a3b010d7c6e18be04ab4b48fe41116dc5bb4d2d55287ff37e5ce83b3d4630a7a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
Size

5.4MB
MD5

4e6034e26e6b7a1e72000d56cfd5468d
SHA1

f7d85530784c6fa1eac59e5485737f496f010db6
SHA256

a3b010d7c6e18be04ab4b48fe41116dc5bb4d2d55287ff37e5ce83b3d4630a7a
SHA512

66e1edea2f3b40a675f16d64e8a391cd4bb9d9412df0d94f94bbe859299f1d4572cb7e4cf5eb96cd5acd83a31bbb39715ac702b4bd4b201d9668e838bc77bb78
SSDEEP

49152:b0kwIi7c4xZlm5knEtw99Kn/2vim7vgv6m+yyJ/0gbvjy7yY7BHi3u7L/gBUUWLr:HwfhY7g/rLO7yYA3awr341gJD527BWG

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2776	alg.exe
5012	DiagnosticsHub.StandardCollector.Service.exe
4608	fxssvc.exe
3516	elevation_service.exe
2556	elevation_service.exe
3520	maintenanceservice.exe
3216	msdtc.exe
2628	OSE.EXE
1856	PerceptionSimulationService.exe
2504	perfhost.exe
4388	locator.exe
4048	SensorDataService.exe
2124	snmptrap.exe
4540	spectrum.exe
316	ssh-agent.exe
2756	TieringEngineService.exe
5232	AgentService.exe
5324	vds.exe
5400	vssvc.exe
5516	wbengine.exe
5616	WmiApSrv.exe
5712	SearchIndexer.exe
6104	chrmstp.exe
4064	chrmstp.exe
5668	chrmstp.exe
1492	chrmstp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dab35042240c1bce.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\java.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C4DE67E0-347D-4E90-AF69-87B120456F47}\chrome_installer.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004650ded1c515db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee1828d0c515db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133724553255225125"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ee838d2c515db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021ef5ed0c515db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e5361d0c515db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acd706d2c515db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4864	chrome.exe
4864	chrome.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2056	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege	2468	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege	4608	fxssvc.exe
Token: SeRestorePrivilege	2756	TieringEngineService.exe
Token: SeManageVolumePrivilege	2756	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5232	AgentService.exe
Token: SeBackupPrivilege	5400	vssvc.exe
Token: SeRestorePrivilege	5400	vssvc.exe
Token: SeAuditPrivilege	5400	vssvc.exe
Token: SeBackupPrivilege	5516	wbengine.exe
Token: SeRestorePrivilege	5516	wbengine.exe
Token: SeSecurityPrivilege	5516	wbengine.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: 33	5712	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5712	SearchIndexer.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe
Token: SeShutdownPrivilege	4864	chrome.exe
Token: SeCreatePagefilePrivilege	4864	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4864	chrome.exe
4864	chrome.exe
4864	chrome.exe
5668	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2468	2056	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe	89
PID 2056 wrote to memory of 2468	2056	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe	89
PID 2056 wrote to memory of 4864	2056	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe	90
PID 2056 wrote to memory of 4864	2056	2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe	90
PID 4864 wrote to memory of 3488	4864	chrome.exe	91
PID 4864 wrote to memory of 3488	4864	chrome.exe	91
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 4584	4864	chrome.exe	96
PID 4864 wrote to memory of 1644	4864	chrome.exe	97
PID 4864 wrote to memory of 1644	4864	chrome.exe	97
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98
PID 4864 wrote to memory of 1316	4864	chrome.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-10-03_4e6034e26e6b7a1e72000d56cfd5468d_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2d4,0x2d8,0x2dc,0x2a8,0x2e0,0x14044ae48,0x14044ae58,0x14044ae68
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffd4bb1cc40,0x7ffd4bb1cc4c,0x7ffd4bb1cc58
    3⤵
    PID:3488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1904 /prefetch:2
    3⤵
    PID:4584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:3
    3⤵
    PID:1644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2408 /prefetch:8
    3⤵
    PID:1316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
    3⤵
    PID:5596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:5644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4540 /prefetch:1
    3⤵
    PID:6136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4440,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4676 /prefetch:8
    3⤵
    PID:5348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4368,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4312 /prefetch:8
    3⤵
    PID:5396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4428,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4900 /prefetch:8
    3⤵
    PID:3300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5036 /prefetch:8
    3⤵
    PID:5720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4356,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5012 /prefetch:8
    3⤵
    PID:5740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4716,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5040 /prefetch:8
    3⤵
    PID:4412
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6104
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2a4,0x2d0,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:4064
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5668
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        
        PID:1492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4768,i,15830329250863891115,4254163269603908412,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5320 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2776

