bda264b64178257ee2590c8c3fedeee851322a8f03a8eac970ea3c36c3822524

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
Size

4.8MB
MD5

191b51a6c776ae3e80f3d4a4e0fc7c2a
SHA1

99f325838412867a0141c454229fde8de7dc47ae
SHA256

bda264b64178257ee2590c8c3fedeee851322a8f03a8eac970ea3c36c3822524
SHA512

b442c6c3718b3de89afde6e22b0b07c09d4ce3a52d3be92a2b55e0ccfcb9d55023325a30f6996ecb03c2921325358bc662046ba2200e6ec209258ab25020c56f
SSDEEP

49152:Qj8f3jtqiCLg9LK2hIOR+k9jdAsizqxSiZ4K5MZqkL92c6nkdmbD7iIerM1R6ZP6:7rZ4K5M+XD7iIewG+x6xZ14WB2Yyjl

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5100	alg.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
2456	fxssvc.exe
3500	elevation_service.exe
1616	elevation_service.exe
2060	maintenanceservice.exe
1496	msdtc.exe
2168	OSE.EXE
732	PerceptionSimulationService.exe
5056	perfhost.exe
4916	locator.exe
3572	SensorDataService.exe
2848	snmptrap.exe
3500	spectrum.exe
3708	ssh-agent.exe
4844	TieringEngineService.exe
1224	AgentService.exe
3776	vds.exe
3048	vssvc.exe
3096	wbengine.exe
5224	WmiApSrv.exe
5356	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c43deeb6cad6a2b9.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{ACF3742B-09B5-421B-BDF2-BEE548AB1938}\chrome_installer.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f27e531cfd20db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040e5f81bfd20db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d495091cfd20db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133736885262222283"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007594281cfd20db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e433071cfd20db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012b6ab1cfd20db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1460	chrome.exe
1460	chrome.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
2560	chrome.exe
2560	chrome.exe
2560	chrome.exe
2560	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1460	chrome.exe
1460	chrome.exe
1460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4908	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege	980	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege	2456	fxssvc.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe
Token: SeRestorePrivilege	4844	TieringEngineService.exe
Token: SeManageVolumePrivilege	4844	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1224	AgentService.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe
Token: SeBackupPrivilege	3048	vssvc.exe
Token: SeRestorePrivilege	3048	vssvc.exe
Token: SeAuditPrivilege	3048	vssvc.exe
Token: SeBackupPrivilege	3096	wbengine.exe
Token: SeRestorePrivilege	3096	wbengine.exe
Token: SeSecurityPrivilege	3096	wbengine.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe
Token: 33	5356	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5356	SearchIndexer.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe
Token: SeShutdownPrivilege	1460	chrome.exe
Token: SeCreatePagefilePrivilege	1460	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1460	chrome.exe
1460	chrome.exe
1460	chrome.exe
4056	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 980	4908	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe	84
PID 4908 wrote to memory of 980	4908	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe	84
PID 4908 wrote to memory of 1460	4908	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe	85
PID 4908 wrote to memory of 1460	4908	2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe	85
PID 1460 wrote to memory of 4880	1460	chrome.exe	86
PID 1460 wrote to memory of 4880	1460	chrome.exe	86
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 3984	1460	chrome.exe	91
PID 1460 wrote to memory of 4988	1460	chrome.exe	92
PID 1460 wrote to memory of 4988	1460	chrome.exe	92
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93
PID 1460 wrote to memory of 2700	1460	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x1403b7688,0x1403b7698,0x1403b76a8
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc023acc40,0x7ffc023acc4c,0x7ffc023acc58
    3⤵
    PID:4880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,12190757888654667828,18440907810757087159,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
    3⤵
    PID:3984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,12190757888654667828,18440907810757087159,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2336 /prefetch:3
    3⤵
    PID:4988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,12190757888654667828,18440907810757087159,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2344 /prefetch:8
    3⤵
    PID:2700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3044,i,12190757888654667828,18440907810757087159,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
    3⤵
    PID:3044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3052,i,12190757888654667828,18440907810757087159,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
    3⤵
    PID:3648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4480,i,12190757888654667828,18440907810757087159,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:1
    3⤵
    PID:4596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4316,i,12190757888654667828,18440907810757087159,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8
    3⤵
    PID:1964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4652,i,12190757888654667828,18440907810757087159,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:8
    3⤵
    PID:388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4404,i,12190757888654667828,18440907810757087159,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:8
    3⤵
    PID:2392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4916,i,12190757888654667828,18440907810757087159,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
    3⤵
    PID:4460
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:5828
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff6578a4698,0x7ff6578a46a4,0x7ff6578a46b0
      4⤵
      PID:6116
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:4056
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6578a4698,0x7ff6578a46a4,0x7ff6578a46b0
        5⤵
        Drops file in Program Files directory
        
