060fa208fc39ea7a5e65b238c12831d08a5ac91f85f97c2c152405b00fe1af4b

Resubmissions

30/03/2025, 21:24

250330-z89v8sxthz 6

30/03/2025, 21:21

250330-z7lr1sxtfv 5

Analysis

max time kernel
351s
max time network
343s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
30/03/2025, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

onnxruntime.lib
Size

3KB
MD5

4a871b6ef6b29e27d80799e6074e909c
SHA1

f066d869dd27817bb506f135e9759026dff18842
SHA256

060fa208fc39ea7a5e65b238c12831d08a5ac91f85f97c2c152405b00fe1af4b
SHA512

70558269b81c55bd8752dac66452e53337bf25db05c752d07871744e5e5db90a30da84e678a17f5cc89003bcb9c461da052a72feb163043c169fde9185386068

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\p:	SearchIndexer.exe
File opened (read-only)	\??\Q:	SearchIndexer.exe
File opened (read-only)	\??\X:	SearchIndexer.exe
File opened (read-only)	\??\D:	SearchIndexer.exe
File opened (read-only)	\??\H:	SearchIndexer.exe
File opened (read-only)	\??\k:	SearchIndexer.exe
File opened (read-only)	\??\R:	SearchIndexer.exe
File opened (read-only)	\??\t:	SearchIndexer.exe
File opened (read-only)	\??\T:	SearchIndexer.exe
File opened (read-only)	\??\v:	SearchIndexer.exe
File opened (read-only)	\??\y:	SearchIndexer.exe
File opened (read-only)	\??\n:	SearchIndexer.exe
File opened (read-only)	\??\O:	SearchIndexer.exe
File opened (read-only)	\??\K:	SearchIndexer.exe
File opened (read-only)	\??\U:	SearchIndexer.exe
File opened (read-only)	\??\e:	SearchIndexer.exe
File opened (read-only)	\??\i:	SearchIndexer.exe
File opened (read-only)	\??\I:	SearchIndexer.exe
File opened (read-only)	\??\j:	SearchIndexer.exe
File opened (read-only)	\??\r:	SearchIndexer.exe
File opened (read-only)	\??\s:	SearchIndexer.exe
File opened (read-only)	\??\W:	SearchIndexer.exe
File opened (read-only)	\??\S:	SearchIndexer.exe
File opened (read-only)	\??\u:	SearchIndexer.exe
File opened (read-only)	\??\V:	SearchIndexer.exe
File opened (read-only)	\??\Z:	SearchIndexer.exe
File opened (read-only)	\??\G:	SearchIndexer.exe
File opened (read-only)	\??\l:	SearchIndexer.exe
File opened (read-only)	\??\P:	SearchIndexer.exe
File opened (read-only)	\??\q:	SearchIndexer.exe
File opened (read-only)	\??\A:	SearchIndexer.exe
File opened (read-only)	\??\E:	SearchIndexer.exe
File opened (read-only)	\??\g:	SearchIndexer.exe
File opened (read-only)	\??\J:	SearchIndexer.exe
File opened (read-only)	\??\L:	SearchIndexer.exe
File opened (read-only)	\??\m:	SearchIndexer.exe
File opened (read-only)	\??\M:	SearchIndexer.exe
File opened (read-only)	\??\w:	SearchIndexer.exe
File opened (read-only)	\??\a:	SearchIndexer.exe
File opened (read-only)	\??\b:	SearchIndexer.exe
File opened (read-only)	\??\B:	SearchIndexer.exe
File opened (read-only)	\??\h:	SearchIndexer.exe
File opened (read-only)	\??\x:	SearchIndexer.exe
File opened (read-only)	\??\Y:	SearchIndexer.exe
File opened (read-only)	\??\z:	SearchIndexer.exe
File opened (read-only)	\??\F:	SearchIndexer.exe
File opened (read-only)	\??\N:	SearchIndexer.exe
File opened (read-only)	\??\o:	SearchIndexer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2T	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac9bd8aabaa1db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\OpenWithList	SearchProtocolHost.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
932	chrome.exe
932	chrome.exe
4928	sdiagnhost.exe
4928	sdiagnhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2372	msdt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe
Token: SeShutdownPrivilege	5484	chrome.exe
Token: SeCreatePagefilePrivilege	5484	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
2372	msdt.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe
5484	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3888	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5484 wrote to memory of 412	5484	chrome.exe	85
PID 5484 wrote to memory of 412	5484	chrome.exe	85
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 4424	5484	chrome.exe	86
PID 5484 wrote to memory of 2356	5484	chrome.exe	87
PID 5484 wrote to memory of 2356	5484	chrome.exe	87
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88
PID 5484 wrote to memory of 352	5484	chrome.exe	88