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2740

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2556

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3520

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3216

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4048

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4540

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1704

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5232

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5400

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5516

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5616

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5652
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3036,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8
1⤵
PID:5636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
d8246adc77a0633125ea9ef2531556f8

SHA1
d6d379e7e48b35ab5eee94e6e85b1599a63aeea4

SHA256
ef2d3585a11332c5a5490d732544fa801e813c5bf1713aed5ddd506505ebafe1

SHA512
0d400f2170a1441babd234c139b4be18cd5f1fbeeec22249b11bbf56ecd57ee2941af812810e1023868be54cc4de6a64bb6aa08d4c2f8fb92365b36c27355dcc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
4e289eed45ae83b52d04c9aed060b5ea

SHA1
81b80c872da17eeba4c4075eae7471f36ee4b184

SHA256
b622360e049bed5c590acf388038d5b2fad90ff49b361de7b3ab9327caead0ba

SHA512
db401244e7fefc7d5b7b9cf85492e275d2056fd7b3da1a3609da9c11d538f20de6080b84c17e48fd16365ff9f6340d1498b3ca7ac7acd85ff26fb03e6e7edef1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
662745cf389e70cf71d72d8f1778c6f3

SHA1
a3414eab83bee565772ea7274ab384ec7a18d6f1

SHA256
af53b437ddcc0177532bcb64ce9ba53151e80284f937d28a53621c90b0105bff

SHA512
d62071a0a66605a5614a22921a0ba6c3c3cb2b9b52f0d2a634d4e7dfda809e84c5af24fca9b9417e7bed12d06795bfddc72cb8cef3d7ede8c3c4e92256084fff

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
61a1b43b5b53bb12a12eb3dcd6abf145

SHA1
5c530997cc8c85b2424dd54628ca28d688fa7c75

SHA256
8b9404d6486ebdbdb81d7fdcc943d5eadb4fd21eae32f33d982a250d145b56aa

SHA512
3b810da29b8359e2e94d0678f066939ed3c1592fd0be2ca315dd2e29c382b8d763129427cf3c57d9f2aed66dd0bb47f4b6084875f79c8dece9d9462a855aa1b8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
423a73ac50cadbb40671cc573e8590cd

SHA1
492bf922fe8058a68b07641b242dbad518b8e965

SHA256
3cd3e0f24db974d798e7755cc6d65101c930f7c7128cd9e4379a24cb2986325b

SHA512
595918bdb96d80feac79dd75e69f6de49a2b5a7504472cd18ba5e34b75bd7f4e3f74d4fae4c6330de4acdfde43efc107716679f86fcbc7c025870a162b1722ef

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
a1a794c4f0284b2d02edf2121fc0b97c

SHA1
bed576c4fdd655d2cbb3c7d7ba59e7d4ce24f43d

SHA256
0ead825642d08adbae0005b1c936d13c2cd8039d5d5f9466539e938cd119ab20

SHA512
b17a12508b7d617b87bbb74be6c209df55d83db366acf71c2595f4164ccb07a2e7b0c16025da927dee6407ca1edd7228d91a80de3af1ffeb93a8e0d33d08661b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
df6ac759eb3040ae737b2b251b3b300f

SHA1
1b5b62f306f63513f849af467fa6c35a3d314af4

SHA256
6b850469353eba5532d81f9b9ee489fb4a4a59899e4a95df1277ebc700671237

SHA512
60d63e1cbf7a19f3d01b08cd370dae0ad79d5ebd8923924eae21c3aa5f434d273c98f694a67f0bf7e923b127d9042b12ceb7a9e35069d1b5208f2def1a46752f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a76768632f285bc34ecf9390e614dde7