        PID:5188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4840,i,12190757888654667828,18440907810757087159,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2560

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5100

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5012

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1616

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2060

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1496

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:732

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3572

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3500

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1904

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5224

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5356
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6040
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
977ff03b96fd8ba05fb14990e305a7b7

SHA1
19d3424277aef48b7423784151ac5bc86c46ff22

SHA256
79b1e1201ad510f01e4190179799bbbfd0f3dcf873c43d6965a7c9f1a6205709

SHA512
32c5a917df173881bff6ecc7ec81f299d9ad8dcd4a7d2ffd8cd2933bb0eaf5218141e98decb3e2878d32c2f1520a23d37d0b3f9a4d592c4af66666557372d3ab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
afaa3523318b7fe92b1dceea0a2d5676

SHA1
1377c92c24fd07e046165741bd8afe962c22d7a5

SHA256
3362fb534ec58f4de25cc94bc19d168dfac5456f4f39dd3a86ee603a972f6421

SHA512
1117fc563453e9cad2299ea9e2b37ed35b2b7674f0a4bc2bef7afe330ce42f04acc00b36213d620187fdf915833b879a41937234a3cc21f356c16c3551643938

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
adbffe9093f82af0feccc80931049205

SHA1
41bf6f53f09316ecb736c35297210796dcb2d5e3

SHA256
27e96896b610f7f73ff2f723ae0f17484fcca6979ec38b9399489079db220a17

SHA512
33abf9f1447cc05c9e8bb0d3df85b36fae094adb6f9cbcb61730d130990d71f52d3249db3eeb885ebc3c8650000d832c5c0ed51f13b60f2b744f5ca435a9233f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
26a68dded37666fc6d52cad7a81e6899

SHA1
b229625e88d3e6e59c3b5ecdf62e3507f9ba1ca8

SHA256
ef9d82b14728c0a1a6c0cfb9c5066687339be899f3ccdb5cd71a5fa2eeee658b

SHA512
79380372a992b9a5c1356f341f6ffc54cc4e94d8da45018394f7316fc4f561862880c4fc41a47dcf045a8d51c936d95939f050ad7ab8c162a27da77e6602a52e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5fe9ba81e33b5a5012320925163162d2

SHA1
f895e45682e4ecc0a99a278b8611198ea32f73b0

SHA256
516bc766cb9103967d11f25210a2a8d1e1c43f4a12b1cef0103cdaa3e8d2b7d2

SHA512
a89d700574115057ae0eb8da6d80673bf4ec214af3f8f785efbb36db847e54ec6f5ae4a5b1f1d3d0882bcd5c087f0f573cb0f911d5e59b00814e185afe9410c5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
e2823c4ffeb4b313093c02d6f06dd8ad

SHA1
5dc3cdcc90ebe22973fc67ccd9123cb3693eadf3

SHA256
61e2c303a5ed3d1c9bfea5a32b9675897f0c49a79cb8a52b10d447ba9b16a24f

SHA512
55242bdaaf6bb20823b45ae43a1411051193207fb8f27f9741e577a5fcaa0c3b890dd2a50a6481dfd159b143b5b626608830028c56a21dadfb3ef15290ac8822

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
a8524b59d29083d199da1383a4cb8362

SHA1
5cce283d237e27bfa0f57db736e1803bc0311524

SHA256
17f60b73b8397ca9c56dfd4145dc319751873e4ae01b0df2877a87d922b09f40

SHA512
78d4542a4a996f9c7170c40335f7dbd1dbe8e95368f17cd77f932c85f881e2ccf3259ed05e2b1e7c33a1492b39db968734daaee177466b3ea0b934c1a687bd9f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3b544d250f63928a5a289b17e77c38ef

SHA1
db8b802a7fa5931c4603a7ec27704db119bd6536

SHA256
d8c3a3436e89e697670b3c4b33de242304f71aaf04c3fd7fbae8473929a090bc

SHA512
76f0cc4368e5ce8c304ac1abd835ae9d8cadbb6348d033dbe65462cbc390ccd6fb5776a68c45209e5f5e6baa74548e51723e6ac325598706d054facda479592b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
d56b397f11cfb01ab0220789e15d5233