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\onnxruntime.lib
1⤵
- Modifies registry class
PID:4924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffebff1dcf8,0x7ffebff1dd04,0x7ffebff1dd10
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1900,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2244,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2256 /prefetch:11
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2380,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2296 /prefetch:13
  2⤵
  PID:352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4172,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4212 /prefetch:9
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4644,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4804,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4820 /prefetch:14
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4796,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4992 /prefetch:14
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5232,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5248 /prefetch:14
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5456,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5468 /prefetch:14
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5576,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5468 /prefetch:14
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5252,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5480 /prefetch:14
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5356,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5808 /prefetch:14
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5796,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5484 /prefetch:14
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=224,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6084 /prefetch:14
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6004,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4992 /prefetch:14
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6036,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5904 /prefetch:14
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4304,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5924 /prefetch:9
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=872,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4328 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6104,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1512 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5656,i,11322846062117188831,14547921919166161628,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5868 /prefetch:14
  2⤵
  PID:2196

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1540

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1396

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:3560

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2140

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:3240

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:416
- C:\Windows\System32\msdt.exe
  "C:\Windows\System32\msdt.exe" -skip TRUE -id SearchDiagnostic -ep MainIdxCplLink
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2372

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kgkxj5re\kgkxj5re.cmdline"
  2⤵
  PID:3616
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF3A.tmp" "c:\Users\Admin\AppData\Local\Temp\kgkxj5re\CSCAA2ADB406E0F4E779F487C914A1C1B1.TMP"
    3⤵
    PID:4516

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Enumerates connected drives
PID:3560
- C:\Windows\System32\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4268
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2744 2756 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
  2⤵
  - Modifies data under HKEY_USERS
  PID:4324
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2732 2716 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
  2⤵
  - Modifies data under HKEY_USERS
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\352735614\2025033021.000\SearchDiagnostic.debugreport.xml

Filesize
22KB

MD5
806baf369bbc6c44db69d0d83b9c79e9

SHA1
748f60a12981d31f226c613f1db043e1ed0d7fdc

SHA256
341d9d124ad40189f71ddeda7fc4b69d00c9c4035d4b0b8e11da5375504fbb74

SHA512
b7cc3f1eb0b3105054916806990b448d525dc7699308799f12dcbbf8d1743f2b64b71d28417998037f017fdbbe950b59b2a97a108af2caa8fd7817aabab19c44

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\352735614\2025033021.000\results.xsl

Filesize
47KB

MD5
90df783c6d95859f3a420cb6af1bafe1

SHA1
3fe1e63ca5efc0822fc3a4ae862557238aa22f78

SHA256
06db605b5969c93747313e6409ea84bdd8b7e1731b7e6e3656329d77bcf51093

SHA512
e5dcbb7d8f42eabf42966fccee11c3d3e3f965ecc7a4d9e4ecd0382a31c4e8afea931564b1c6931f6d7e6b3650dc01a4a1971e317dab6c1f03932c6b6b7d399f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4840c290-78bc-41f4-b45f-bc33015516c3.tmp