SHA1
746b2b0323b579fe4d63132000f54f0c50dc6bf4

SHA256
dedf84d97d4d9f6371a8419c82f14cc8530e5d4bb255c5fc49777b763e714e63

SHA512
314c29d16fb747562e167ef5e7c37984efd0b2fb79931b5b13e2f93cdf4b32c75c39bb545d9f0a8127650a47d88d820fd0c71f21ae993e60ea13cc6f391549f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
1a7c83745a80c8bd6a432c5641338e63

SHA1
e0ebee69fa50e0f898f7f14115548d4912737ca7

SHA256
61dbe2e577f3bc1cd786077ecb123bc42dbe7d92334887bdff3800ff7f7eaec9

SHA512
cd156462781591f6db69700287f4ab12aec664d27a54510d03116d3cea102270ad5b8cd96c987d8df9ecc2b0f1b72d6361222e639b6583697bef59087cef2f72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e36dc635d3262b1997acb52acb5e3d6f

SHA1
4f93180dffe0a576093bcc722e03bd0214c2a13c

SHA256
9070a4d590bee9777f27f419a9754d59f35285c3caf44a2ff37a8e66ba55fbf4

SHA512
1ee2dbb01c57ce77d0be5331288e9c9b716a3c10cf1f60611a1c865ba48afb678b07d8c7e679b2e582e5dbe467a681d67da8b18ae74b8cd06d82dfc2e816f9f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ef96cb36b98d7936336b700328128a8a

SHA1
b6b438441222415b03b4d44d022679d4dc44bde7

SHA256
cd98af9333b3864da710e9cc323345d310b8469f3b0a9ff83d52b96b5dc4a37f

SHA512
f95e7637775a61ba3c829f88a1c68c188857495f4ccdae9e13837feaae6c4fdc0bdc63707d75ab3ae86f60c506599c0bd267dd064d5deb07fda6b17fdad94137

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7a8e3ff0276f389badc6138ed54d7d29

SHA1
7ad50b61002be4232adb08fbbe32be0c64f6e9a5

SHA256
9287f92335a11b10dc8e34de9a7e3751300b22074af8c6cdd21c5ca379d5ff43

SHA512
3879dd5a33dc038b76e5208beff1809da80a8fc20937b40d14be481229d3b0acf346e5686c650d537baca153db38f087f62e721023591d6e57bed47a9417a38c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
6fbe661f5dba885650492e479fd7a2be

SHA1
e1950743cc6a5f7b8116290bb6ab98c699af26be

SHA256
cbf357a1a49bb3f9d56de259b8022ff3ce44a3c2c109d9fe2e4450f1a7ef3e88

SHA512
1bc6c84c018423dd335a87cdc2a7974db9e5fa5fda0f38b45e3605142990eda8f054858ff4cc469f5ca3b5455b0b50c1ae203388a5d7175a833c8d7ea892072b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
8181bfae33f3998298a8faf8a969c81d

SHA1
aec96fd4f8c3f1f99bbb6f0d108c56968d1b2a32

SHA256
ad5230b9a5fce039db773051ada82c104929c234247d1495d78d881d02be323d

SHA512
6935b92cc6eaa95b6d99a486f779020957a6e165da78b3524902924d6f3c2619500f05f98027537752acae7b155523b0d7d32dfdc14bdbf92f7baf65793e1873

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
26430bd3b9092308c6435cef3c582a04

SHA1
6b8a07a6e7b3d46e6ca74c925b1f043f2c4cab08

SHA256
e3a5b2d9e05d45c5035100ab2283e2b19969059447fd2cc9f5fe978e758bf3b2

SHA512
328372470de47d885c73bd5c3a9708c9e6d43f5fd9cc0c6598aa923c803250922d285a52bd8982ae6932a12eebc374dc343e760f963e48f30c1a62dd9e6b2e9e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
cc557ca8173b30bc696dfe5c10b21acd

SHA1
d33fba7888b1fe5aef257f0519d7726cba1e1dbd

SHA256
4bca7823530e888408cd84dfea5512b1ef88e23fec4e2fb173bef220765d8964

SHA512
85f8e11788467a8455606de8087dd8ab5a5c147e1e3416ea81951c1539c222c1f44170768fbd61efdec34f6938ac3fa30f5441d8773f2ee1c9d7e40d9faa0745