SHA1
83f11ff88ded676dcf3412cee7268b1abd22f43e

SHA256
00cb6b165f9d43e81287f891aa8ff2a82c22070558da26ea5753032e831d41c7

SHA512
2465894b1820bb3153d1d3dbdb0563e79b21fd3cf97614bfab7cb2bf6c8d9c9a5fa8e1c08c916ca3b502914078415701a8ee1681ef52bafecdbe2b5dfd5d394b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7a5d55e855e92272bb855b3fa8a0ebc8

SHA1
4994c65210506050bf4b2e59ec16a1fd549991de

SHA256
edf9291809e16b85502b62b99ae9dff4f847357c3f02cb19f366de0a4a465d72

SHA512
678f2538d3529fd196cd8bd41530805827edd341814604c0e160f0e54e986ad6a6f38a7970177c694161bb6b28fb552ebcc24f008b5261cf29a4387009c8fc79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b4a44cae9d8eadd4daa2380db9de0202

SHA1
17d597a18e1d688950365732f99b74619bc1c6e5

SHA256
77ac450e08827c6497f69c6d44cb321350cda0f099b62a1638f368c875295a83

SHA512
a0fb8f67f3564aae4209bbc4aabffdd85393f5897214756445af718724a0182350f08e68c78057c269acb8eb5235cd70565c43eea8f1a021cd8624eda33b0f66

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1567eca350b39b2ca8c1c37d470ee2db

SHA1
cf77c181396711e233741de4e0c3a73227e426f4

SHA256
14bb733bb4e116ce0786868aa3c3a95045d78da6757a3f182b5626b5ddd15862

SHA512
6e316c09b6ff8679073632b5be78c0356e484bca5dee2932d60b76d73f5449886cbbdcdf54c0c6f5026a9395f9757a98661640e9b377d3fd60db4594d083f113

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
14a675202fe79d32c4c6634857117187

SHA1
99703fa096e2395b94b67e2619a429206354772b

SHA256
71045b28c9ffef77e78e83f8a4e7b97bb5cae90e8749f9e188b6223623e471e2

SHA512
c05bd41a2ceecc98356993199b99f6bfaa27cf54d471eb3be83bc81f2fab71cf9d68cd0a2250de8ea4f4cebaa14f553592bee9a6927b2bb1c2a13c3be1f0082f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
65382e59aa0d07c4e4dba8c2173c352d

SHA1
210cb159d2f3b6f1baffb74805e581a8929c35c7

SHA256
889b7448aa3a513aec21f99c3c37bbc020375647e5b3432fec429d862e93b7f3

SHA512
908dab963a015ebe7722a64b81d23e253d6c189bd6170c74bf08a16cadedcad0b50a35e90ba45128b15d102452e43d68574b4573ff5c468a29b92258fd93c034

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
917c8aef0d27452e8c724db252bdda3b

SHA1
3d5264dace677bcc5381a367c21d2fe31b74b0c1

SHA256
63457c8f39efb8a8359621c7b5bd1dd4a78cf3c4c0553a46e8d487f58ec397e3

SHA512
14847571e856282eb052b689ccf4ea2b5803976d53b67c96f2123728974e835e97ae6df9d53940d2a436efa986b485d92a6119900b09d462864529022ab6e4e8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
209944a971f2343e682e9691d5efba81

SHA1
2ee1e0ca14846ff973b0ea4d99364e3409867ecb

SHA256
1a8d7c86d4a86ca7cc682e69edd33836e37f40e499274dee81e258c9632608a4

SHA512
944814a18eaeacdeccec2bbb62078514b50810c0771e4a90cf322df2e325a5806ca1ca0db15b1f472342227b93202a01492a18179da8ec522cc94177980d8e7a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
b70d628eb35941b5977973e212a34769

SHA1
09ece0a1f920f430252639248af3108e030509d2

SHA256
37ccdbf8aef61079a9026913fbb402e7db8bef67da8a021f33f2ad627e024cc7

SHA512
75696ebc0528ec16544210a0366515907bb0e826bc31145a03db8e6aecbba636483af54e88650bb522bcb928c4efcb23299b156cd1ee101ed814cd72c8ed0ef5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
532b708175189f2d34f4e8da23e304b6

