ea581c00eb93dd9d7909f9c73d346b0cd42e2d4ec7943a8a0f63fac4218e0e73

Analysis

max time kernel
110s
max time network
107s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-10-2024 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spacedesk_driver_Win_10_64_v2123.msi
Size

4.7MB
MD5

07db314cd098c23a5c8717f939475cc6
SHA1

a941be961b9b6153ab149a5e0f3297546a2b370b
SHA256

ea581c00eb93dd9d7909f9c73d346b0cd42e2d4ec7943a8a0f63fac4218e0e73
SHA512

111dd03c3db9ce020ae6a8be01dbc6c8eef9d082e79dd47aff839ccc379b73e69b792c98d218acd9eb2430c2d154ca624f8ab9a62ad87e93cf24da09b16b854e
SSDEEP

98304:k5W7SouwDgr37H5QzpEs8WeLf+UkPthDE16bA:Zz8rVApEskLf1G3Dvb

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\SET360F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\spacedeskDriverBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\spacedeskDriverAndroidControl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET360F.tmp	DrvInst.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4328	msiexec.exe
3	4328	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3824e9b7-9b09-ec42-ab34-082c73315647}\spacedeskDriverAndroidUsb.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3824e9b7-9b09-ec42-ab34-082c73315647}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskktminputmouse.inf_amd64_96adfd1912f06435\amd64\spacedeskKtmInput.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05060a7e-2131-ce44-9b83-8b390207adfd}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5f6ef45-795a-cf44-9712-7c2e86a459d9}\SET3360.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2b448eca-6383-5148-8fc1-5fdf8bb8a700}\spacedeskKtmInputmouse.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidcontrol.inf_amd64_c78e51cb686ef158\amd64\spacedeskDriverAndroidControl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2b448eca-6383-5148-8fc1-5fdf8bb8a700}\spacedeskKtmInputmouse.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverhid.inf_amd64_696ff26a48c2be30\spacedeskDriverHid.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5f6ef45-795a-cf44-9712-7c2e86a459d9}\spacedeskdisplay.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e4b83e6d-6ec4-ea44-84ed-489285b18a5a}\amd64	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e4b83e6d-6ec4-ea44-84ed-489285b18a5a}\amd64\SET347B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverbus.inf_amd64_ca14b443f0e19ed5\spacedeskDriverBus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2b448eca-6383-5148-8fc1-5fdf8bb8a700}\amd64\SET30FE.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{05060a7e-2131-ce44-9b83-8b390207adfd}\SET3218.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d5f6ef45-795a-cf44-9712-7c2e86a459d9}\SET3350.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdisplay.inf_amd64_3593bb65393d1791\spacedeskdisplay.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c882364-84e0-a34e-a6d5-6d9634c9ea2b}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidusb.inf_amd64_f5bd7a6351e515b7\spacedeskDriverAndroidUsb.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidusb.inf_amd64_f5bd7a6351e515b7\spacedeskDriverAndroidUsb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05060a7e-2131-ce44-9b83-8b390207adfd}\spacedeskDriverHid.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdisplay.inf_amd64_3593bb65393d1791\amd64\spacedeskDisplayUmode1_0.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f43cc350-e8f0-714a-bdd5-23712eea6240}\SET2E40.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5f6ef45-795a-cf44-9712-7c2e86a459d9}\SET3350.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidcontrol.inf_amd64_c78e51cb686ef158\spacedeskDriverAndroidControl.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d5f6ef45-795a-cf44-9712-7c2e86a459d9}\SET3360.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d5f6ef45-795a-cf44-9712-7c2e86a459d9}\amd64\SET3361.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverbus.inf_amd64_ca14b443f0e19ed5\spacedeskDriverBus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f43cc350-e8f0-714a-bdd5-23712eea6240}\amd64\spacedeskDriverAndroidControl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3824e9b7-9b09-ec42-ab34-082c73315647}\SET3035.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2b448eca-6383-5148-8fc1-5fdf8bb8a700}\SET310F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5f6ef45-795a-cf44-9712-7c2e86a459d9}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e4b83e6d-6ec4-ea44-84ed-489285b18a5a}\SET347A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f43cc350-e8f0-714a-bdd5-23712eea6240}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3824e9b7-9b09-ec42-ab34-082c73315647}\amd64\SET3033.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3824e9b7-9b09-ec42-ab34-082c73315647}\spacedeskDriverAndroidUsb.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdisplay.inf_amd64_3593bb65393d1791\amd64\spacedeskDisplayUmode1_2.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriveraudio.inf_amd64_5f028417c7e42db4\spacedeskDriverAudio.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskktminputmouse.inf_amd64_96adfd1912f06435\spacedeskKtmInputmouse.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05060a7e-2131-ce44-9b83-8b390207adfd}\amd64\spacedeskDriverHid.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7c882364-84e0-a34e-a6d5-6d9634c9ea2b}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f43cc350-e8f0-714a-bdd5-23712eea6240}\SET2E2F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f43cc350-e8f0-714a-bdd5-23712eea6240}\spacedeskDriverAndroidControl.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f43cc350-e8f0-714a-bdd5-23712eea6240}\SET2E40.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f43cc350-e8f0-714a-bdd5-23712eea6240}\amd64\SET2E41.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3824e9b7-9b09-ec42-ab34-082c73315647}\SET3034.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5f6ef45-795a-cf44-9712-7c2e86a459d9}\amd64\spacedeskDisplayUmode1_0.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5f6ef45-795a-cf44-9712-7c2e86a459d9}\amd64\spacedeskDisplayUmode1_2.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2b448eca-6383-5148-8fc1-5fdf8bb8a700}\SET310F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5f6ef45-795a-cf44-9712-7c2e86a459d9}\spacedeskDisplay.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5f6ef45-795a-cf44-9712-7c2e86a459d9}\amd64\SET3361.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5f6ef45-795a-cf44-9712-7c2e86a459d9}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e4b83e6d-6ec4-ea44-84ed-489285b18a5a}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f43cc350-e8f0-714a-bdd5-23712eea6240}\spacedeskDriverAndroidControl.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f43cc350-e8f0-714a-bdd5-23712eea6240}\amd64\SET2E41.tmp	DrvInst.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverBus.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverBus.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskktminputmouse.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskConsole.exe	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidControl.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdriveraudio.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverAudio.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdriverhid.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskKtmInput.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\SpacedeskSetupCustomAction64.exe	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidUsb.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverAndroidUsb.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverAndroidControl.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidUsb.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdriverbus.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskktminputmouse.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskServiceTray.exe	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDisplayUmode1_0.dll	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidControl.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDisplayUmode1_2.dll	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAudio.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverHid.dll	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverHid.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdisplay.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdisplay.inf	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI31BF.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF267E2174278AC719.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2D56.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI2D67.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI30B5.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2D67.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FE9.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem9.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI36F6.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI352D.tmp
File opened for modification	C:\Windows\Installer\MSI3677.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI3432.tmp	msiexec.exe
File created	C:\Windows\Installer\e582a0b.msi	msiexec.exe
File created	C:\Windows\INF\oem0.PNF	MSI2CAA.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem7.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI36D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CAA.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\{A3A2D539-4D61-4BCB-9ED4-9C113A5847C5}\installerIcon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\e582a09.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF8A922B4805B7C4E5.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem7.inf	DrvInst.exe
File created	C:\Windows\inf\oem9.inf	DrvInst.exe
File created	C:\Windows\Installer\{A3A2D539-4D61-4BCB-9ED4-9C113A5847C5}\installerIcon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{A3A2D539-4D61-4BCB-9ED4-9C113A5847C5}\ShortCutIcon.exe	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA4FCDB838D80FC8A.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2B22.tmp	msiexec.exe
File created	C:\Windows\INF\oem1.PNF	MSI2CAA.tmp
File opened for modification	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI32DA.tmp	msiexec.exe
File created	C:\Windows\inf\oem8.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI31BF.tmp
File opened for modification	C:\Windows\Installer\MSI30B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3783.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A3A2D539-4D61-4BCB-9ED4-9C113A5847C5}	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI3432.tmp
File opened for modification	C:\Windows\Installer\MSI352D.tmp	msiexec.exe
File created	C:\Windows\Installer\{A3A2D539-4D61-4BCB-9ED4-9C113A5847C5}\ShortCutIcon.exe	msiexec.exe
File created	C:\Windows\Installer\e582a09.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI32DA.tmp
File opened for modification	C:\Windows\inf\oem8.inf	DrvInst.exe
File created	C:\Windows\SystemTemp\~DF2F6E3680307C592B.TMP	msiexec.exe
File created	C:\Windows\INF\oem2.PNF	MSI2CAA.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI2FE9.tmp

Executes dropped EXE 15 IoCs

pid	Process
1896	MSI2CAA.tmp
652	MSI2D56.tmp
660	MSI2D67.tmp
2556	MSI2FE9.tmp
2056	MSI30B5.tmp
4972	MSI31BF.tmp
1972	MSI32DA.tmp
2848	MSI3432.tmp
4376	MSI352D.tmp
3268	MSI3677.tmp
2164	spacedeskService.exe
1292	spacedeskServiceTray.exe
1492	MSI36D5.tmp
1152	MSI36F6.tmp
2608	MSI3783.tmp