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
4baa0c383eafae9177feeca1ca40e677

SHA1
eea5315b5b5cfa1f50e200fb0a09f2d80f0216de

SHA256
eb19ddcd6c893459be982a3874160c31dfc77fa3172251208da793aa2a0b14e4

SHA512
5981be5ca6701f712852a9fb6f90885eca988fa932af44017a1642679af3325627b61326df88148da79281f6b429b491524bbbb2ca17fa7669d49477a44d16f0

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\6caafd1e-b8d4-429c-836f-400a2738b037.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f710e4fd5f9a06ac4cbe62f8a5fe63d9

SHA1
4b08ed85fd065d5b6945ffff425953175e519a0f

SHA256
75c961fc30508efe8601ac42f588557e4eeed0e82ab2b9f7600191c4872ae7e1

SHA512
3b2a950f535376af348db36355ff3cebd28e4dee578f610109cba055e9720e72be024ddbc99eaa932f09a07743bac5887f617f22ca0f4c67e878d5542e70db7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4fd2e1e0ee89ab2efcf64b13813dfb57

SHA1
f1469469ac1884f002fbe3cba1d8be88cfdf39af

SHA256
b94064c9e6abef05638da45947d0760325acfec963626406aa73bdeb3f3e77a6

SHA512
f28e540f5e356191f33a7e5cb091d9e6fcafac73a94e87d6b96823ff9cd8d914ed319cb3ad1ea76a5e788b7637826b6b5fa6b3a6c96f24353c0c44f9ce0b00cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fef8836e5d892c511f1a4b06986daf1e

SHA1
4eb6ff18d520d179d0f62dc3113977dba6c801e1

SHA256
d1f8998d9650ed63957acf15047424d8c5e8820a577268d5e373b331465bda74

SHA512
30408f3426959d693fd20704d7f471b34b42839763faaa940dd5c7690082138b4f21454b3221a399128b22d70c0b74052a7656509e0df380adec08456174af49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
08d715dc2db17809530cde687de701ad

SHA1
a2e50f1a6f9add67879eebd1c0ab279aa5bfc098

SHA256
7cd0c16745326c54893434af0809880abc04d6b6d42ced5f7e92cb8f17a4a097

SHA512
eedf7c4daebea23cf547e2fe085f93fec711029df742bb9d874988042b38d4cf4ce6433ab4d77c7c8c2462e8628824fa2b804b462340453ca0aeef5b7e81e90c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
d0221bc1da94cf5fcac6e80c3a28a0aa

SHA1
0432a49ba540816d5242f4ecaedac384cb0d965f

SHA256
19f47249d90ce767110c305ff1150fe2fbae54a901023b76eaff652ec9caa6fd

SHA512
2762b2d12d98f550df662c81951a05af1c863cb8c0b4f434fe170c290aa9e8be372af02cd2cdadb621578dc7e802bee7133ee27792c5154240ec33cab7b17e1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7ed48da80579f910544e315ab7bb34e3

SHA1
0116e36246cd05d0b79c6f28ee307c2c17109622

SHA256
7741ea8bf9ab151034dacef6b1fa461f55f3a59e6f02bfefae7e43195617d4cb

SHA512
8076a5a21b8d7f4a4c9e58ec3f58144d0239258e97bd2bf9bfa9e79432cee04c715d58464997075497547a6409b1dd46879b2c1835c077a76de845a0a1f57d77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
de92f00884373e27aa061b06f6ea54ab

SHA1
e362ec526360a4dfc0f2d00e12a503e6655c5d1e

SHA256
6a9dbbc05fb76e1e506fd88805f159e623b9abecf7f1f35f7a0c1100a3b357e6

SHA512
41bc8ee62137f9698fcda080ebe3142fa064e3ab0d23e5c610539a55136647e86e1d1dd3e253c334db5aeed1a3a43a51c87c64c72c5bbe59aa3f27261722bc39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
64ba209766b93910391a798d277fa03f