SHA1
fb00494a54a82525fca0dc1bfba74e6d788ffd31

SHA256
5f9675b907fb710ecf11f5978ad867fd4376c76101d33f3cadda18a233fa7657

SHA512
943cb9c5141f725e4434382d335205cc243feabdcf1b8ffd2a60b04247e82823a4a15161f163ee6a1147679f2074c6ccaede8c83c1e8fea59f1a9b3982bbfe44

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
d7a77a1563ad42493fba526e03b02027

SHA1
4bec19615ef40038beedd1b7d2d6eedd2d462ec3

SHA256
a5f897ab8c9ee830e8a0f0da5bb86b5c2505b71be8d67464b8917a7068ac5946

SHA512
bf0c0ab0ae862a111747145431043560ce51154f433c83309713bc4d7906c0002d8c67c24fe9b39c245e028726c0d139d713a365d450f7fd89e1a0fb1c55811c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\8fff8a73-9f32-4c44-8e94-6993e3008edd.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ba705801b49da3fe62ea3237bf598ea9

SHA1
45d76564c0ded01307a634ef126cba818b5c6a4d

SHA256
e22d97762450caa47f0486957ab4f692821c8f14dfee211003756e6724e6f386

SHA512
ba964e825c8f3125688bda199ec5362004fc5f9289ee95178ae17f15b56eee6df06b69aa6c6719bb38706415170eb2b0b34f60284a617b3be07a72ecda912f92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
8f485591e23c14e954e17b312bef5781

SHA1
fb8491c596406dbc1ad697a2d319f97a765ae61d

SHA256
f84dd179f2c05f7cc45ac15905854580478a166f7bbcdf6b7c377824e1f36515

SHA512
b0efed9877fe9c71089245df509bca7857f3bf2c931294263d63cf9188f50ee4d944439eca7fbe5c6b3d2d6c99d0efd222e79c72680479f2528368db39bc1474

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f0f71682a03de65dfd0663f14cf65e3c

SHA1
60b8afed901bfd45c35cbee9acc5aa2b4afb7c71

SHA256
06464de078733178792d66b69647bcea1375542ab2f5c719931c116adafa66c2

SHA512
50f00233d23da137907770cadc36bb846d365eaceb299584b78e504bd58a91b7623a51ee04a02e45ff76e097d5c31de492996fb838e77cb7c9a81733c9966634

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
1b6a876ee687be5b0bce0377c48c857a

SHA1
73d1b447ff684c747f83074d485c6738dd9ab007

SHA256
0d3b800915abf80c1988b3797326bebac78d93aef2e48f97660712253d5dc8b0

SHA512
5e796cabdfde3a9494e66c07e0ff8e33cbed41e160d13b96714a3c807c9ec88cfd8a8058deb934e3d5e84da45825514091cfdece98e45182a303eb99ab66bfe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
db9149f34c6cfa44d2668a52f26b5b7f

SHA1
f8cd86ce3eed8a75ff72c1e96e815a9031856ae7

SHA256
632789cdfa972eec9efe17d8e2981c0298cf6bd5a7e5dad3cbdcf7bb30f2e47f

SHA512
169b56304747417e0afe6263dd16415d3a64fff1b5318cd4a919005abe49ca213537e85a2f2d2291ea9dc9a48ea31c001e8e09e24f25304ae3c2cfefad715ce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
989cd279d7fe83ef06d7b839b4276766

SHA1
99f00337b795cc27ec14ed8898532d46185e0760

SHA256
c913c99fe9d872f4c20bbad744a9230c1445025a034b0131d07b4ffef84981d0

SHA512
7ebd9d93072f9fd8c2a18567e29d001385ed8f7e1968fca769456d4439c6b93b7d9c720796231b7e337155a170b014cba29fbb5fa4681463f5aac7e6a60b8a41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
103cdd0b976f635ff92ff121a03a91e5

SHA1
25c6f7729d18db858435b230c7cc7c51ea7e8697

SHA256
cd0aef0ef2b2a64c5a7cca0b3111a23996bdab1023ce1f2e16d39c3c808eb3f1

SHA512
d1d5db0ea7f13caf0e95b31b232291f9d8bf2fc577cf2e693cf776646def5a5d1bb883ae5dc831f0d8dfe1b81e3341a46c27967965c75afc0e3c5d5206196e9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5c52a38565f41bee09eaafae32f2043a

SHA1
89a73543a1f027c1f916d67f3056ee74d85af08f

SHA256
d00281edf7cf457d831531748e3adfe7b91c8fbc6d26edc0b564fe28665097c2

SHA512
319535a86f3c0c84061c28581ec7abe43c5e8983a2677b64e7de0d5017f33aec0a3323d35d04124d0bc1215fc9e5a071de23de3670bd621b817eee150b5e8041