Loads dropped DLL 1 IoCs

pid	Process
3700	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4328	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spacedeskServiceTray.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	MSI3432.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	MSI2D67.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MSI30B5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	MSI30B5.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	MSI30B5.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	MSI3432.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	MSI32DA.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	MSI30B5.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	MSI32DA.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MSI3432.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	MSI352D.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MSI2D67.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	MSI31BF.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	MSI2D67.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	MSI2D67.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	MSI30B5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	MSI31BF.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	MSI3432.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	MSI2D67.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	MSI30B5.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	MSI30B5.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	MSI2D67.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	MSI31BF.tmp

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\datronicsoft\v3DDK\RebootRequired = "1"	MSI2CAA.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\935D2A3A16D4BCB4E94DC911A385745C\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7D4CBC34A6B7014BBE966DEFF93900B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7D4CBC34A6B7014BBE966DEFF93900B\935D2A3A16D4BCB4E94DC911A385745C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\PackageCode = "568A507F827DC6D43842139253E4BAC6"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\935D2A3A16D4BCB4E94DC911A385745C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\SourceList\PackageName = "spacedesk_driver_Win_10_64_v2123.msi"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\ProductName = "spacedesk Windows DRIVER"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\Version = "33619991"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\ProductIcon = "C:\\Windows\\Installer\\{A3A2D539-4D61-4BCB-9ED4-9C113A5847C5}\\installerIcon.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\935D2A3A16D4BCB4E94DC911A385745C	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3068	msiexec.exe
3068	msiexec.exe
1896	MSI2CAA.tmp
1896	MSI2CAA.tmp
2804	chrome.exe
2804	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4328	msiexec.exe
Token: SeSecurityPrivilege	3068	msiexec.exe
Token: SeCreateTokenPrivilege	4328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4328	msiexec.exe
Token: SeLockMemoryPrivilege	4328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4328	msiexec.exe
Token: SeMachineAccountPrivilege	4328	msiexec.exe
Token: SeTcbPrivilege	4328	msiexec.exe
Token: SeSecurityPrivilege	4328	msiexec.exe
Token: SeTakeOwnershipPrivilege	4328	msiexec.exe
Token: SeLoadDriverPrivilege	4328	msiexec.exe
Token: SeSystemProfilePrivilege	4328	msiexec.exe
Token: SeSystemtimePrivilege	4328	msiexec.exe
Token: SeProfSingleProcessPrivilege	4328	msiexec.exe
Token: SeIncBasePriorityPrivilege	4328	msiexec.exe
Token: SeCreatePagefilePrivilege	4328	msiexec.exe
Token: SeCreatePermanentPrivilege	4328	msiexec.exe
Token: SeBackupPrivilege	4328	msiexec.exe
Token: SeRestorePrivilege	4328	msiexec.exe
Token: SeShutdownPrivilege	4328	msiexec.exe
Token: SeDebugPrivilege	4328	msiexec.exe
Token: SeAuditPrivilege	4328	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4328	msiexec.exe
Token: SeChangeNotifyPrivilege	4328	msiexec.exe
Token: SeRemoteShutdownPrivilege	4328	msiexec.exe
Token: SeUndockPrivilege	4328	msiexec.exe
Token: SeSyncAgentPrivilege	4328	msiexec.exe
Token: SeEnableDelegationPrivilege	4328	msiexec.exe
Token: SeManageVolumePrivilege	4328	msiexec.exe
Token: SeImpersonatePrivilege	4328	msiexec.exe
Token: SeCreateGlobalPrivilege	4328	msiexec.exe
Token: SeCreateTokenPrivilege	4328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4328	msiexec.exe
Token: SeLockMemoryPrivilege	4328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4328	msiexec.exe
Token: SeMachineAccountPrivilege	4328	msiexec.exe
Token: SeTcbPrivilege	4328	msiexec.exe
Token: SeSecurityPrivilege	4328	msiexec.exe
Token: SeTakeOwnershipPrivilege	4328	msiexec.exe
Token: SeLoadDriverPrivilege	4328	msiexec.exe
Token: SeSystemProfilePrivilege	4328	msiexec.exe
Token: SeSystemtimePrivilege	4328	msiexec.exe
Token: SeProfSingleProcessPrivilege	4328	msiexec.exe
Token: SeIncBasePriorityPrivilege	4328	msiexec.exe
Token: SeCreatePagefilePrivilege	4328	msiexec.exe
Token: SeCreatePermanentPrivilege	4328	msiexec.exe
Token: SeBackupPrivilege	4328	msiexec.exe
Token: SeRestorePrivilege	4328	msiexec.exe
Token: SeShutdownPrivilege	4328	msiexec.exe
Token: SeDebugPrivilege	4328	msiexec.exe
Token: SeAuditPrivilege	4328	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4328	msiexec.exe
Token: SeChangeNotifyPrivilege	4328	msiexec.exe
Token: SeRemoteShutdownPrivilege	4328	msiexec.exe
Token: SeUndockPrivilege	4328	msiexec.exe
Token: SeSyncAgentPrivilege	4328	msiexec.exe
Token: SeEnableDelegationPrivilege	4328	msiexec.exe
Token: SeManageVolumePrivilege	4328	msiexec.exe
Token: SeImpersonatePrivilege	4328	msiexec.exe
Token: SeCreateGlobalPrivilege	4328	msiexec.exe
Token: SeCreateTokenPrivilege	4328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4328	msiexec.exe
Token: SeLockMemoryPrivilege	4328	msiexec.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4328	msiexec.exe
1292	spacedeskServiceTray.exe
1292	spacedeskServiceTray.exe
4328	msiexec.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1292	spacedeskServiceTray.exe
1292	spacedeskServiceTray.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3700	3068	msiexec.exe	81
PID 3068 wrote to memory of 3700	3068	msiexec.exe	81
PID 3068 wrote to memory of 3700	3068	msiexec.exe	81
PID 3068 wrote to memory of 2444	3068	msiexec.exe	85
PID 3068 wrote to memory of 2444	3068	msiexec.exe	85
PID 3068 wrote to memory of 1896	3068	msiexec.exe	87
PID 3068 wrote to memory of 1896	3068	msiexec.exe	87
PID 3068 wrote to memory of 652	3068	msiexec.exe	88
PID 3068 wrote to memory of 652	3068	msiexec.exe	88
PID 3068 wrote to memory of 660	3068	msiexec.exe	89
PID 3068 wrote to memory of 660	3068	msiexec.exe	89
PID 2752 wrote to memory of 2252	2752	svchost.exe	91
PID 2752 wrote to memory of 2252	2752	svchost.exe	91
PID 2752 wrote to memory of 4068	2752	svchost.exe	92
PID 2752 wrote to memory of 4068	2752	svchost.exe	92
PID 3068 wrote to memory of 2556	3068	msiexec.exe	93
PID 3068 wrote to memory of 2556	3068	msiexec.exe	93
PID 2752 wrote to memory of 2688	2752	svchost.exe	94
PID 2752 wrote to memory of 2688	2752	svchost.exe	94
PID 3068 wrote to memory of 2056	3068	msiexec.exe	95
PID 3068 wrote to memory of 2056	3068	msiexec.exe	95
PID 2752 wrote to memory of 4548	2752	svchost.exe	96
PID 2752 wrote to memory of 4548	2752	svchost.exe	96
PID 3068 wrote to memory of 4972	3068	msiexec.exe	97
PID 3068 wrote to memory of 4972	3068	msiexec.exe	97
PID 2752 wrote to memory of 3464	2752	svchost.exe	98
PID 2752 wrote to memory of 3464	2752	svchost.exe	98
PID 3068 wrote to memory of 1972	3068	msiexec.exe	99
PID 3068 wrote to memory of 1972	3068	msiexec.exe	99
PID 2752 wrote to memory of 1532	2752	svchost.exe	100
PID 2752 wrote to memory of 1532	2752	svchost.exe	100
PID 3068 wrote to memory of 2848	3068	msiexec.exe	101
PID 3068 wrote to memory of 2848	3068	msiexec.exe	101
PID 2752 wrote to memory of 1764	2752	svchost.exe	102
PID 2752 wrote to memory of 1764	2752	svchost.exe	102
PID 3068 wrote to memory of 4376	3068	msiexec.exe	103
PID 3068 wrote to memory of 4376	3068	msiexec.exe	103
PID 2752 wrote to memory of 3828	2752	svchost.exe	104
PID 2752 wrote to memory of 3828	2752	svchost.exe	104
PID 2752 wrote to memory of 1880	2752	svchost.exe	105
PID 2752 wrote to memory of 1880	2752	svchost.exe	105
PID 3068 wrote to memory of 3268	3068	msiexec.exe	106
PID 3068 wrote to memory of 3268	3068	msiexec.exe	106
PID 2164 wrote to memory of 1292	2164	spacedeskService.exe	108
PID 2164 wrote to memory of 1292	2164	spacedeskService.exe	108
PID 2164 wrote to memory of 1292	2164	spacedeskService.exe	108
PID 3068 wrote to memory of 1492	3068	msiexec.exe	109
PID 3068 wrote to memory of 1492	3068	msiexec.exe	109
PID 3068 wrote to memory of 1152	3068	msiexec.exe	110
PID 3068 wrote to memory of 1152	3068	msiexec.exe	110
PID 3068 wrote to memory of 2608	3068	msiexec.exe	111
PID 3068 wrote to memory of 2608	3068	msiexec.exe	111
PID 2804 wrote to memory of 1348	2804	chrome.exe	117
PID 2804 wrote to memory of 1348	2804	chrome.exe	117
PID 2804 wrote to memory of 3512	2804	chrome.exe	118
PID 2804 wrote to memory of 3512	2804	chrome.exe	118
PID 2804 wrote to memory of 3512	2804	chrome.exe	118
PID 2804 wrote to memory of 3512	2804	chrome.exe	118
PID 2804 wrote to memory of 3512	2804	chrome.exe	118
PID 2804 wrote to memory of 3512	2804	chrome.exe	118
PID 2804 wrote to memory of 3512	2804	chrome.exe	118
PID 2804 wrote to memory of 3512	2804	chrome.exe	118
PID 2804 wrote to memory of 3512	2804	chrome.exe	118
PID 2804 wrote to memory of 3512	2804	chrome.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\spacedesk_driver_Win_10_64_v2123.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 13440B500DD826B0D9E46433E21C82C9 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3700
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2444
- C:\Windows\Installer\MSI2CAA.tmp
  "C:\Windows\Installer\MSI2CAA.tmp" -preInstallCheck_W10
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Windows\Installer\MSI2D56.tmp
  "C:\Windows\Installer\MSI2D56.tmp" -qWaveCheck
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\Installer\MSI2D67.tmp
  "C:\Windows\Installer\MSI2D67.tmp" -install_android_control,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:660
- C:\Windows\Installer\MSI2FE9.tmp
  "C:\Windows\Installer\MSI2FE9.tmp" -install_android_usb,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  PID:2556
- C:\Windows\Installer\MSI30B5.tmp
  "C:\Windows\Installer\MSI30B5.tmp" -install_ktm,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:2056
- C:\Windows\Installer\MSI31BF.tmp
  "C:\Windows\Installer\MSI31BF.tmp" -install_hid,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4972
- C:\Windows\Installer\MSI32DA.tmp
  "C:\Windows\Installer\MSI32DA.tmp" -install_iddcx,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\,0
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1972
- C:\Windows\Installer\MSI3432.tmp
  "C:\Windows\Installer\MSI3432.tmp" -install_audio,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:2848
- C:\Windows\Installer\MSI352D.tmp
  "C:\Windows\Installer\MSI352D.tmp" -install_bus,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4376
- C:\Windows\Installer\MSI3677.tmp
  "C:\Windows\Installer\MSI3677.tmp" -install_server,C:\Program Files\datronicsoft\spacedesk\
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\Installer\MSI36D5.tmp
  "C:\Windows\Installer\MSI36D5.tmp" -openFirewall,C:\Program Files\datronicsoft\spacedesk\
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\Installer\MSI36F6.tmp
  "C:\Windows\Installer\MSI36F6.tmp" -spacedeskProgramFilesDelete,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\Installer\MSI3783.tmp
  "C:\Windows\Installer\MSI3783.tmp" -otherFirewallCheck
  2⤵
  - Executes dropped EXE
  PID:2608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{365f967b-e105-674d-805c-ebb1c2c119b5}\spacedeskDriverAndroidControl.inf" "9" "44282f7e3" "0000000000000148" "WinSta0\Default" "00000000000000B4" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2252
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "1" "ROOT\SPACEDESK_ANDROID_CONTROL\0000" "C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidcontrol.inf_amd64_c78e51cb686ef158\spacedeskdriverandroidcontrol.inf" "oem3.inf:*:*:1.0.452.9:ROOT\VID_DATRONICSOFT_PID_SPACEDESK_DRIVER_USB_ANDROID_0001," "44282f7e3" "0000000000000148" "13d9"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:4068
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidUsb.inf" "9" "4c4c2d17b" "00000000000000F0" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2688
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{8e1ce7b4-5c09-db4b-98e0-832cad04fde6}\spacedeskKtmInputmouse.inf" "9" "431da1b7b" "0000000000000160" "WinSta0\Default" "0000000000000174" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4548
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5a67485f-04ca-f441-85d2-2f70c3f2a851}\spacedeskDriverHid.inf" "9" "4427793e7" "0000000000000174" "WinSta0\Default" "0000000000000148" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3464
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{eadb35c7-16c5-0647-a45f-c12056d2d016}\spacedeskdisplay.inf" "9" "442436977" "0000000000000188" "WinSta0\Default" "0000000000000174" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1532
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{ea8ccd0c-3481-d140-b1f3-b7caa76d7bfa}\spacedeskDriverAudio.inf" "9" "447268673" "0000000000000174" "WinSta0\Default" "0000000000000148" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1764
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a0a3d9c8-345b-f641-b790-2c3a75d924c8}\spacedeskDriverBus.inf" "9" "4522ade83" "0000000000000188" "WinSta0\Default" "00000000000000F0" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3828
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "1" "ROOT\SPACEDESK_VIRTUAL_BUS\0000" "C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverbus.inf_amd64_ca14b443f0e19ed5\spacedeskdriverbus.inf" "oem9.inf:*:*:1.0.458.44:Root\VID_DATRONICSOFT_PID_SPACEDESK_VIRTUAL_BUS_0001," "4522ade83" "0000000000000188" "13d9"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:1880