SHA1
181ffc1bf94985454e7265ac0ce49e2d32b9619b

SHA256
eb8db711d0b666644076b53e2ff6709738c35c29341c26f94137d6c12ee77043

SHA512
9a04faee44ef18797d98c453e41d4e63369dd050edafd8371a5b3bebe43f8b1e2eb85ca5cfb0a5bd9107d660950c3870ce6da48d616b6425d10668fc2f48fdb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d838375a0014d9b6aedcc0d479c3a212

SHA1
47594a3c537ec4d906e4baa2548afa727f649178

SHA256
6c352856d76a0d5ea4e302f64db4f1f0e6ebfb5137fdc15d2df8660b0c970380

SHA512
297a5317f4c1a8045e3624e56b760a001fc6d43812ad6160bfa23e8b9c33595424bbd80eaf30d2a292f31d81c09cdc19ac4d65e0905fb4e81bbf8adcab128cdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c24a2e106e9a2fda81db50c069e438ba

SHA1
061ea24913652066477542486b53176c1fa57a35

SHA256
e35bd4bf416e76c78fcd79a2adfbb4c7d88dce1a0d10079e6239a404004ad5b6

SHA512
2e56aa796908316385e2448a98f5fafb8171e08f092d45a7d0886e5a6fd309c34fbae8179c3ace5a4c33406d8c7e919ddcfb94ed465c7c74c01e5b3a8639df67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe587c8e.TMP

Filesize
1KB

MD5
ff7c98ffddcec6a9ef665790cb07fd18

SHA1
889b8ee97ca86a7fbbce53983c65870f91d33bee

SHA256
89d2f6c02c6a429492c59038301f756138620f64ffdb9b523cab2d1d42eb4b92

SHA512
1f84f42966b3f86fc7b03652e5faa084ef7a481d5f2e39939aa109bf59f8ca8fcb091f149a0cabaceeafa3d9d1edd4b65354afa1b24ca889ec2986a88b397d8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
13f8361f23cb862d4aba8633a51bf789

SHA1
61e5684fbed280bbf66dc873566a396cb473167f

SHA256
387cee7bd22aaaf3e17790f050828bc1020373679724c34c2441721f459517e3

SHA512
d3c1d5ba2cb71e948eac87396dc4d5ef7373e928dc09bd9d394f58b16c34382cb3c6a005262b81ccceca467ed363aff486e15373122abf3292b8c52ef71a9091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
2efb915e71207773a6aefe30e1f23dd7

SHA1
f3d13a82acda6261447564514b344240f4ff0372

SHA256
f6698e85837520107529495e985c1c1918480e2d31f2a26c3c5c39ba838bc910

SHA512
9ea8f5b0791dd980ca3872a24f65ab97a5c81bae95d37ef9feafe78573ec3fcbb4621ec9ce7db399e11a7d23dbcbc89db1a3f1af80ce00ef6c289e9d377aba5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
210KB

MD5
28af5f2b2a14f1e43af1e2ed985d883a

SHA1
83a48b020eba08df2cdf320826fdd8777f0fd2f8

SHA256
d8ac0f7b7b1b729b0ba9865f86c3111fef156d2a12b965a47e84ee4bd1c76283

SHA512
70f0715e847581e49475ab4048e88ba899285cb42febd3b4bb8488ef20d8f5e54d145b09f732bd5f3741503fe87b1b3cfa358901825e3cdfe234c69e8edcf96d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
210KB

MD5
3b54f27db1bb133ad8476e057c3cc7e6

SHA1
03db772f466df5eb5cb6e0b12f837999ad35a78c

SHA256
8b88a6c00d79669a331c140c45f3b7fb78668d8a9e5796fb08562f945e6e7404

SHA512
553985543a3b97211e971b2bffac8521885415dda84c24180cb60006247ce2b64f7d9f3384236d952ac1dc9b0d7c31689d845d170977e12ac398fd2c4781e8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
3e6904f5571b610796927bf2b378d4cc

SHA1
31a6ed3f28a83ac03be6867c6aa312298d338077

SHA256
2ac92efcc2a57e443d1d2c6a70e7878fc35b9f463e2991a62cb4207f199bb623

SHA512
769154067d9ef6361f38925a63e685a955e34082929578acae6b1e344a3bdf03e92436f462b3ebed0f83b4f5ca34180dff79373ab35046516329f04946ebd7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
76ff938f7d309cc2943387281e9799b1