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
815ceffa9a6decbf8a115e77bdb6ada4

SHA1
2ffdeba1b7490506de587291318e03a2dd87c919

SHA256
7c387a7d77100f9860d99402db4cf7d9f19dd017b164c70382eb2736dc90b83a

SHA512
ca1de90d53c284efa12f567140cb8869058ee14bea0c0bb5e75ad5a58c07b96d577a300651d50a811c60221a9a70aec0a4bb1c1a11bc1738e722238e9186572b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4156e73d9baf8f31a9b0619486db1d04

SHA1
0338e831c627ad37d7abe8acf89a9d639214ea30

SHA256
57317dab2076c8e0dbb5786676f162b2af49a33d80ecba81b72b0ae450531558

SHA512
95b365e5b23b8159e600b61ae156125405f1bc2dcd4f746d2dcc14ff5b9af90457c2b26fe8145bfb48d54ecc274673d132483b5cf09635d2b06aa65652af3310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fb8d8faf1186ff3b37fd974d2c7b74ff

SHA1
c862ce8c4b99a3c06608d6ee8eabafac045e7fb1

SHA256
fac776d09a93af4193dd95ce7459a3bc3bb941b5b76387f72008a7075b0d6f09

SHA512
73cae171e06fe87af7b9d9bca2772e758ca99039d4d2a40d380aec7575d670cd403637e1dd059819159af58b76148307589625bb8d8ef9e73c1997d7d9ce4a40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cf4b6e93cc15dbe3108333fdff058f97

SHA1
d2720f2aa473f81a5cfdecd62366a88365df9169

SHA256
400006defd711417b58ad05607a4ff829d0b136c1651a007d6a42e912f1fb800

SHA512
eceb57ea4f45e2778127d47c78c5f6500d9ed6bf293d13e642bd57c72af62d48a9a87d842a52faec43c9e426f2aee05d98e93f13d44c9099a1795bd0a7defd61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
33145f14c7e4c8cf5d65f67b3892f5a0

SHA1
8087e1d925c13f24d4a40107adf5cab584810081

SHA256
ba2c1976d7ac14853f56be0716f83e6c914b74062a5ad38a7c3f1b797760634a

SHA512
9f79b01cdbf7d48251b899117b841bc6e10c1ac76fc4529b929f6da23d25492bbfb8a9263069baf203c4b9811a5480f96512e359972904148dbc646194a4e488

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fe134432de9179500bcccd441adc10a4

SHA1
9fd0d5c377806def64b5b3b89e63b2146d683dde

SHA256
660507a9a51732c473876aa0a6a6a601dc54dc2ede1c0b5d9d7c0d52dbff72e2

SHA512
2b82b2fa6c441de39e6e5fc4c69bd498e9340f9157242f2b23972b374aa9fbd10619533e045877deb31d0b71079d6f88441870b4ea0e29b297f8045742e2450c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57b4b9.TMP

Filesize
1KB

MD5
b2347e6653f3ab6da1255a848f85a025

SHA1
7688b4ecc62a62f746a2ef28052203b73f05d16a

SHA256
1357ff2c71dd75bae01d301998d7519acbaccb18fb05981853a00ed8b17ec68d

SHA512
86ac0a47d3736ef7ab90004b2e0269a383c2532b39adf02094445f9b9893edc9ec48d6a07107d16b0ee7decb1b02abee6dd94f79811799cd7095cb3d8a87c418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
63f57e8f2de2fe043ecdb50ec53a4314

SHA1
d0c4a94230f0c36cb854f333ec2a6a107e5fcb92

SHA256
d858645d37cd5f5a5264e40ba25aede9fcf1fa55aff5a09aa5e2c930ed83b66e

SHA512
dd51be8d416215cf5af672ef61c80068e89decfed8538d41b6a371966ca81cc94f9399ad78290a883a71eb95de3094654de84428ba090401ae08ed428c090b87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
0f909866552315c26ba7c42955569191

SHA1
0df6914e744ba6e721d0703035bcd29cdbde48d6

SHA256
0ec243c19f2e4894211b8a4dc0e9bb4197a9e1325392c0e3978067e80d5920ad

SHA512
523cc38b8c1d43822bda0d44f6250dc98769584fef4fe105a9b372a0ee749de056d598b7375baa073ca1cc56084288e68e09fc927182b3ebaeda096c8dd944ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
271dfabcdb626d88003b2057a01cefd8