C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe
"C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Program Files\datronicsoft\spacedesk\spacedeskServiceTray.exe
  This is spacedesk Service calling.
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1292

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8c83cc40,0x7ffd8c83cc4c,0x7ffd8c83cc58
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1704,i,14073979362579844273,9865713863064524445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1728 /prefetch:2
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1896,i,14073979362579844273,9865713863064524445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:3
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,14073979362579844273,9865713863064524445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,14073979362579844273,9865713863064524445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,14073979362579844273,9865713863064524445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,14073979362579844273,9865713863064524445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4572,i,14073979362579844273,9865713863064524445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4576,i,14073979362579844273,9865713863064524445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4820,i,14073979362579844273,9865713863064524445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3384,i,14073979362579844273,9865713863064524445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3368,i,14073979362579844273,9865713863064524445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:4936

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2228
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:4516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1820 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b2a9108-acf2-40de-9b50-73acf5ee107a} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" gpu
    3⤵
    PID:2892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2372 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ada32653-780b-403b-8767-3cb6fda1be73} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" socket
    3⤵
    PID:4160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3188 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10594c5a-c5e6-4ae4-834b-102d97d7b32a} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:1536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6c623c3-559a-4148-bbc0-ba78afc081ac} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4720 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4588 -prefMapHandle 4584 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ccc3f62-4890-4a25-9467-4bc679e6073c} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" utility
    3⤵
    PID:5408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3748 -childID 3 -isForBrowser -prefsHandle 3760 -prefMapHandle 5052 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f683df12-6b26-4c1b-ba25-58b3d7bf10dd} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4172 -childID 4 -isForBrowser -prefsHandle 3656 -prefMapHandle 4832 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23a775fc-6f8b-4407-98a0-ddee0b4dd699} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5220 -childID 5 -isForBrowser -prefsHandle 5300 -prefMapHandle 5296 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55e55a55-d394-47ca-a1bc-fa91e0262dcc} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 6 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11682d21-4555-4793-acac-4645c53c38f4} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 7 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b630bb86-4651-4491-8646-02fb62c01a3f} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 8 -isForBrowser -prefsHandle 5488 -prefMapHandle 5396 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddc266f4-45ce-4c08-aad0-7d46518953ab} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6072 -childID 9 -isForBrowser -prefsHandle 5992 -prefMapHandle 6000 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e1ee76a-d6fd-4ac3-8e42-477348d94315} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6196 -childID 10 -isForBrowser -prefsHandle 6272 -prefMapHandle 6268 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {360320a3-b762-49cd-993e-56afc9f74352} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6168 -childID 11 -isForBrowser -prefsHandle 6408 -prefMapHandle 6412 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d529e8a-cef4-4a26-ab65-2455ff0dc5a3} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6600 -childID 12 -isForBrowser -prefsHandle 6676 -prefMapHandle 6672 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9d32df2-114b-48bc-8a31-d61b90b080fb} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6816 -childID 13 -isForBrowser -prefsHandle 6580 -prefMapHandle 6584 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98c1c304-e491-49ba-9bc6-db30dd822d41} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6984 -childID 14 -isForBrowser -prefsHandle 7060 -prefMapHandle 7056 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d30daa3-f9a0-4177-ae3b-672e661f6e22} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7152 -childID 15 -isForBrowser -prefsHandle 7160 -prefMapHandle 7164 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {752fa745-c2d3-43c5-b389-95c26f2cea03} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7348 -childID 16 -isForBrowser -prefsHandle 7356 -prefMapHandle 7360 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {050e8070-787f-43cc-b7c7-18182a079031} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6984 -childID 17 -isForBrowser -prefsHandle 7564 -prefMapHandle 7568 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d321244a-9261-4948-82fb-abde869a1bfd} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7764 -childID 18 -isForBrowser -prefsHandle 7776 -prefMapHandle 7720 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1bc4273-ff73-4566-bb23-0dd86c42e385} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7956 -childID 19 -isForBrowser -prefsHandle 7968 -prefMapHandle 7912 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e40a485-603c-44f3-89e4-9a369f313eb0} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8116 -childID 20 -isForBrowser -prefsHandle 8124 -prefMapHandle 8128 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fcc2726-9ebf-458c-b231-7be357155b23} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8312 -childID 21 -isForBrowser -prefsHandle 8320 -prefMapHandle 8324 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4dd773c-c861-4fa4-8c76-8d5c105224c5} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8464 -childID 22 -isForBrowser -prefsHandle 8420 -prefMapHandle 3380 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71b0a6c3-79f3-4f08-ae62-63c4be794f7f} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8628 -childID 23 -isForBrowser -prefsHandle 8636 -prefMapHandle 8640 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39ee6da0-3fe3-4620-8551-e77730aa0d01} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8844 -childID 24 -isForBrowser -prefsHandle 8920 -prefMapHandle 8916 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdf36963-7b6f-45ac-95d4-815fff8964cf} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9068 -childID 25 -isForBrowser -prefsHandle 8808 -prefMapHandle 8816 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37997f73-64fe-4a86-b938-cde812b4aa90} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9228 -childID 26 -isForBrowser -prefsHandle 9236 -prefMapHandle 9240 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {565d5f94-f376-48b0-8eb8-b3ab1ab9345f} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9576 -childID 27 -isForBrowser -prefsHandle 9496 -prefMapHandle 9504 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {580527ef-4229-47d0-a2cf-7bde0ca29404} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9480 -childID 28 -isForBrowser -prefsHandle 9708 -prefMapHandle 9712 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b1ad3d1-19bd-479b-9810-57b2fcafa67b} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9896 -childID 29 -isForBrowser -prefsHandle 9908 -prefMapHandle 9852 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc2117b3-9734-40a7-af8a-5407267203c6} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10076 -childID 30 -isForBrowser -prefsHandle 10084 -prefMapHandle 10088 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be33372d-a9aa-4b27-8045-98518ceb721b} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:3736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10272 -childID 31 -isForBrowser -prefsHandle 10280 -prefMapHandle 10284 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bce2ae2c-3e37-430d-a7e3-93384fcfb14c} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:1436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10464 -childID 32 -isForBrowser -prefsHandle 10472 -prefMapHandle 10476 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1aebf55-9e68-4112-a978-5df725da6a46} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:1384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10684 -childID 33 -isForBrowser -prefsHandle 10692 -prefMapHandle 10696 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a11b5bfe-be21-4c3f-a748-1a6208dc7067} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10876 -childID 34 -isForBrowser -prefsHandle 10956 -prefMapHandle 10952 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22a770f7-0337-4088-ae78-f20d3d132b8e} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11080 -childID 35 -isForBrowser -prefsHandle 11088 -prefMapHandle 11092 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22dd37e3-2046-4324-a0b1-26db6f1deacf} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11308 -childID 36 -isForBrowser -prefsHandle 11388 -prefMapHandle 11384 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a7817ef-9a92-47ce-b7a0-82b3e4bf2185} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11532 -childID 37 -isForBrowser -prefsHandle 11608 -prefMapHandle 11604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57bc5754-7f09-4940-b892-db0fb8e764fb} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11724 -childID 38 -isForBrowser -prefsHandle 11800 -prefMapHandle 11796 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89212f95-23ff-48b9-a75f-4130c582c0aa} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11824 -childID 39 -isForBrowser -prefsHandle 11984 -prefMapHandle 11980 