4cde8c42182c7a06f074e9b96e9dd02ab0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
eb942bdb6305f3315f94ae3c05f48dbb

SHA1
7674299d7f21d68d74ebbcb1de993f2c99ea6a1a

SHA256
e306a68470836c921619dbbd8ec7c697a25625402fc95add71250d41231787dc

SHA512
1509991d75b19506b3c4fbee4b75b5caee8e5f1ec7c810d4cbe21ef9ffc32b472851c25da616fcf8cdd9a4b4e57bc5625eafa3d1803f2e41c888d449a2972c4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7417216d8086f037a442124b14cb2ebc

SHA1
f6bd1bd39f48dfa5c5d02ebf366f40d8ed41a6e3

SHA256
8665bb1b9dd09eaab6499d336fb6a3aae4a1b7dee77b9c24052191a231cd95ce

SHA512
9b7d6991e003dd6db1aad497b78c62cc0c4cec8dce5a0e987e06cf4fb856b37fcd1ce49d1ba1e26455b6d0075c6a4ab55078baf20eeeb28d152c72407737a718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
36c0d62d4e2e5e9468b25aa13c3efd10

SHA1
5f5a30d110c7d96a374d6189940e6ff1a71bb2e8

SHA256
650a8d2254ac138e5940f657dd42798b90c730df2a09323848e483751ba23de1

SHA512
85777271fc5d30570029f2f61974a0f6945bba051b02ad8716fde655bf1256bf4dd4399887685284b53c58a074d2c672356a0c263c21fa46971f36c6fa231185

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
764874e975672fca00fda4700fa7158f

SHA1
bae5885385428dea1d85866b57f05069fa08fd80

SHA256
4ea5885a817579c7b3af384fdf9590a6887eea16c3846b633b80ebc9432f9c72

SHA512
252cb6b892d7ec42ad4a237aa9fabfa4dae46496617bb88608b57178a68208c1cc9e27b5461e885fa0bb53967622ea83a300ee7f8ad516f15a9aced09ce59045

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6c60184c9c84a1e78514fd2836fe92d5

SHA1
0522c98c5715a8ea29230c2dab50c185defdea45

SHA256
7786a9510b8181ecc501b3ec7afb8324e39c1fc65e79eba2512b635ec07ad532

SHA512
26d5b9cf3b536688dcd78a9046628f9528d4c6fb59bfcf2531faf270ba238e6d7a2457ba6a17c1685b3844f2bbbb6b436a8320a8f11e8be1c38a83d21a3aa86a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
db87723c86f6e544a91d6747913fcf15

SHA1
5795505c09883e4b2867e8c76c3f75e106521a39

SHA256
b368277770c182c97f8f45bcd5ad28f7f734ea08f28153c07acfd55e33f554ef

SHA512
191484c127485d7381710c8f8a9ffa4190fd5a6c279aa0099abd6535de9d3905aa9fa50e2ed15c63b7bf05b8b5658e3b18e395fe03b06d64a7cd3349ccc4ef4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
af73dbae70f9e5946fdfe482aa16d0dd

SHA1
de9e2cd99c0c99cc3766bc1435537bb61e50b1e9

SHA256
301bf4ad460e5be3874545029aeac495139bc60a90bd0877da8d5b79c1ad31b8

SHA512
41252037c04c799679ef2fa937c98193c67455603bf19e9950d8f11e261e8294fc624d3cc55d5a538d1d1882a547140fd65e53b5810dd6f76ab3d011dc9e0b42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d64ce7d0ac663f92552cee82f6c98076

SHA1
ae2e71f2f80ba7e6a2bb980ae554a09018ed3f49

SHA256
ff5f672e65f6f416fe6a7c593a9509319563d0397455448ed0cbb02bb41721fb

SHA512
d57bbc30b65bfeaabd6b1965ca1fb731a40f54373bac33441e76ad12cea3b2e49a7ca8e4d4a488f5b95eabcc42daec735961594aee34f5d1cb5509b32e8efa63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0e0793dc528f897df0a1b09d6f0e929d