SHA1
a70123a3696463c728fcfa83de26b9a6daf9ea1f

SHA256
dcf0463d96a28f0bddba20d674fac44a0b1516fd97b6551a063ae23df59e6190

SHA512
0525e45d6ee69c6f1ed2c59bc59ece51eb7567874941493b75eb883ab15bb4319acdd18e2bf5fbcff90785ee2c1519d52b92226797e4d9dd46651b9492051177

Download Submit
C:\Users\Admin\AppData\Roaming\dab35042240c1bce.bin

Filesize
12KB

MD5
353e3f095f33f7504c9ffcac2251f08d

SHA1
ad5a0fa37d30a0beaf7429ae48afbe030b7bb5af

SHA256
1b3b47df369689c661e48d0c99f557ccdcd99201cec1cedb8e024b4a918d887d

SHA512
ff7ba2c2d8e3607777bb33c9146cb39df3e6265fcd47e4f925e69e53762e4abbd3a59f270eef225d73e3864543e90ee3ede24666e2342ac11986a6b333c2e466

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
7cd873b3162af1868ef1c90117ef7381

SHA1
d328e1492d1533d680e2dee6c7c667e64bf6ea01

SHA256
9d8922a715d0dc54ae2e869df2901003e24e8887f5a540f100e34c703b730799

SHA512
09f99e5daa41dbfdb94dc62a2efa08d30ec131adbf8a2df79c219414063252b2a5aceac4b4f8e03e818493c31e50d53295d31d3a8548e7d6d6f8751a1b4e6bcb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4861a154b87d4ad2e015bcfccb0184b8

SHA1
f3e469dc6fe9038473c47fd5b33d33afcc2d51d8

SHA256
14645c0117c4a3948f8f74fd0210eb4e4a080c33f24bbbdb7f7b4e00c66398fa

SHA512
b0c2a8bcfd6f91430258e55a332e49581618e147b96dbde61cfc8cd48abda62d9097c604f09867c8faa620acf7544041e246edd14d597ec12731eaffa4a82084

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
7b930a75dbb92e02afda80a2ab96a14e

SHA1
7eddb5e07b46ffd3d804a751f7c1b81204236f00

SHA256
225a9a723ad0d6ff08212373a86920e9f1d47e3b738cbf0ab2bcb231987445b3

SHA512
ee5bfc11cb5261f7d6b97208dc557e196102b18bccad1b04d2078eab3163b8eaf598d116f87d6ab1842b3554d5da96415ddb279942d610aedb2444874a72aad8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8f3cfa2bc8445173ded17580c21ed0e6

SHA1
2c011c63a3dc859ead446f8d3438abd1228d43da

SHA256
59dd20bb19739f615ad92a6e7c2b41dfa96d9771483c2bce63a807c7ff7cc90c

SHA512
cbf8d4aec057cc0bfedf73788d73f4a82d8e3a4874979e7a45455ae39a608bad61c2421804db10ff1003c7eec6de48fe8f3fad817c13413e23c2491d6189fe07

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
4bd49e2ef76925b779768e1edd34e01a

SHA1
0c7bacde590697619dc2f0653ffe64c163276689

SHA256
dece21a0dbd047c170d678e08e5e0df6422a733c80dde730757f9a33e20c81d6

SHA512
887f70f74424f131621af8c98fd0d2358fb0bf700aad24e9c2878b9030278626eb9a9b3e18d3942c733ecc12653e80a21666206926c739133e0d4da7ca444d7c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
1a133e7086594d6df15db4f015dacd69

SHA1
b0db4d7ef2aa1af5749357be539579cc03d5436d

SHA256
98cc02ae766f0c40fac96a83e5be338356a37c6ad66b84b634940ae4d24c2e98

SHA512
66e821628dcc4b031a8c315c2124bc6a93b446ced60a7b5af4ffbf10e40ac28f31609a24201353a8252c5b3ad0c3c2e7357355728fe0cd2cba8f9c263047888c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
64da3373d3db6b0bd71e7354741b12a5