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d47d15c-2db8-43ef-867e-d5ee97991335} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12204 -childID 40 -isForBrowser -prefsHandle 12124 -prefMapHandle 12132 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96b5019e-83a9-4504-a16c-f98f656e1fb2} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12304 -childID 41 -isForBrowser -prefsHandle 12312 -prefMapHandle 12316 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21aebdea-1a08-4217-961c-3fcc82a87b04} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12604 -childID 42 -isForBrowser -prefsHandle 12524 -prefMapHandle 12528 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93d704c5-e864-4c73-a959-27c8d4520222} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12304 -childID 43 -isForBrowser -prefsHandle 12740 -prefMapHandle 12748 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62d862ce-6594-4f5c-b1b8-729629d40744} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:2596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12932 -childID 44 -isForBrowser -prefsHandle 12944 -prefMapHandle 12888 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74af16ab-446c-4f6f-9465-9442582b4658} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13092 -childID 45 -isForBrowser -prefsHandle 13100 -prefMapHandle 13104 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75535ee3-dcb3-474e-9bfb-6aac6a196eb8} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13288 -childID 46 -isForBrowser -prefsHandle 13296 -prefMapHandle 13300 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1231c91-69fd-41e7-9ec4-04f9618e93c1} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:4680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13488 -childID 47 -isForBrowser -prefsHandle 13492 -prefMapHandle 13496 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23452b85-06c6-44e1-8256-f77a45657870} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13700 -childID 48 -isForBrowser -prefsHandle 13656 -prefMapHandle 13472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ca025fd-beeb-47c9-88e2-f08470f2ef49} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13864 -childID 49 -isForBrowser -prefsHandle 13872 -prefMapHandle 13876 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b94a28d-78dc-4a89-8125-deafd863bc80} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14144 -childID 50 -isForBrowser -prefsHandle 14064 -prefMapHandle 14068 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3eb15ab-7097-4244-9786-e97def885859} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14268 -childID 51 -isForBrowser -prefsHandle 14276 -prefMapHandle 14280 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfd6e83e-e8ae-43d1-8853-55e29a31e556} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14444 -childID 52 -isForBrowser -prefsHandle 14452 -prefMapHandle 14456 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80bd1ed7-d2b8-4da5-91ab-59ff98a9932b} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14668 -childID 53 -isForBrowser -prefsHandle 14680 -prefMapHandle 14624 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4629fed-f088-4d65-b5fb-26314d5fd96e} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14828 -childID 54 -isForBrowser -prefsHandle 14836 -prefMapHandle 14840 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c77166b7-5c45-4c8e-b8e1-9868151ac9f8} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15020 -childID 55 -isForBrowser -prefsHandle 15028 -prefMapHandle 15032 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11ffd042-822f-4d7c-aec6-675bd4c66698} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14648 -childID 56 -isForBrowser -prefsHandle 15236 -prefMapHandle 15240 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ba99cc3-c46b-41fe-997a-f1e74ceada36} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15420 -childID 57 -isForBrowser -prefsHandle 15500 -prefMapHandle 15496 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c441ec1-e274-4742-be74-dd9e24f42abe} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15624 -childID 58 -isForBrowser -prefsHandle 15700 -prefMapHandle 15696 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaad9a9b-33c0-430b-a3c5-64bb1d1f0b5d} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15888 -childID 59 -isForBrowser -prefsHandle 15808 -prefMapHandle 15816 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e20632b3-f473-40fb-9950-bf05d9f83d1d} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:3284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 60 -isForBrowser -prefsHandle 15608 -prefMapHandle 15624 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c16db764-5c56-4be4-abdb-54735e6547d1} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:4448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16056 -childID 61 -isForBrowser -prefsHandle 16064 -prefMapHandle 16072 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5330e142-63b2-4d22-a74f-23a7c2801ba5} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:1148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16224 -childID 62 -isForBrowser -prefsHandle 5656 -prefMapHandle 5660 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf250327-9e9e-43ec-9811-1de734870bc1} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16300 -childID 63 -isForBrowser -prefsHandle 16380 -prefMapHandle 16376 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca3c4927-737c-46ce-afd3-c91f87e17799} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16484 -childID 64 -isForBrowser -prefsHandle 16492 -prefMapHandle 16496 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01b8cf65-7444-49c1-8198-4b5f42b7f50b} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16684 -childID 65 -isForBrowser -prefsHandle 16692 -prefMapHandle 16696 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2de55653-2283-46bc-aed9-f826ea5420d3} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16868 -childID 66 -isForBrowser -prefsHandle 16876 -prefMapHandle 16880 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0452a752-6f63-4c91-834e-87376c39a023} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17080 -childID 67 -isForBrowser -prefsHandle 6876 -prefMapHandle 6872 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ed64392-8b25-400c-8e5d-0c39866298c4} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6672 -childID 68 -isForBrowser -prefsHandle 17224 -prefMapHandle 17232 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bb469a8-6b43-46ed-be52-ad8c3c8f2a7c} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:5800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17380 -childID 69 -isForBrowser -prefsHandle 17388 -prefMapHandle 17392 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {defb77c8-8c07-4677-a7d5-a2bec7430c8b} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17560 -childID 70 -isForBrowser -prefsHandle 17604 -prefMapHandle 17612 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {853d05e6-e5cf-4b40-9a2f-cbf203a7e4a1} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17852 -childID 71 -isForBrowser -prefsHandle 17772 -prefMapHandle 17776 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5226fe6e-f6a8-4acb-98a8-9b77ce5bb0d8} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17988 -childID 72 -isForBrowser -prefsHandle 17940 -prefMapHandle 17756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40e5b804-b1f9-4ff7-a61e-71a65426f3c2} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18164 -childID 73 -isForBrowser -prefsHandle 18088 -prefMapHandle 18092 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acc775cd-0c8b-49a7-8fe6-b73232b4168f} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18304 -childID 74 -isForBrowser -prefsHandle 18316 -prefMapHandle 18260 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1c65006-f388-48b6-896b-52a01cbb513c} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18468 -childID 75 -isForBrowser -prefsHandle 18476 -prefMapHandle 18480 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fc915ab-aa10-4f32-8cb3-3901aef731fb} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18692 -childID 76 -isForBrowser -prefsHandle 18704 -prefMapHandle 18648 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {803c477c-5693-4d8b-afd2-c7d7b6aaa43c} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18852 -childID 77 -isForBrowser -prefsHandle 18860 -prefMapHandle 18864 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fc9649b-fd2b-4063-bc04-e1fc4a96d634} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19072 -childID 78 -isForBrowser -prefsHandle 18992 -prefMapHandle 19000 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31600378-e2ce-42fa-9e11-75bc19e75653} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19264 -childID 79 -isForBrowser -prefsHandle 19184 -prefMapHandle 19192 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b0dfa8d-cd26-40a7-8df7-dc68be53f9ca} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19404 -childID 80 -isForBrowser -prefsHandle 19072 -prefMapHandle 19088 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25811980-bbc2-43e1-9b73-5a1fe321f9e0} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19556 -childID 81 -isForBrowser -prefsHandle 19564 -prefMapHandle 19568 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f401a82a-66db-487c-878f-e05b8942a0ba} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19772 -childID 82 -isForBrowser -prefsHandle 19848 -prefMapHandle 19844 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdc95d65-7403-4fb7-8915-4fbff1b35028} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19904 -childID 83 -isForBrowser -prefsHandle 19916 -prefMapHandle 19860 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebc99f0a-879d-47c6-99d9-90f0bf6372ce} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=20064 -childID 84 -isForBrowser -prefsHandle 20072 -prefMapHandle 20076 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a09d14c-5327-4c99-a845-2d4bbacb752f} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=20220 -childID 85 -isForBrowser -prefsHandle 20232 -prefMapHandle 20176 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5afbd119-5a32-4d42-921c-1ed8ff163164} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=20380 -childID 86 -isForBrowser -prefsHandle 20388 -prefMapHandle 20392 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddc7e982-2f76-428d-956c-52fcd71a2f5a} 4516 "\\.\pipe\gecko-crash-server-pipe.4516" tab
    3⤵
    PID:6368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582a0a.rbs