SHA1
6d8c88dad95b7dec47da42e8148a67114f86f918

SHA256
8356026c3a0636fd70036c5e0d04285e2eaa6ef003d18904e6ad61e46163c6c4

SHA512
32b4320a4acdd8d450aa3d320d8152723bbce7083d885fcc997aeec66e59af19465aa55f22c47f903eddedb9e07c42b63d35421940c2658f4bd6d24ba7c5130d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57dcf2.TMP

Filesize
1KB

MD5
b77390e666804d2d4b63ee7d333869de

SHA1
bef199c56bdd8befde72369097fb517cae3e5653

SHA256
3ab6d2b4d9d99f7da257f2693bb90b05f5fc8a9bf6b1b718a4f080780df2a4c7

SHA512
915a5ba9fcfd7da0c355f4ceea7c23603176263f92d5d8ff9955785e79121e5c1c4dd222133c65e778b2f0dfe6dcbcbf5fda5622859c9b37832447a68fb0305e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
714eb54466d97add6160e126c8cc1ccb

SHA1
f36abac56f89587989d604ec06e45874527fb9ec

SHA256
b33e2f52ebd3ce545d80a3d6613150c17d0d653374da7e1fe115cbfecaa34b3e

SHA512
ebba0b9b5bb57f1cba0f655bc206b409f9959784526b7183503d3b443878ce527cc0fd419e7f117ea052774f0431a7b5fad32c0c94b93775785664ccb0d7066a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\aaa39d64-33c3-4168-9012-7b09463d6ff6.tmp

Filesize
649B

MD5
36137d54b60da54e5dbc03f9492ef93e

SHA1
6b8d6ab375ab5c57dc0aa8c87dee02a42896c908

SHA256
962b2f796143ab6aa8a5f50300f875f36dfd343a8f50449eb13785bdc8f49a15

SHA512
3ecd38c6c72cc64cc7c5a648c0d8c0794e428fc549ab4948af33f3484c3aef451f5c3b892741a9966f7e2d977fadf1248e504bc2562ae76b3b8ba93d826f45d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
2848f9e3e4ebd61ac0492ebd8cf7cdfe

SHA1
a7551fcf89fd0f00da0138fb7d57ac35149cdc8d

SHA256
2ef1b61de6861300415930a9244c1e3d82a7128342897248d31bd55ce75a9a54

SHA512
9e026e741363ce1876c4a626bde43069a6a299d059785d490c84a53446f20ab4e267be77410614d06b035623fad0aea30df8833ea83f85a650883dda4246a927

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
9689f8dca27721613a2e0d95913e6a64

SHA1
fc48f3cb1556a2e3c384dfe1e92a2786af4369e7

SHA256
1354150895a64706e983d31a9a9fdf093585e009bfee9d0fe7ba918d5d892bef

SHA512
3e09abd82bf6633b2b29f46ea8d37bb5f44a209d2a607d70b3dab44de70512de6ef638138bc9a98e2eaa1ec112382e6066459ba940073ea57626da2903ad815b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
77b753982faa6c0ef467abc4ea2f0d6b

SHA1
49a267b91214ed18af2d5d5f34ed44df36cb4fcd

SHA256
6e0286a210197c6ec8a0b3e758869febef82952cc98c81b38e150266bf1eac6c

SHA512
5251c1c5fcb16a5068ebcff8d51fb0da6d39a0888047451265be4b7ef511f3cc90de98b2ea4f53268a2e694a4943187204f128df1a5625a4261d6f8033c5c7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
6ef2a27533699f928adee1e98aa9a058

SHA1
c0ddac03a5a2cffb842d5562e2f9130928a5574a

SHA256
9c6d6a5e5af165e92e92abcddfb78261e93dc333e6c737a1943831d8e71ddb47

SHA512
b61e0d5158acd479579f57682a3a83a0ddf42ad05cc521c101fd89e35c1988e0cf5c0b0ffce5fb30af847558c45013d8ce65009c275d3be838a38ab5ff9b949a