SHA1
a3252b0e7ac9cd3578d349338d2836e7772fc496

SHA256
078a381cc073b096c09702affadc03697628afcab121b4cc928fb7042c74cd73

SHA512
e7ab7121351a0bd8d93d8e177ea4432df15b2eef2059fd411c4ce9d6a09ff42118bf7636656172c406a39dc1579286063d4152631c91bae3c8c8e66ae139a0ae

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f2580a66c5fe90700dbb164394d7501c

SHA1
fe640adabef9ae27c39666608bb5f96cc41fbe3f

SHA256
defac5d6eb13d35ba608a11f4466f8ad5df725ea205cb93eb102e186e573ca14

SHA512
f19105827f7048df940cd0356a562e7b6af214b1bf47c2d41ed05334dadc40443ecc733d75be9882aac4ec88bb52e0c9107f0ec901389a070c2e2f96578be058

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
61c8f1a951fc8ce69648c73f68682f1f

SHA1
d87af64b59063b60c0d069a8b69090c7919ef893

SHA256
da082e548ecf65ea820c7808414ee3ee662756accf413a9acd67e9e173d5295a

SHA512
f10f39689a097a46ce987ccd6a5b893e1a63e219569d40d291a8fd62ce621d4c9605ef4bf816b2b2cf250f36d2482ffcc73ad8667bda55a90bccf4d333e82ef0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
585006984b53fb56ffff4717f45b5937

SHA1
50454547d7b11871d943c9df9ea5b05038d9e3c1

SHA256
10bb86f7ef81f962eeaac7747d2c0a47c8348e4f1f8375f31da4e0a98fdf58b8

SHA512
69e3a06bebd74c16463324389f2ad37b91a8dfcab903cba3522c7bfc01922fbaf0b0d84876bc2e4226192fd76e8df58e4ca1832746c401348e606d3ddf0d5e9f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
3bf514f5b9043b9731915876ddd5b037

SHA1
85b4d4309f0aa7db5649b71c0b7ea6c9a2652709

SHA256
75b7e1f490927d1e1e09393d61d8a9ca5db603aacf593b7262a64aa681d8ddfa

SHA512
b061625dfd5ab25810010a8c17740cbbd1b707f676e00965e7d8381f877304007ae5c4a30a2b6ef094c9d9019292204d92ff7fc3185ac3a9cf4c16cb1fe33e5c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d821f8cf6ec7ec3df157aa97fba14044

SHA1
d3b425ce75f3559e392788e93fa3d1aa54e824a6

SHA256
ad3b360ea1a6cc47ff369cc753a2d7cd1cc295839ecf36781fd5ae3d2f227758

SHA512
32387bb66d3531ea5158276f20c5822a43a019991a458bea9b8c0a59feb6ad955eb5d0659c861170cd99213eea2fc04f5cb1a84ac4e4862c34e9d6bd8cb74981

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
450bbcde83bfc78c5829acbfaa2c441f

SHA1
f61630fa376d62a86dd0fc949c6438c950b9cfae

SHA256
eb712df86b3cdbca64d311eea1dad4ab99d4a257875926322df870f6a2bae65a

SHA512
738bb5afbb95d88c8c2b16d8ad2260657c02caac66ab8fcf2790a9909d25e2eeb434fc24ded86f24f29a645bfd21c5d012b9fa8ad86b43eaf9fb395261b049be

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
4014dc0b20d12712f5fae5edce97d99c

SHA1
6bcfb64d18f9091e7ed46107d2a2a5572e8e024a

SHA256
75189d999ddd3b5352cebc9f1f2a16905e7ea7c28c53a90db21dea890f1e2cdb

SHA512
d4b73f9130a6a67693ee71ec99c9799aba62dcca943951882c7cb84386ad72d42eded71a77191fe47b41e1c54de8f5e6a50ca241ce70ea0411a03c359a5b87bb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
c99bcce377b7b3caf04214059b948179

SHA1
9eeae835be5591a3f9e5be98c146e7479c820c98

SHA256
b46de60722b0649453d707b9ddd7a44cc59eaa685468f21128c9892a1583a8bf

SHA512
767a766dad7eb7c668c3c61d8dcd724eba0a5650b724080340ba73360a1d301afe9354c30a86cfd6d96b653b46a27c349a33868d8559c06c0bb1cf8acfb645c7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
82f06f8a2fb579c206389b1571ee8af2