Filesize
80KB

MD5
d6ebc5f6e2d53244a3ee0f59629f8d3e

SHA1
a9f4d08e54fe561ea885d2359e7c055f74817f86

SHA256
115ddb241b7052291ef99a6b03b8579297958317866e77d841786d0081987919

SHA512
7cfedb1ae85d59f9bfad8494f911805c892277612a0daa0f1f8b7d327719e88551ab5e3fd996601c0986fd0c612a60c1b7360ef4698b14fca149248718871518

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
44232c79cc91f2f1c83124d4364fe8fe

SHA1
8ea777a3c23812c2784090859808e2060fc7ec5e

SHA256
d39d792b49a72bebc7bf977d43e5707114a8f2808a2c5be5e40306843cb9cbe3

SHA512
06177742cd7404b90dd0f29c335ae743b69c32599ca216d70fa0c2eb9daf7c72ec33e4e50762c961533aa030fe0fa327dcbc07cf01e6b4d99a294e755a0234df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
4098ebed827f415c8098f60f53719cc0

SHA1
9f3a9dccbcc3cccaeff19d039a7d99a5ec79aab1

SHA256
6764412edb65f781d567224480a5fea3d6d421a32f8872bdb4a2c10a435226de

SHA512
ee3bf5a42072068801cebeffaa3a09ea018d31be1a1991a029da9d6ee85914379d3d682f73dc5110e541ad54081cbb966a7051951628ed8c67460fc8abd44fb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
73bf5f560a71483a94f7905187f45117

SHA1
b330a6f12dcca6dbe99e2a52c2d4ea01db612e41

SHA256
0b4081d4e554527c7065cbc3ef0bcda567526a8e0302c5588d932355bcb88a77

SHA512
003cad46c91e5e9a2fc9ed5274a6711f7645b3e597def1513257ad629b7260d9b41eb3070b834599ab1d58c03009fa29f857385285f621742904fc7d03e4a2ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
cacba0d59252f91a5932ae4a29c2d421

SHA1
5de2ecf6fb970d19c355d7ea9bfef47c64dfb965

SHA256
187be1532d1bdd99234f6561d86213e463b8e1e0db5157036fd9fa4172d6f1cb

SHA512
5fdb52fe2240d00cf03c590533983ae1d444b80985640a9ae7b7ad72393e91db9925d27f3f483cc59ebcf5da8074f0eeeb21c1bf9ea2be97c45cc14202209797

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d2334bd437fdf8a866915bc4097df3f9

SHA1
a7c16e5b04d47d56732c0ec7ec7543ffce8f2f96

SHA256
b4ff491405c9d5bbd432c0899df0fa6b482c19d1408cf61a9f365e8e1a98edb6

SHA512
5c40fabe9536eaed63ec237957f59671863e451ad9b2c7df8e539d62a8b98615498684c36133280b10c2403d18b84490eb18f77adf886171f9e9afddc6cdc19c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b7deae3404c7ea875ae7d0bcc2d07266

SHA1
683e9e654739cfdcba10f0e693efad0aff861e6c

SHA256
fffd7a0b4f59b2cdfdd6871ead5e57d5749441d1bec1e5434a147b6e2e2acd1c

SHA512
030246bf3bd7d8d254ff683c8740eeb4167fbc150f82d0856fa8e02d472d2d9065193db0fe13d341b2d377e4838a01f923328a945c0faf8dbbf0206893790539

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
07290e54e66587260987ac33bfd058ed

SHA1
a9ef6b803b4623fe169c519ef507ab74ccfd107f

SHA256
61b53034c4e786af44779b1daff781a18ad2e5845269c4702400b99208b70059

SHA512
0e3d49b18e1aa7f420b6d6538290c528f5acd1c281639e0ce4bf31482fb947d0f777ec2c4439256fc4f1983cc0cd002dff3f98b497dc634b3c163608167a3a96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9b2a90ac7e39a55489bebf0e6b3e4133