Download Submit
C:\Users\Admin\AppData\Roaming\cf78d797696f5a03.bin

Filesize
12KB

MD5
267f49d83c151bcb39a5f3b683cb1182

SHA1
9a9b1863ebb49db4861e2897b00ef24545ee810b

SHA256
a57952408150b0bcf012df20c08f4591a60e48d1257eaf08902ec074064ef1a1

SHA512
919681633fdc86acbf22956e0fe623eaba322a824c5c74d1f2a4584359ac9db53995975f52e1fce8d32880c9ecd14316811443017eef3645cab815a2a13d5c41

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
5af54bca33b4bf4e988b4c6ce9c521e1

SHA1
0fc6e881031e931c7caeea53ad9001f7af14957b

SHA256
f84e44f5df63b43ed5352617bcc5c0e7ba3e062b360160c0a70fd2b34cd3d99c

SHA512
e40a8b7631c6e84cb16f6b5b4e122d5947f75093ababd79134569295d7e51cac58952998bd0c3f71b928510735c53dcda542760f65c6b6ce221716c5e04c6d62

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3fde39df6f06ee7d218c6960add315cb

SHA1
9488b37469cee13594f1ef8a26ac21540d0dca63

SHA256
89c0e26c589aabf252f3edd2b7e66aa0efcf3cf4aa656a593afd11593c9f0b10

SHA512
11e22f08ab8bbe3632f18594418e0319f0b8a3bd83708873e1398b9b0886e35e950afcbf1c806b447c0beb732d8988c71afc2221fb74e805573581a2da49cc55

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
39cc2d7ec5f84e4c9a0c71a11b82661a

SHA1
a6fa64d06b5446a7f3bd08361fca0c86463cae52

SHA256
0441994a1a7f7bf8b0c48d22a2ffe85dcb40c3c5d4891f909147de6e2deb79b9

SHA512
07da0ad5b68750750d9fc9de06f0da1ee48e8a083fd0bd7ee4d5e61571bb2874cc5834c4cce04b89690060db3999ee8ee0bb08f24a6f040649a018b3571a7938

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f5625f323de2fe8470adba7346db5f27

SHA1
35dc4d9bc5ffa36a80c43aff074a8d58f9aff979

SHA256
7a4a874744b9b2a3ce5ce24dc1eef9821bce35d97369f5fe6604231711273d55

SHA512
60e935db7522b496b6cca2ac05a6b7f783e0d3bdd27c2317daca2ce258a452df800c181aa8a769db1eb14c9d0b5e0307e8dbde5bed785864e9a5506accc6fb69

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
02dea3cb5b3c0578b4a146950c11b7e6

SHA1
b409c5b3f456611bd5ef7bba9dcf8cdee11921a8

SHA256
6a8b7c7bcc17c898a4a9b204cefca6da58590cdf81cabb0fbfcab9aa6aba4c9b

SHA512
c0457435d2dc44b726eec49c9d1916ef47f3d269eef3728a319de7d1e9ece22ac312a4e7c44c2dfb8b99c12bddaec563a5d3b2987b87e00e30acee0e8e0c399a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
f8b36cfc9a6cb79d46136260d026ca67

SHA1
d648abd466c5e82a49be24d6ccc7c0e755ad4214

SHA256
a37dacebfeaecdab3d86ef3fa73d708793516fc849368479e5acf691b046a064

SHA512
c6c472b10ea56a707090976bfb712df69a9628f38ab0b3e8f67c1d6c72cb726feba20316fbd01361f7d19414cefda53af1297c22feba42cebeb00382c544d15c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
366e982c75e82a37343317fb7eb37cff

SHA1
763782eb44fcc209b99bcd1a935b3f1e61ad829f

SHA256
d6a187122556a31836eb7a15e10329f882fb288ac38c0f06a4cd48133227eb45

SHA512
37bb0a4550f7be1a359316909afbcd8a05074fcb0e9ef280e08fd5a12364564c2fd494418d8317a9e4e82ddebe5891d946008001c28f12328fe487e5bd7c0605