Filesize
536KB

MD5
bbd0193c1e8cd318540505aabb4247fc

SHA1
54f5f751fc869c2d54e24572dab46f1a7a411b64

SHA256
4ffbeae7dfa4e7131776c011539e522ca6c6823a164e1a4711a9f8db21211a3e

SHA512
8c7801e3f0a5ab0cf1005dd2e9ee56806e75c3a88c7bb8a8eaf31b9e5b5e10ab6f9e3bd7a71840139a83bc6f3e77b12f8aaa4d5adec3854f5d1e7fb2c2427a35

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDisplayUmode1_0.dll

Filesize
131KB

MD5
aac0755b365b10b101e822ecdd2dca98

SHA1
0d1335eeb0d5b46341a82b9ec21f20a4fd026c5e

SHA256
b21e27815ef27a3935454c7eebf6fccaef830214536185eedaff6764325d51fe

SHA512
4dedb016ec16ee4e40e34424755be8ec32005ebbc708fd2764e8a1992821e2130c77dc90ec8b53493275a4ec6416a97792f899c6db7d442fceb3ef28f12c5b3f

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDisplayUmode1_2.dll

Filesize
131KB

MD5
b4289c261f55bbe5265507895093c85b

SHA1
0f52a1a05ce85ac4664735ad5b8cd0e23e838423

SHA256
22e9bf1a067f67ec35dd62cd1b29d49acd1e9325d6a4805e4c88f96016b30c91

SHA512
f05daccc3e8ea724e160376a9e62d5c85f263bcd0f392c349414b86bbd06db75b5faef5cf44df7b946b20b35218c1b701b028760383e8e00c7c6be961dcbeace

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverAndroidControl.sys

Filesize
51KB

MD5
3c4582ccc12d41c6ddcb8bebc3ffb62e

SHA1
799a3809b91768d081b994ae1e98fa548275de71

SHA256
d7c80666182b9e9418f24dac56f05dfe53bd28d37f7764572e2bc325d96054fa

SHA512
abd3265fc3e5c16167befe800d755678e2d4ac3008ae03c51f1c251a23e250be9bd72e05f1d10727edcd0334eed6c3f4ba76852a37a9d47fb93c9a97854dbb9d

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverAndroidUsb.sys

Filesize
42KB

MD5
242f5cd519d0497129c9d8ca22e127eb

SHA1
1854b58cca948918f8e26864e727318482675e7f

SHA256
46585160227ef5c164a7005693ff0927f3048bbc57309f0061aaa5bca0e83038

SHA512
1f24b08e8c3c274638620ff6cb2de753fa56bf9c70adbb15ebe20ab0a09149d28be402795588c537c97075b3f5f960d0486e0df678f45875eb845ab9fdcc4e36

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverAudio.sys

Filesize
135KB

MD5
330c31805c9e2f8b594f79b7d8c63cd7

SHA1
af865cda469126d0f7208f92d8e5dd30331810d1

SHA256
ff09c098f44679fc668a10a837ca9de8f57d986c26bdec73513c7df58b06b800

SHA512
e23d5a1f1fbf75e5565dcf91555a025fb416bcee739b1c83d56c3f015668971b6422673ece28f2f4086b66d3bf1dbe3c00629cd2514c44459793581d03c1bbe2

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverHid.dll

Filesize
97KB

MD5
5095a2b55a1b7831a558ab8990e9801b

SHA1
bd157677e737b7238dee44d6405c4d6c36a5862d

SHA256
80e4565cca358710288c7bbc6a3287cbc03e61cf682eeadeb30d72e24b417224

SHA512
c5a6f1a81722297ca745cdd9bd74d86daf8d75f6bc5156f24d6647eeece0cdb0c00c0c77cfc75bb4d553a449e36ca1da77dbebf2d3ffc6b457d42ac00cda019a

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskKtmInput.sys

Filesize
41KB

MD5
fad80e5e02e03e48609c852a489f6cd3

SHA1
b711d9025e0b6f6567d1407d65d7f67daca292a5

SHA256
398582f8456f404653129df83d04b40f85c6b61cf213c86b75766cf77d323386

SHA512
fcc2bac894faae66c28168775bb97d75a708443bb4000c64e74ca21a3c357215f6a7bd626bbdbc090e6a55eec707de2faa7e7631129d3d4ed196fc6804033c06

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskDisplay.cat

Filesize
13KB

MD5
415e5e4431a915feb045f14a9dc41199

SHA1
28769c2178c0a827e982a25e8bc544f1cb10a41c

SHA256
25dccd3096e0394ed72c71416022f126b63e9c396f6832f3e70f63d3134608e4

SHA512
605e831deaf79ace015457c071b2545c7383ae8be5bce305d47116565f7427aca07278e7556436b20330838bf1575f91a1b9daf1ae57b14a5dffc74ad266675a

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskDriverAndroidControl.cat

Filesize
12KB

MD5
71832827d1b1780b3151c6c1a75dace0

SHA1
dca0d64d9cc14d31c52d4cbf45653796ed935373

SHA256
6d638c3d97337d40f9d7863913e1bd588064a697475ddb43949d4924d4364835

SHA512
cf99c7314dc16abb13d7cbb948654be6b70a0e9baeebece5bb887362f0f2ddfef3e165e578b11606ea9ecb63b1f24760787f464b96d38212cac8192809f203ba