SHA1
659fcdbe0f391b59f0505326651ce7a4dd6d9926

SHA256
a1d7bcf80c84f61c6246a86ff51be2ce59a4df8254090a83fe78e791689af186

SHA512
843ad94ad455682071673dbe34d32e17155059e09764134c9004993a3cd8a37397dd641e8aa269c8cf684d8a41a45cbe94a77bb6229996916cbf507236664d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
da223aa9ce190fc6309f080e8e437d3d

SHA1
ece382ea75f18d745b4672c20d9783f11a918af3

SHA256
bd14102b9b00d53f3cf7d1cde1e840e089aeec2c8be7bef440bd4b92a6a86e97

SHA512
6f26648fa9868b2de8f80de5477a4de8a381733af8e29301973b07841b4d20a61a3053a59e3349dc18747be6b360d2dcb2fcd39679a8b5a6420e2cb96b0707cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
1855d63506cfbc885ab3f91fcd460ff3

SHA1
bae09e893ea3b9bbaecbf590942d974697942a81

SHA256
e155d7f32bc53500d84df70f66b618ba5adf46bf808aa76d7061d6aa209adf19

SHA512
05ee02a76fd9391d40c3a3a6b1e30aa628b7449832a8ae6fa12e547517a9b0f6c056773bf4c4e14b31447f6d19e8c7d941bbfd5bee738bf4cbbe827b569bb7bc

Download Submit
C:\Users\Admin\AppData\Roaming\c43deeb6cad6a2b9.bin

Filesize
12KB

MD5
1ed9b5921da094a4d285abf7ac962bf4

SHA1
f8207a9cca3b04bfe17539ebfb8ea0f9fe0ecf02

SHA256
7efc7f223f15987f3f0f6365fddcfd409480306f1ba2647d2108db1119022d7f

SHA512
19b17e8dae6448a5ad63716fbe3c400f42c1074fd1df92e36667f13e8947fb61906acca72987491e9b81a5d1201147cdb7ea769fe0ff2ca3b9ee0c7812d35957

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
e38ddda958af08b3f527682f1cfe7379

SHA1
efc01083ddda21229abefda96a5f4d42b4de82bc

SHA256
8c9185c8ca2e6ec9740d7540fe254fca64f073633462c3143ebf35e8542152e1

SHA512
16a90d740b65092e6c4980800fc113457bc4cf734444dece00bc37b45c739b6f95b2a2e322deeb73883b2ffc9208c46d66e5ecee4c6c1f20aed7c827d6073b00

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a22a090ddfa6fac8e4071a2211d6a34c

SHA1
6d75ba22cc5fdef46b12851798c469785264dfae

SHA256
9187ee8469b23d6f047a9dd3179a9050e0d448a962a28a442413773cebb36598

SHA512
350905f32d263063ae7609dab62f417843b61ad3a9b6e81811112b641f5a8db6fbab1bc3844abea21d05ab9f019a935e9db5fd0bff9ef02a74e48f48dd353315

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
8b4f8ee081dfb95cf7249575a15acaaf

SHA1
dd68c855e9a0fb01c327b3643f66339aae6532a6

SHA256
d2e5351e7747b7f50eb7ba3e712af1378621c734ab3adb71ba0afa4d36e360d4

SHA512
132f34cf58d38ec59f91d2fa33efffaca51803f8c3f9b3ea59c5eab4fa7b079ea31c527170989b4155a65c1bc8093c4fa4403574d66bd2e655d7ade0a7dc84d2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ab073bb1ce768d3f9f5bea4b3aaed221

SHA1
e4d38391284e302c29650709f739a2a2b46ccc0a

SHA256
5028edb3186a0ea816287fb2360226e8403b18b95f2f251c9ddc23c910ca45a7

SHA512
0193953e29939ad44aa5fddf3afd3d73378367a8e882a4533659a0090550805ec95cba5c9e4d2169c1c925b89dfbe06c7a13df56c9505602ae0d5ea39b862ecf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
b81e1309212f2cc1e5800f4c2a77c141

SHA1
db6b8a89a7f4b4a2f633b13611185816584c92bd

SHA256
ede44dc9cb5cc9be8a8e52514926f3d3e8d4ea624f947e8ba9d91f46adb7e830

SHA512
266ff6e74c3a34ba2c1d3c0beace769673d1bad5667239c933d3d1d2a6a208a593f9ac6d786bae009bf7c324798594b1d6cbe310f254f20ab72ab060ab28a58e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
ef2992f67c95c342bd642407dc97314d