SHA1
4900ebac8e47f525800e414b3d2ec5438cd4dab5

SHA256
44962f9f83761fcf5445936458155e34e74d761b3f88b93c455ad117e5887907

SHA512
0978b02bb92cd447f5d7d25da428d11130b7fb2f34c69d251c03fb4c3270d26bb31e8165f08890a1c827aadc8ca9d70a4a19ba6594f31ea1372a2a176e208d47

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
62ea23634d500e45e2da45c27c79b2b6

SHA1
028d076fe8bd28df7c2d57beb560ac96e6f6eeda

SHA256
058b16c85edac57f7602e607acfe0421764e3c39cf8da06a0c7a3319acdd7748

SHA512
be95f31de69de6119804fdb27eb7af29dc990a4919ae841ee73d9210c5bafb39289ae15ff44c42c23c0db1019c908e142049c61e7d2daa8f1f74bc8428de61cd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
15855aa92ff1d5849d54b3189e326f43

SHA1
a09639cdddb1c2fddde9b10bf9cab1d80a3f14c3

SHA256
06fdfc24b0c7e6e8a8590e89d593f2585f1e6b4e7942389d3c58cb7c23a18f40

SHA512
ed8d5b601ff671e98012fec01065e93ea36f47c157fa885f96290d41cd6cdbba9710977ae2d8f2d7d9c2e81f9eaffb1c75720458f830e523c0140c7279193731

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
974417e87d8206d5ae7324a42c88da90

SHA1
8e5f3a504e0ed4dbcb4356e9af141ad51bc999ae

SHA256
93b4408c603fd9f23ed17f633ee4eaa08557015396b149b18955d09072dd6b0f

SHA512
fda5fb802fa086d22345b4d1b5089b85a76ea53232fd421af06eb5cbbc2fd6a50649cd281bdbc333d0160ca79e57e55be92929e5687a1a611c0f03f465abd9e6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
d94b547923ab293a78926a3fa9745980

SHA1
e161824ea4ca082fdc9e17258ff1e1664bba67e7

SHA256
4810c5de4f8a790d9b8e8e9edaabd076d6938327d52a7b797fceebbe9fcf435b

SHA512
cf42bcd6fc6546e37c6564998deb4b2802b184cb90a603aab8ee17666b18421728ef317a0fb19cd4bb557d3fcc4a08d8108457e03cd3095b81e3164e358b6b3a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
b178fa441b73247b5f1fe62412aa187d

SHA1
84cb42ee247f57c43caef5244cc80cefffcbb99c

SHA256
415c4b783e12e7d7a0182ddc9c18e61f8c92fad1f41e30ebcc3a5cfc7a9c4cc6

SHA512
05e2e2432be259fed62ae47cae29f02ac6692222168db2eb5e0fdf9f729ba38b0b00b736667e2fc9944c1ea00f61674637c3eaeeb451ecf3f1f7fa67a1b61022

Download Submit
memory/316-220-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/316-495-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1492-605-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/1492-769-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/1856-261-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1856-158-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2056-8-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2056-0-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/2056-36-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2056-9-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/2056-22-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/2124-195-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2124-431-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2468-110-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2468-18-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2468-12-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2468-20-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2504-281-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2504-161-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2556-84-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2556-219-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/2556-96-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/2556-90-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2628-141-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2628-257-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2756-518-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2756-231-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2776-157-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2776-40-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2776-26-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2776-32-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3216-242-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3216-123-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3516-465-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3516-74-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3516-80-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3516-73-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3516-206-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3520-121-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3520-102-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3520-111-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4048-306-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4048-183-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4048-591-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4064-750-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/4064-575-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/4388-293-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4388-172-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4540-207-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4540-462-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4608-69-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4608-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4608-63-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4608-92-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4608-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5012-54-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5012-53-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/5012-45-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5232-243-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5232-247-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5324-258-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5324-552-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5400-270-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5400-566-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5516-579-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5516-282-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5616-294-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5616-596-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5668-593-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5668-624-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5712-307-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5712-619-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6104-635-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6104-565-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download