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskDriverAndroidUsb.cat

Filesize
12KB

MD5
06d3d57965a43836abc68b7ea95d9f81

SHA1
2c3bebf703e6c8c79918ea6b2db9f35546fe5670

SHA256
13cd508b1e6cd8ad6e13adef666e391ac1b1be627aceadc15e2335390885cfbf

SHA512
799c15ad5e76363c96b5c5b0265fe0e9574ac30491acec5e8c323dd4a416b4c82ff28652227ca353904cb00e84f4e2865122e5356047c00585c1f59aef0f0e8a

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskDriverHid.cat

Filesize
12KB

MD5
b6264f45c48cf007079dab66a0817025

SHA1
033f03ff29eebe1ca7fca1112fa5c1bf1358e00d

SHA256
c90188d91977544ea6bb213d6b7b648a313a8b751b41799b6b9ef89d661b9567

SHA512
f35e78482c98f6400063ab09621fe856634caa46513dfec84924f7415c2b132faac097b9ec433ed390e72c86c897048d3deb0af4d9e814b7405363b1baa58c97

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskKtmInputmouse.cat

Filesize
12KB

MD5
42a4ed6e6b94e1b74e9c5538ea3af0b4

SHA1
b394e9f6c9cde7985a86c87ab2823641f32c8eea

SHA256
6d363492a43aa06bf2e5ee919c3a1d4cdd4de1ae6eca0c6d94cedd0490d1e530

SHA512
5d9620a8f7c6b7033ead1e99ef74976c6fec066d56e5ba51abfbb616b93c970e73961aae8511656779a36d6c799363f1cf57eec889bb06223077a304a9f8848a

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskdriveraudio.cat

Filesize
15KB

MD5
710ee13c1f6ba72e25414ee4bff1e993

SHA1
50993cf17f397fe7f8b06df7af50b750781b76da

SHA256
34ffd8509dc23002d2d1dd9c1fef27ae8cd14bac5a99db73d427314c46c5ae8c

SHA512
4034b3eb2c2b03ba05f7215eba863c87a87f79389d55a3ac481b87256c21af2938d08d4549d089264e06e44e5d56eea21e1167331db32f4c602823487bd0c721

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidControl.inf

Filesize
3KB

MD5
b53adfc1d7f2a50f2964aefb0319ec28

SHA1
e3d1e97cc0c1e3654ead6a79b0cbb45daf415c00

SHA256
97238c12c44025580e4393f0b4e9f0d7e08d85f4b4496fd905e3cd99501b9a0b

SHA512
87f7886d85eba57c8546669bc1d3e72563e7cbb3bd65948d2274866dc3a451512dcd8c389e9117286e2e1bf5141d2a8ea67677d6872d5485e507611d7b8d03eb

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidUsb.inf

Filesize
4KB

MD5
a72d5e569094dedbeb0527254d90ff7b

SHA1
1199188d064d3bc8e4569a5793aba4a6e362e4c1

SHA256
cb73077aea0dbc48d46fbf270578654b3fff83d5c017d89f1a6ffe5d168b2cc5

SHA512
7b5a3a597823348c23d7a230dcd86c1aee9d19223869d3d4d74bd60f44881b0fd5ae6d27e9c1952952eee3a8845c3ed424c1a10d09750f423ce6e9e9766a8bb7

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAudio.inf

Filesize
20KB

MD5
23e653a98b3ebfb5a474a30c0fb7f770

SHA1
8e9f5b638451379a5706df066e11657c484ae160

SHA256
6f1ea7acb6c668695d64cfe3d4323eaa6e997702b9ccb588e32d8e8156c5ed4b

SHA512
16d8acc399c92e94066b2e14a64e468363fb3e47e13b9cbe9da033ba085cf7054b8db57457ba1e1b437f0c5239a12e21a23070fce6bab9035d1f25f546f3c9b6

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverHid.inf

Filesize
6KB

MD5
7ededd3c7eab082b9ddc718b7db642e6

SHA1
53be30a1f2892ef54bbee533aad022cdb3b32d55

SHA256
a99a951bd2ef1362f5d2700fb5c2f326ed3def7a31824718d46bb802b83a07c0

SHA512
ff50e4a65bfd26e482367b620c13150c9bb0d95661627e0cd8494980d0ed0bee26586feffd5c7871527999d3c1356ad85119ddc66bcb0503890576264146adcf

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskKtmInputmouse.inf

Filesize
2KB

MD5
c8e701ea27a2a1d0abc8bfa99509c5c4

SHA1
b3bd4debbd0ae0499a9da6867c83014f7328753d

SHA256
bfd53b3c4e0bbbda52a631f882eafb946d62c50ae6f8df0f446984b64eb5b474

SHA512
7dcc00c31c952d84858c34354214f738f58e1d20698a2f33ba5692b6ceda41e0dec78923739427392cbe14c7114dc73a0d89429727661b86fab21a260a335bef

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdisplay.inf

Filesize
4KB

MD5
1f36ca35a470d519e08e7ffb8546b1c9

SHA1
6a29182e1202c4f66d1b0f88ffa4a78691efec16

SHA256
52375be5a196f4c2d9ffe8287d1b24591447726859d9316789d1459feeb58356

SHA512
d5f4888acad5d7649c29dd1d9ea74a86ac65f721e87af6b52456f63e0c5e2ac591626ff0ab283188d8206f91bf12158cf1a6123fc8434e777b23b5665c70175e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_74F67001B3C2D533D99B6A2860970A04

Filesize
727B

MD5
483abead45512cd5744adb3731d2ca20

SHA1
3a94cc6571426f1dff1b821442fd3945a08df8dc

SHA256
4d57728572f72ef541cd5f0199933eadf214a46b2ab1657bb34ff2562b907762

SHA512
0f279b084f39eeecef2a50bb3ea54f85ab5d082d64a60fb32c1591d64af6ad7ec99ddff20af0fdf54552a429b3c4c58a502e8fd981515c90e76d6949913c2349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
6186e955e7800eb4dd85333d7497cd94

SHA1
cefe7841d358696c9f9233ba8c64d550dadfb4f7

SHA256
c4363b0227093fbe797ee2943f96e6c2d013029acbfac8c61b4007693dcf8dae

SHA512
d766bc2a42708c3ecf1f2a07c96f83034e475ba93c1ecb7d9e5b75f04d9f86d6b898d52572178893bed05462edc7dbe246992a28a0fa2c85be9986f22c03e98e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_74F67001B3C2D533D99B6A2860970A04

Filesize
404B

MD5
64c6342dc57abf8c539837510f36a2aa

SHA1
64bdde08a41285798fe13897ea8b41621affc40b

SHA256
710f57522efce2a28dcb11fc80cd31efb7deaf3f94cf08ac640311f3ae6c5962

SHA512
5dc93cd1eaa710623cb7a90c88fb262f45ee1792aee40fc2800c980944a5078fad91c3660c3aad430aed9d6c72d4bb8ecb177ccadee3cab37ef13f90c8fc8586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
a5811bde892a7edc816ea5ac51674011

SHA1
abc344b00c7f88c44b0005bbec3895813df4b68c

SHA256
b585d8c45bedda9fdbb21f73d8c1fbce5635bc104cc2fbb0b7ba75a0bdd22e0c

SHA512
38c60d453a955863cc4ba5d3f8e5285f0ddd08b5260da6bcfbb09b14c1d87824d90430ef90269c4e29ce9c75b7a27478a3c0b9280bf1f2aa73e4a1977f54810e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
dbf4fd249795bf193026c0d4d2bc6a5d

SHA1
347d75d381c9a4e15601f00c0b742d24c3f887cf

SHA256
7a7ab9f10ee6c5f13a2818d056f88b5447dc5acd49a871fe4a145515096c78aa

SHA512
aec511aec278bec082a9a413cb809ab08291d2bbc33a76cabf78730d8e336c64059cacdc0d3b04d0ad64e9fa5d6d9b7303a16ef861142b79e1eed40f41cf15c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
281d9953a09230dfef949ffb5747989b

SHA1
33fa4d319b8a7d0179b6817d609c363b29011021

SHA256
77cd50427adaf3a483a09448d72f9e0d4bbd5df2a1b1bf28fffbd544b4ea8505

SHA512
c2631204aa01a41c8f413495241e98a7036f978a163bb8b69d097e29543f5b8244df622217adfa773337c1232bd3b6a09ba113709f9457f09dd7eb3cf6c2d633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e2d53128c4b632d7b5ac7583e700878e

SHA1
6042a03c9f0aff351f23c7dbbf5650babcb02472

SHA256
ac7415c092d886e2dcda0104c91a9d049d88e6acde1d0940b3a731c8a5ee347c

SHA512
4faf2968e699341a5d5da82ee5f51c9d7b289e3a40ef028b766eb403191726e343395e203bdb3dcef41a0ad3a402f4087aa23048b0f0123bfeb6de9baab5d47d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
615365d0b292982380941d9d9144040f