SHA1
3c7b98e72d15ab3ed8a86c8724ff8c3378596451

SHA256
44f427b5a7310d1d3fc1b85214fa8d02164b8c113aa5c751df82786c9e7c0ab0

SHA512
70bc4bbadbead81d4d5e7362b731da6c11ea5c781f3e9dd8de5261394a63170c7fa3f1ebc870683217d261a4a433d5a70b9dec8d6004849247b097e0e06aeaee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
57398997a03c823ed7e314439348b090

SHA1
f03da653dbb8367fc1a025b25464ed1c91bb5f4b

SHA256
b99c5d1e403f0f748fbb3112c89c608e04f71ac0d06b37cb5e4f568070dbfba7

SHA512
d9832a65aa895e2dbcccf5bf430a8cc918a1d1e9f0dfd9740f1a16ea693d0cd066f394efbbbd8cad2de53c80a16fd770638c2e21957626a361ff3be62091ee2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
499106702b7e9c991b8918c4a9f96c06

SHA1
bf4d90eb6ea2bea74082b3d4001e031c517d40d4

SHA256
cf650d3f07b261b150b084af964e218ee0b9dd5e7a9c0b2944eec40f0348d206

SHA512
3325c43eace12a89255bf06befbb07cb16310a947cd694c8e1c2d158e5b0ad7391d4f6a51318e3be17a4c9d1d08c8ea9a47317b1a55c88ca6d3adea9a2d11743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
38373f6f028ae64543e5fddb5481929d

SHA1
7d6403b9a8da2478aaa090343d5fcba291f539d8

SHA256
0baa1769ea15ba2d818a67e1f7e38fcf8a6e20a777b8d4c593033cf5f15a885c

SHA512
0571c622a39d977153d5247ade27bdbfe33405e5eaf6ba9853bb745af6a9bda192fe81464ab4174d3ff84517d54659d08f4b353760da90d251f02a9cfd8da0c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3ee0a38db0609b9bc3028e0e702f250d

SHA1
3bde6f0a685d5e5be8bba9342e74b55e76d897ca

SHA256
ec33751bbeea4f3baf9e250d47b4e8c13c6fa9c4dd29d5d80fed1ccd8f403b1e

SHA512
9d75d23269f9fa3793c5bc58bf653db589dc89c5fdf9de19724054c7babacbcef01f6a655daecd16929ec7838c4dd1a8f0e2a23bcedf839e5b61abfdcd87361a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
aed75fa5f19e20397834c23ce092d754

SHA1
2cd0b1f39cdeb3ee40f4a5599ba9518e9f524ee5

SHA256
96b277b612f7658587b23272d69d3b81e7a228f6dfed801266f05cf596ef4e58

SHA512
2d3eba8264bda44143ffe3fbe9c9adab81ebad100df45a8aa6036227746009e752ff8527448a22dfdec22719a137d25ac27b33c1b07901317b9fe894c5aada69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c63ad94c373ca1efac3dbdbf11c02634

SHA1
1a65ae1c1d4bed04b0a9296f67e0947db239149f

SHA256
b09ceb633ffd233dfda1cdeee8d08d7a93ab90ac8ed501f7b2b7ef0e88e9bbf6

SHA512
6040e9db645ca6c30eee7c92baa4418a21e73419198f34dfd585330f3fb4f39b5d823546955bb8aa2bbf9807078cc2b03557d4aa9dddc53f7b19e3707f10b177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
417ffa68aa4ac89c992224e8ae77d8d2

SHA1
bbf2feacf816ce48c237c5b84932064559eb02d3

SHA256
b33fa4b01f7cd86a5bb4c394e6bdcd62b82645bbd4e49f5e7e46d964cf69745e

SHA512
2ec4e9bcb25081a1c820dbf76a8020cb2310ddcf4e654b68650a34d76443261b4a90b6e28d8dc38567fa158f487d51f2476a89aa66f48a2b673aa0e803c5fb82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4d5115af4e6f6064592b1d620c931bed