SHA1
b149e6fa465b75cb2b17df44c3997fd79519e94c

SHA256
4bfa8d13a2b86ec939cf286bb3022025cc96b2515ed23e56876f4df650c14ace

SHA512
77b1e6a15d146b738ea6341829b7e868ff93a2e0d4d7bc2ab8166f0b8b79dc83727021502ae43a77451009b77cbba9246ab42843714527a51e3eba6a0aad4fe7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
da7185a01a18ad46279984827780ca9f

SHA1
1f7848cdf2ca742d730e5ea13440a7ce9ef3bbc7

SHA256
536b847a21ba617e1f60563ab1332b2faecca643bb2899f74e33b7bc02e12ccd

SHA512
cb9d49521642b02787a95f92ea31bd609668852432fd8d3987ec27603bea2457e36b5f85959bf2d20de90ff064ff19fb56bf686dbcb1be240dedc61c54c5c518

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
00d1d583b65a8c50752e3a94aca397a3

SHA1
f0b451e12d76ce680478c6be0657d19ef0ddcd8e

SHA256
9d2ef60b29c628726d9866edcbfb3175fe1c832f49c5ad35d3fd4cd182cc9df0

SHA512
c0b1dea525d6c09f924d3064015f7f02b586e0cf15396f0a918890348f7850114c1eeb6fa8109e4ecf21e37d46c759aaec7e9d744a070dd2956cb2f29ea7ce79

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5d1ccd6d5f2a051b9a70248657b526da

SHA1
8f3e2390ac429f5f02f9dc20a56178b1f9dc5b70

SHA256
5f82eb1878e62950eb9a03161acd1e0140dca2de04db002854155d75276378cf

SHA512
29a7e050ac30631a13f2356cf02528a96f27c5c686a7877cdb3360b0f581e5a2ee1dd440e5dd4798ec1370d680e0a1b0c5b84923c4f8628f1349c8c5eb55e1e5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6271363d207a1a60bfe7381706217115

SHA1
dffdf0975531871e595dc711f0c31df6395727ec

SHA256
b2657c73c7179b250dd398c220405de8320b7f7395a045a25ab806b782ca99d8

SHA512
b4c1e2f1557c8b0f71d8e0488690520c4f437b1f4c872be47c8ccff157d216c89cba63a9c7cb3f07163df05655d8dbd7655ac6c41fca1d9caff8aa0c3c34774f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
f95b102a1d607f3d51a93e26ebce5f5c

SHA1
882aa0c0c6ce014b77bd5ed9c65e660bb7147770

SHA256
97994923a38c2596d208a905876955899a1ef5e60604b28c1aac2a635389376d

SHA512
fa51da3a41129c1d8da63bf4e0a52212899e45dd40b161d5520903fcff56ab56ea77fe84f7acc5d5095d21005ab7d5a9e3ea2f5062eab71c698b62aa8d116b4a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fdeb80c67ea96f836bd9f9dfda09a901

SHA1
7cb3a0e13ca3a88aa387e83ac239988ec2d4de7e

SHA256
c67c5794b3ae5fb5a0e8bff6b246ca4031d60560937a3d28cc92ddd1c8538fd6

SHA512
785ea8b29a1c85a9275b85473cd266d6df6591840e40d61bb7f24c709afecf4060ffe0b3a8eec7462cc17de117f33b91eb38efb60a173070ab97460e6995b84a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
b6a9557e8acb4da0b60caa19432dae2e

SHA1
66d3960594eead256d11d06c797ea840e7d45071

SHA256
4e9d8b4fbb6dd2ad2ba353f0d9fa6dbecf0309bdc78e0a58d1fc0f7307ecfdb2

SHA512
394e0da655a2703659b9d7e1b6d5c2a0d0774bcfa5e2f0fea15577a4a54f5822af5862cac4ed16ab800bc5b2cc011c773beaad7776c601a208416057002da45a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
57e10f5036a5dbd392d48dd278c963d9

SHA1
4a94d1f1c185f61b80dbf8d289026616a309e18c

SHA256
d0cc84563c370d282a2e8e062123924e8cdd97b78983f14a6e3868d026cd0c21

SHA512
6cb257a51bc347359a714229277e034d7cc5e55b3c46eb77c76c28ce3cacf145797e20a0f6e0a8b931b0e42ac42bc77139f756cf511c5dc765e352c13870e8b9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
338b7d9319d3a7ac5505ab823eecd96e