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
98b6baf9d11e86e4e31406397be8bbc9

SHA1
10c6c1330670908f793e75a7b96ef9cc3035f3e6

SHA256
fb930dd92698f6cb83032a4fd80540d6658bfae73e1ff23292269f97ee703216

SHA512
979a2aec0e02f3ab9a1616f22355c3117f3258877069913bb3239e8ced23c2232fea8c02cd190535d7f037f8ddceb091df9731b35e7cfb211e75b67c1e032c90

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8d303871fe25b096b0d63ded1571b0f5

SHA1
118a625764446f76611c4d28065f07386518ad33

SHA256
6d137d82821771e4e4f8cad0979f0e2bed2ae25d380414999614d8d2d76362c4

SHA512
010a4e629e53fed73d26bd0504f3f014193f8d4e35d48efcd200fd207d31316adafc25d501f1a28b01373bdb4409b76e0316c2e04f273f63a72a529c964ce3f8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8819b289423763214d24fb58b265fd4f

SHA1
deead7f8f364b9c3b489d9cd1be3f5d4bdb6c99d

SHA256
91cf30d0d3f8a30d1f3087f5f19431cffe3af88f6d380308d92df9c1b74a3aa3

SHA512
bfdfd6274b125e456b28e4b1bdd5686d9127f2f4cd7b8c9b782a4b223c2b0f09c9694889fa594bb650083081b1fc09c8c1baa6184ea832b00e1b0279e4a2082a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
2ce5b4fbaa904f4b3a730f9ba9a8116f

SHA1
0206046479e2005a7015897155f3c7cec918a261

SHA256
b2d8091fde9905dcd880995d87a0b41ee13dd72a5e065841e4a650dc092ff79c

SHA512
ca060e64859330ada70a39077328c7ff58ead770ae8c7940cc0f31c5f4c804e40b623c43f2caa407ac955c2e59a1b3c75b32f78b9f982c9f685158692b1f88a3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
30b4e9eb436bcf38ee06ee1f48a94d78

SHA1
035beea0a686545e5b5b54211ebe3643d188fab1

SHA256
2377ec122083e5e3dfa1046bb153fee33889c5c6ed8563951d833535a35ce252

SHA512
0f7b3b651a826c89b9ef589cc7124c520751eb1cc27e72beac5efb3d4b9d4a0703ae69921363f052e2018b8b39a82469f1e604cbfaeb8e113af4aa79331df934

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
16b3506983c894cba94aedff9a4b5ad4

SHA1
f70f46f8ef5806608bbe5c8384b2067e7057602d

SHA256
02a63ffe612892892f637d68482b18589242fc6483bf7001b70e410eb59a1bbb

SHA512
caba7ba7bb78ffcc5b62c7fdf468f917b9f8601df2189af1fb44f5d7de0cfa367e079546117d1e3cdc8d6f9b7d8f15ff0469fe14f48154a4caad2fd394a419ba

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
b610197c84b87e83780bd57f8c0adba9

SHA1
5b7eb9ebb9747708828a848476baf1e7f5ee8282

SHA256
7609d6d426dd043affd88aa61714083523692511740d27f182f112ed95ab351a

SHA512
1788a7710be8f6c84d011deb2cf747b69219901a0ad4bab3d80228fc65d266057b6e51a620e2069bfad728929b30101e7458877a1b7a5522bcf76ebff01002a4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
e025bf29545fb049d978415c96aed08f

SHA1
38e9cb0128f14f8ff969fb1d544c703ef75cae85

SHA256
b775e17628893063942a90bfe14ae04dfa0f8989d7526fb1f2743c5744169979

SHA512
541cfffa31daefe53cd7ec0f5e2c3e2284ea386339c2f0b3247ff68b229ab48b630f83c5ca298510050f76481dbe156b8a071855b6e4d9ef946f745629b4260a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7b72f09c76394d8adbcb9019ea4620f3