SHA1
d6bda17592899baa1c11ec16470924cbbc9a88ec

SHA256
5c50adc04925e471847d182e335a13e38e458060a4db19932b4604d58574914d

SHA512
c327c47ea6bdabbabcdfcc3f370f00a73d17f2e258e4122e52cb91610cc1d3397d02eb51697444fa5445e30b10b1e7752d3e87a8698fd8820ef16bc49d919178

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
232cf9afeb9b1971ce26563b2d8fb256

SHA1
432543d9d6737b08f1fbc36413b7084ae86387f8

SHA256
5ff6cb39955bbc460033e2beaf5a9bbd4dc1a4b5f6384ae06232097ceda71879

SHA512
758d920e7ee989f80e309889ae194f070df7892a9a7ae2cba0002215e024e7e7fa7aa26b9dc37b2baefedad737e2e82c1c93b07659b04aaefa68c6bf2f0dad0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jj59r4xg.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
3d4e01b5a06d580451b14678601e8881

SHA1
a4a1cf7973d54017459630499aa29da1cdc53287

SHA256
745d83f46c10dceba73bd8df620b5425caf62099cc5ceab9e1cae958b7b0c8a3

SHA512
133f9d4baedd459bc6a0c574cb7dd85ab33f91106dfbdd270b63ca74b0d051d7f67b22e73722558810a0be40ae63e1ec575b4cc6295bd124e9bbe40bab6a9303

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\bf7f482b-a614-40e8-9092-c13e70477690.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICBFB.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
204521f240b1190cdacba3e2a55b978a

SHA1
e74af7bf0913a6c2b4821c7fcd3af47c7e2161c5

SHA256
be7b135a5207e40c84c9b18dcfad19baee78f6896854a4ad3698e5fb035de1f8

SHA512
2d5b79baf6cc11855acb9ba274d9e0b1ab1b1e826411a879042e831c2b14eb14bfd4f9c8d5d90c8b580412c0fd0d1be2c7c00ab9ba9324874573c50699f0fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
26e316a9ea1181fd7e1f24d54d0cd170

SHA1
3aa52e34623fe4cfbbf239a61c6bec738973087a

SHA256
a3e803bdb3a11fc228642b4d2adf684e4da60a6ec3a88e98c2e73d9d507633d2

SHA512
312bcb3ad19715d9050c5d3bc1fe3e7c10073c03744098e45c54eeddd9f7b087acd4183d8b89879843e7ac8b55a6d7ed49977af95bf1af2914a95bbea2e02089

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
f5eb4ca978a7eb42d96162cfe36c2a8b

SHA1
c921224611642bafb5b2eca5a33f8d57df86e7fc

SHA256
8de5804c210b3cfad19a7863e1de344cf0c3d52064c998830d0c454f137e2c54

SHA512
6121c77970b5d3421678c79332c29b714e46ba4f7d518e899ff4edcd3ea5ebd2b5b6d527f60489217b4db1aae42cee6c668217d725bfec2404816d7213a91b81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6c2b024f2c124e582bfb6ff4d3073482

SHA1
c3dd47c723ad7709bbfad686c8572421611ff2ad

SHA256
4c928277e0a1b5957c66edebaf28a7757e6fee3bc7d242da688f30310057e88f

SHA512
4317886e331916fb2d1f2639b0657630701e44e8380c41b9055bdb7967b369606f197a15bc21d5fd88888827a8ffe2d7c18aec8f97e71cbc1679422a1789ed27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\1d6790ac-de9c-4d96-a75f-2d5a7f341e5b

Filesize
25KB

MD5
5ffb641e71ee00e39d4414478029d49a

SHA1
b4b6041e4d35721924a0e93b5a67d374772fdabb

SHA256
740682a2045550c6f717d7f12cfa47fddcf556d3a46c3374533416d99e10b8a0

SHA512
12133751a46b0ac793329ded80ea7f08e04af1048cda3717e4d2b352043215f73039d3a1ba9529775cc6e4d1b2f33f8369d3626c4b469ac0eec13cf1cb94af9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\6e347b43-2a2d-42a6-9296-fdddd12cf430

Filesize
982B

MD5
0aaa3637e3bf62af2a10d3de4bdab5a1

SHA1
e39811c3a0f822775d11710188d4db648e4ba7de

SHA256
07cae2eecb5ec25771e290a9d3c5b4d0c1fb7ddbffb32a74af0d58897bbfcc65

SHA512
13a2e1d749baf8b88f0cf3d092eec46887a7938ab56de87eaffa23f649d981048f12d9b334835e1474eaeb660e277bec16e09a5b05192b4a60bb3ffb5653c757

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\87219c76-67ef-4838-bb76-94c5cb63d0dd

Filesize
671B

MD5
3bb6cc7a2d2a0b3a12cd34473643b051

SHA1
9246b701f7b12d03c5ba8c7a215aa984a6db5ab2

SHA256
af0aa4748545658fd4f36663de8e50b6749a63b06b182d2e08c3747113323252

SHA512
ca2436aa917ea19e01265b9461e72a35f5c480390559d422d94ef4e0faea28aa24c0b349b6338c4808f8d2f0a2edc0e364f38e635c1ae23deaee874e561ddb06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs-1.js

Filesize
11KB

MD5
dc97df4340d1a06678e338c4722ababc

SHA1
e6be91c9d9a81c387ecd0b118e809d594c554fd6

SHA256
0642d3201b0999b112fa207a726ea295a5bb73d7d0d5e0feaaf7c0659fa20b5a

SHA512
beca8559b72b387f936b30ddf7105fbc12c0d3f78f15b75e5f478a9797b62bfbce6b11de85101a00902f6fa2e0da930a4a3289dae285707fd5d16b4e5fc3908c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs.js

Filesize
11KB

MD5
d2b951e64d6fc0c99f4a68543d038c5e

SHA1
10a9378212575faa479551bd8752a44f54fce683

SHA256
8117a993b081f7abc78b2ac8fad1849ad0f4464b8a233bfc63945e0f21c7d37a

SHA512
a038cb0826a0abe3dd492cc6a056b61b8b0fc445c7be3148db4554edf2a8549a344e8a891ecbb974b49f8e25f672e7f8db2f24caafd7bb5174bef72b1952fece

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
10KB

MD5
ca711733598163e0ca3ce733b34bc33d

SHA1
25146a3989deb8d29aebbe03fe66d8c50b487b2e

SHA256
8651038438b1abdd4dcaca129580e5a8072ba249000f91ffbf3c1f3b9a7512b4

SHA512
4b925320a9f92de6110644b48e4c8eb9568ea956eefd1ca875b7f4c6b0ba73dd52680ff3f5ca7b87c65c2551acdaada3aea6c8968d023d209580393ca5d28410

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
10KB

MD5
8d25ed1e14b1f7e6fe3319374d1099c0

SHA1
a041e02789db25b9f8b2b05492ed37c13d8a7584

SHA256
3bbab4bc6415a662a50793e84e1e8fbbc34b506cf20568451748baed6fbbcc93

SHA512
33009db7043d73a925876b25f56efc1494c150c3cb660fac5a7236d853a934d5ac6bc6e01bea0c0ac5f9c0f43ca267e32f33cf5aee2fe2058fe09cf4046fbf90

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
11KB

MD5
69f9c91912dd09f589654ec833016f6b

SHA1
cc82263c9057bf029f5ac2db04cfedb7bae0d4e5

SHA256
7c180aa3c464dc42bc75d9aa73114fa935101be5e21b56565cf0baf86e81c7ee

SHA512
07b3966e1842797b1d8711d53d2efaa34db2407bc6a7c02c8255f06b7953b99120361035637de1da407f7aaec7320e2f6a9eed4614dcab1ad38909b2deee0538

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
11KB

MD5
3b5897fe055fc704c6a21fd10822e092

SHA1
4ded01253f6bfa94582b37d2b99b560212232e68

SHA256
ded285e84ec0e1248b956cf5b58f5786c85b33d0d0715da7471f032eec5f176e

SHA512
41ab908015362c3bff9220bb7701450e7eef6527693abef6f0de8265950898688958373cf79a55b46785997c64e83b507dc798f603f0442ed107c1434ad9baaa

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
12KB

MD5
73b13f9b97078410d5d5ddb07c925567

SHA1
1354207b01c81a5ae8345cc69ace4968c8edf8b8

SHA256
773b7aa63d76f244571677b91c34e15e2114196791cc3a4e69cf655fe344e94d

SHA512
4090baead05e28dea39399051cc06a159f8b6442e4329bb3afebb8817c0c17e0dd4326ddf0361d066967c8c1c4d39a122521bb0d306964ecb99d1a88ce108726

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
12KB

MD5
c5b0d2b6dbf25d185f1cffdf8192592b

SHA1
743fe0c2159e80757b2e1683d1640a3223516364

SHA256
c82075cbe9d47b6c50191ba7cee8b4414d4a2fc0b9d6d2eb212d700052d8bfff

SHA512
9c8b350b4b145ae44c2733675a4c4197cad4fd0f15e7b410b6f5590b398b23c669c0bd2b11491f9ef36080417c177e78a643dbada7ceb92cb6b51aab8beb3914