SHA1
357b6fe234d072eabbc5eebf216d80cf764c384b

SHA256
3afa52c3b66a3e97df1ad8cd308b5ec16cd25af92a73090f96c3d3f65e0ffff7

SHA512
946fe9b50709512686d53b1b5cfa2e651b3fafc6d676bf1ff8d062df35e9c03350c4d5d8f449a9aa69d83b8ef7357368a7c34d257447f2d55345a29c1233f504

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5a67705e51aa331229ba04b8ebc5d557

SHA1
aa80c7a79afb1dcc93e14233b843c4784e3c62e2

SHA256
5eff41bca5a63342277d5a3079e42aed721829ba538a0a89390757bc1ecebe6f

SHA512
d44b92caac5b117ea4192627a9cf83398a28dc015c1d9a6fa36b9f3fd2a504326ba372277009778ddd52141732431fa4b2e0d4c1a2a1b8a3a95959e4dbc57ba2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
18814f8ec81551b24b45790c3be6a4fc

SHA1
8cadda17a0b6023a38e9e44ff18df14c3d9741ff

SHA256
91973566ab822a17d07f795b8a323b1ff496ded16d3cd35301dcf43f5159a87b

SHA512
14783933f142f1b9b901fc4debfad46e7dd1655e1250010e8288fc6a5507d6e98a47162545f40e454b4c402b10261e097657649f2b986ba4b4a9b9c67e1aad6e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e0ff3fc7f5c8369d3928067d9994fe7e

SHA1
a6ec180a3fc14a182188ad1ec2267b39c64ef9df

SHA256
f829181e751e8a52d4b98213d6db78aed02c28b5cb2069bee71a436593e61feb

SHA512
b3d213caffec9f42a8d098011d61ab1c30ce43911546269d66597f31af85bd783e29512cbd92f162ace6a9b0a948844b7331b4127d6157cdb71f1cd57efcb3e4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3462db66ca863cab44320b55e23f219f

SHA1
1f0cdc7113c4e02563edc3099ae72b9c6bc3da59

SHA256
f89e2194e8eeb4764f023895b07bb030578c6afd8614f210915ae9ee76611fd8

SHA512
55428b916931dfc71835310abc187a6acc99fbb0ba63e409a965c59f32229c1d8a40766f682cd77706aca40326511e6b384d9c16a9e750930b16711029b71a16

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
c3c7b4e3ea088419eaf2c492f2f83d66

SHA1
fa85875d268b16ae4ec5865167c90ea7e050bf9e

SHA256
dfc3c37c7d3eaf59246af3c6358c6f89af507aaf4532820c9d4494ef75d5e6c5

SHA512
d3c6e37030dcb03336399bbdca9de8905d49aae897339d1b705e4d7f490fdd894365ec349a9572e0103229f966457ee1bd02a2fc4198eb91e902bc35d844c86a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
9bbcf0968b1bba3b1226c451ab0c98b0

SHA1
aaacf2e045c5f5b796cab6e4d8ae8b2b73b0c1f9

SHA256
5b9fb9ac98d73fc726e367379be4e84b36d08b065def52a0fb0d7615d3b6194b

SHA512
17f6702f394105deec90963259dc29231dd725f457a08927c9043f81d51a4569562292add043413f23166a10b8485e20f302d8e475c9510703fdf5e55d10873e

Download Submit
memory/732-166-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/732-285-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/980-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/980-111-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/980-19-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/980-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1224-258-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1224-270-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1496-130-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/1496-257-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/1616-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1616-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1616-91-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1616-92-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2060-122-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2060-112-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2060-102-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2168-144-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2168-278-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2456-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2456-95-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2456-63-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2456-69-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2456-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2848-416-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2848-208-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3048-292-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3048-579-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3096-583-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3096-298-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3500-81-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3500-230-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3500-518-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3500-80-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3500-149-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3500-74-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3572-191-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3572-582-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3572-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3708-235-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3708-536-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3776-281-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3776-573-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4244-46-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4244-55-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4244-54-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4844-555-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4844-254-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4908-29-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4908-0-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4908-22-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4908-8-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4908-6-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4916-179-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4916-319-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/5056-297-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/5056-168-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/5100-39-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/5100-40-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5100-31-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5100-165-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/5224-320-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/5224-584-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/5356-325-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5356-590-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download