SHA1
8b0325694d8ae39cfc3bd65374d824768b10a9d7

SHA256
0f830383dd5465d7a0683b0ce0de91825be5c5f291e7d2051d2acd1930c3b992

SHA512
6a79f57d1a84f833e0799aab7e899023adff12156d41dd39dca21d2c93bfe515b4e9dae7e6e0a5054d2e7aa126626f937a6516af0a08dc8ee03652bad5bfa743

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
36a56fb5ac1f8b6489e4ce43f9d911b5

SHA1
805aa98a54edee1b1be6a85aabc3e7c3fe543f81

SHA256
386bd970eb31ad58c776bfb7fafd5902ad20c065edd6f972573709525aa7b6aa

SHA512
e20eb990b03c1fdba3878cbebbc31533d73b55ab3e830c0fc767bb505bf34f847848bcc84b0c099b725a2b90eaae921882b887611079909771266d0cf7b75b8d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2a258733b50fe4a034e737becc28062e

SHA1
825be07f67c4138dac4d82cb7cac4825f896cb9b

SHA256
104aa4cfd065a4dabcadbdfe4e3566e48d1220be5b0a2830995d4de9a051c134

SHA512
0d656f1b92a20e1f1728f8e42f0b214bf68c7b85f18d4ab503c170a1e546b2d021c501dc25e0588083b9f356dbdc7f96f7aabdbc6720df18751a31c164236728

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6b8441fdfedb421f6ac120b4f24711d1

SHA1
34c7895d23f3a20efbd07aecf234bb66c7ba1536

SHA256
4c776015b209b0cdd20653ab861c64a31e05018169bd3f657d351ef8e162955b

SHA512
23402abf02087179961086c362538b7add13100b70c671d2c61fdbb3a0672c845c7db176c9f748385d3f582e4d2f736a6d739a02160b6598aab000cd149d019a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
6665ae31785a4abb2df34db1f60f8bda

SHA1
a7f30a3deb5664f7b66662b3e292ad08f3e4ad47

SHA256
28281c2880039739301725b011cc0d1a25ba3e37a94a114b66ad4d31eff7878c

SHA512
672fb35827d02ee4e0c5a79cc05cee938a0c0497ea9549643abab2dca0c0b399034305b22188844dc90e21578e98dcd553684d43d235edc1273a0ba05b71c1e9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
0825f1a35c34c57741f36dbb53d47d54

SHA1
756026a7881e960c89d1ba4a90cbbbec03ee2f0b

SHA256
9e370d65bd33081a0fe686e0aed81ac8d1d3e40eeef8c412f29099e944418ee9

SHA512
54fa3c7f149944c9d2f7b953f6c8dfcd56685919e68d55485722236591a311a4d114a0a287683945b23d5aa9992790549da89f8f7f70f51c3bce179a326dc58a

Download Submit
memory/876-201-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/876-473-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/904-117-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1216-153-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1216-217-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1404-393-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1404-187-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1716-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1716-58-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1716-52-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1716-160-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2160-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2160-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2364-431-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/2364-530-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/2392-98-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2392-118-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/2392-104-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2492-28-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/2492-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2492-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2492-26-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2492-8-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/2584-88-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/2584-91-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2584-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2584-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2584-93-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/3036-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3036-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3036-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3036-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3496-152-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3496-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3496-38-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3496-36-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3612-34-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3612-135-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3848-200-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/3848-120-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/3848-125-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/3928-195-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3928-193-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4004-367-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4004-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4272-422-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4272-197-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4476-396-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/4476-190-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/4508-289-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/4508-163-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/4932-136-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4932-213-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4936-12-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/4936-111-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/4936-21-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/4936-18-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/5036-222-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5036-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5036-518-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5124-456-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5124-394-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5156-214-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5156-497-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5220-501-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/5220-219-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/5324-223-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5324-517-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5508-524-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5508-406-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5704-419-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5704-445-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download