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
567B

MD5
b40ad1c6f356df84c6a72777fb03a0eb

SHA1
1294091a766c13a5de2840c683c84a216b0c7d36

SHA256
a9ed6dccaf009cc9f5768a3a0cb1ed8db665a9577b30308c0dac22115d10220b

SHA512
f186653ed20853e2989d93de35cf81384fc0fbb825c8d27de71a5d0dbcfef378b4427c81e36d771dfa8162a73a15be2c48dac36832928982e24f8a868d57ab19

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
13KB

MD5
fabf8d7fc91b5fdbe727e510ae17cb94

SHA1
a712842178b94c0205d390ab4c20eae9e8cd2ae2

SHA256
9c543072eb6b598f168d66073bd3fd27182fca5b9e5af242c4366a72e4bf3a99

SHA512
7a5368ea6886ebf27ef6dbd4587ba95cba5e962b95d47826f0144b0a20cd708704193ce7d27ed113cafd6dc7e5c40a128689220d9503e97c2e293f96916877a9

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
7KB

MD5
b1d094e74553177ed1eea0446c6b68d8

SHA1
70376df0f33068ae7e87e5b4813e7911b1a00397

SHA256
1c005c013c4b7fc24f686e5e12a3ac9d01515a97fee0e7ce247484174f618d84

SHA512
c85f0ff37ee090e57e72c62c566c324b9ea91867bd841da5a287db4b3097c682087eec6fa14a0f279b5fec03c847d8a993a05d2cd5779ea00d089b39e7f1826b

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
9KB

MD5
cd775a32db16ad6aaa6ed6da48610bef

SHA1
19fc77c866c886e47b6f8ff84fe87b0ed36ec85c

SHA256
5e1866e18518e981f36f58a1da5999f2213ba958778137a5a7cd8f74f880fd8a

SHA512
fc671ab681c78b9290f45326fac3205b2792f109de5f98791255e0943918bff6eb816e2dc5acaa0e172c097197bbec179dca9096dec76749596c00a6a7a84df2

Download Submit
C:\Windows\INF\oem0.PNF

Filesize
5KB

MD5
6ae31aea52111f10f4a65884020440fc

SHA1
a7c9c2eacd728dc7efeeaa6d810a6959cba457db

SHA256
2dafb2d7142f160a0c7a8a9f4ba0a0e6393324717563438c6e3e6d3ec8784529

SHA512
da1c300c64ca23237be64bac9428f088f13d0d23e366dd22303b0b866309419d3a3ee4cc2e82f4b3f80add2769063d3b3b43bec8c881f39a94bea382bc5546dd

Download Submit
C:\Windows\INF\oem1.PNF

Filesize
5KB

MD5
f3b7061127498f2b3fce8152d51048e9

SHA1
06bb0a804417cd9da5c53353eb49851003bc944d

SHA256
ffcff11b8cd9e4fe6198fb40139ec04f7a71cab94f2c4fe9e664c992e1cbc1a2

SHA512
0a9bd9c4e38088e1c53ff701408640172946b0a7f336546b6cbe40661584910d92d6a22d7e958fe18ba6fd8592a604e616911cb04389018a844af82541f7bb8e

Download Submit
C:\Windows\INF\oem2.PNF

Filesize
6KB

MD5
7d82396d5458653f7ec7b8d556f43395

SHA1
4f65bd14c724f6bfdcd6e3230fe21a6ed5d580e0

SHA256
88d1cc7d355fbbf1d4856ef3b220c4d9cc4204acbd4aa5c73fe1fc63801197bf

SHA512
8dbf920c005ea48078538a2ee2df92b12cc4f136b6b47a68b404e1fae3dedf3869528c7ea3939798415159161da5c78f82f33492b56ab7301b97c825320b6bf3

Download Submit
C:\Windows\Installer\MSI2CAA.tmp

Filesize
520KB

MD5
68acd2351e6949f8cd8e0d104d8c98ae

SHA1
80472c7a2f1e064f1b9f44961c1a578b486b1d5e

SHA256
87f35a243bc73a2d5ac7098170280edd12dae0d16ff2754b2a445bed43be0e97

SHA512
ec17af162bbb72aa4fdb260e6cae9f82f4ba3a4d298d479c3b7849726a71c66500aacb26697ad49703eb125ae1ede126ea045e664dd26dfc12b9210708ea043f

Download Submit
C:\Windows\Installer\e582a09.msi

Filesize
4.7MB

MD5
07db314cd098c23a5c8717f939475cc6

SHA1
a941be961b9b6153ab149a5e0f3297546a2b370b

SHA256
ea581c00eb93dd9d7909f9c73d346b0cd42e2d4ec7943a8a0f63fac4218e0e73

SHA512
111dd03c3db9ce020ae6a8be01dbc6c8eef9d082e79dd47aff839ccc379b73e69b792c98d218acd9eb2430c2d154ca624f8ab9a62ad87e93cf24da09b16b854e

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
107KB

MD5
dbebd953f9a0367402593b481fb5e656

SHA1
38a12b044b0b8d0a2ff7b7beab97e63dae6a71f5

SHA256
6fa33103a3dec690f3760f4d7f8483840839ff00d2ab150d8513c6b8cf6e6c7f

SHA512
ea7034ac54be9b984c548459a9be558adb9708f497823f69d170549f8d8e7353756793cd000dfedadffa66a4d484971d56b293bc13862bdc5450088e6d96fc53

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
107KB

MD5
32497d20181fdf62141274605a5f7ac8

SHA1
0f20bcf0bce4dda95e805746910d7ad84b485d0d

SHA256
07f8b35eb78bc2d74d210d321775e90dbc932e9fd8ff9aae48af69bc8525dda1

SHA512
987cd4db27684ce4c6ac264700a5fc1fceffa94299b021810d205e0c454d3a473128657a43f58ede97af9d1b34e0219e7611980e8f7265204e2b69e11e3e04bf

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
107KB

MD5
f825a2788257504c716acbc483306285

SHA1
2fcc31635a1ca20f806e2564e2242fb5e16a5489

SHA256
d1c80a7c85721f8ba2b77796363f22f18321b3d7ff85d998c9450ce259f2806f

SHA512
78c885888872f0ced7d719fa5bfa6278c3ed14ec67db897c6fb4272185de71a592598ffdf992dfae508abe7c1b4c95db5f11ae3551cc5ede26692c8c48c4ba59

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
107KB

MD5
20f1ba917d6190120ec9bd66673b5ec9

SHA1
e3d15a0e37b3b6caca89d3734ac395c8d96aa65f

SHA256
50fcf0e3661a2a52b9e70cdcb46f2a1163c8f75b230de808f41bc52036ea278d

SHA512
17f3947b48ea4b3e4189bcff6860e83db1f038c94f88b9cc5e6d831cb524d6e952e45f401eb2b8a94f7e93be624de96e46d0be581cd6a18969cff1fbb1f75f26

Download Submit
C:\Windows\System32\DriverStore\Temp\{7c882364-84e0-a34e-a6d5-6d9634c9ea2b}\SET3573.tmp

Filesize
12KB

MD5
5747983b712f99603683edb0bce3c4ef

SHA1
f22a7d7c5fca1a353e2b0d6d8a2bbfc10d16c61e

SHA256
0f9c5c969fd680e52e6750058df68808549085ea550d33018ddf99fe8b7b1d83

SHA512
a4f7e061f03e7c82516c2cf54de20fb97778971f35edb8947b64659011f19fb09fb5a65d03ded53fe4c6871f89e1af92ef9e53412581c88dbf55c463b32834f0

Download Submit
C:\Windows\System32\DriverStore\Temp\{7c882364-84e0-a34e-a6d5-6d9634c9ea2b}\SET3574.tmp

Filesize
2KB

MD5
4153bdce0ab3a238428c88b5623d6a49

SHA1
1657de3701a48d68a69ccea11f3d9472b9172e0a

SHA256
245d1786b39286c3571d624fee8296ffda32447b7ce0b057eff46030af576d04

SHA512
1b08a7f4961307ad08b76f4346473dd22e46b2f032ab87ce68c6b7136f642086b947011be66be3ba4aa45fd50329d8c5aa469913749f5d2981a2b32b8e487cf0

Download Submit
C:\Windows\System32\DriverStore\Temp\{7c882364-84e0-a34e-a6d5-6d9634c9ea2b}\amd64\SET3584.tmp

Filesize
111KB

MD5
dc40736dbf01cb855baa23b928bbee8a

SHA1
3e18926378474b19d3c18c4fb5ae8581becd5d0a

SHA256
030874d25d59724b2034cd76f474055be17ceea6dc0c8accf58143be85872cfc

SHA512
a2abe91f727753ad59ad7f665747275b4bec443d33ae8d76d976dfad0adca1c8e539e4469e7a2f8a948191003310fe85e5acd034b22e60b9437c6745d9b341b0

Download Submit