SHA1
26e2efe2082660a6c0697ff36e76a06c45cf0873

SHA256
156f6367c7464edf913a754f4cd3fab0ce041adcb8c25b915f2aa27d0a66c398

SHA512
a7a0d74bd20ee9454e536172c0b5ed6da044d0cc9260c28eaede1ec58c6f17f2bb26855519df0fb117ef3cebe3b9df665c5134f15e984e7993da07743ecacc5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e119.TMP

Filesize
48B

MD5
25b60e94b9fbe4bc99fa0c4df10d0949

SHA1
f549c36b6676c2bfc98578d01d1374fc4855c119

SHA256
31ac36d53466679d1afe92a3270080e881350b1d4789f6ce7f860fd8e254b7a5

SHA512
7ee3c5daec36b29028a50bdf0ffd135320c464db317c6b9bee84a786d85977c64a65a785c6c834c9473ed07b539069d07811b4a35548b9730d9125493a041993

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
67ec20be0253987143ed42fdd9d89202

SHA1
4900dee8d48be9179b73423414bd788e3d6b3879

SHA256
2eb71b174f23fe835380f07cbe613d41f722421b748dedf225cb4b769df9bdf7

SHA512
3c2a6a0f6a7b0a75dcdc80c223d66008f349514a214596ab745cfff9a3e5a8d4b25285d15eef2c1f1a6418f2c7f7a866f2c6e8054901770c157fe7106813f928

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
aca849417b31f4683d39d2a25cccfc05

SHA1
7a36aefdba03a9172aa89f875159f8203b0e586a

SHA256
9f31c91fcc45f9308d13b42c7937eb085473c66d40bb042d179314167f868a74

SHA512
5a7de404e069c1f1c316af09fa9310ea87feab22d73f50b066b4e13f1ff5ba6a22897f568dd86f3db27e208805e84df017634c5308343967cc4263a53c975a04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
751972ae24a2a27f072228eb886bbe7c

SHA1
1dd0a1657610dd8ffdd920f31cedf8ae659fb0c1

SHA256
7835ded813874f79bbaccbdbba14899b313c890178445ec8c177905e3d325723

SHA512
9d2a90e010290eb06c8a43964f800c4c6322667529a05155c1e2f701a564d7e0a1d8a53d98720b6a3515e8fe44e06ece48bb94cc1765fa569ba1bf09954f5739

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d01e1aa2-36b4-4071-bbf5-9d8430d48957.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBF3A.tmp

Filesize
1KB

MD5
fbd361c712f410f093ced05d676f3064

SHA1
78100b35efd8f882b70d21b42bb951f725c7748e

SHA256
bad6dd6424eb3271d1444ecea586d77e4bdfb089b5b7b4d7dafa8032d8573356

SHA512
f0b27773f6a30177a341b5d18e27f3f2668bc26134d66fa4094e9e1078a478ed111069aac69997e4b10aeea959108a1adb6d2b8ca0954b9ba831fcb6a93fd7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hnrfnztx.nnc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgkxj5re\kgkxj5re.dll

Filesize
7KB

MD5
d9b33012df52b967a7e63d64a7dc4f47

SHA1
c5c224432ee51518962810aa565e82bfe87123ae

SHA256
e2650f112999b8dfc592e850b208c7ef19383021cb9a3ab7dc4ee94f385bce4a

SHA512
84c498987b006f7f1661cd63d47593683674414c3c81d03c3654981e23d5f38170ff0d4e7df1c14aa6b55ee4d851776eab702cb704d2d1e2441cdd9d7d0cbb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5484_2066306568\2ae7f699-03e4-440b-8659-efda3910fcf8.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Windows\TEMP\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\CL_Utility.ps1

Filesize
20KB

MD5
1173d06163023bac8a1ea0a4af28a3b3

SHA1
8bf13ff0a368869b8738b9e76b535f7b9fb0b2a8

SHA256
3304a9cc067893e7dfaffa5736919a60ae3a4315b6fec849ee78749d03293d6c

SHA512
dd2c314a5c9e50971c3556e2f066a5d32aa4b6ceb0a80eba19ede987962fe035ddcf9a641d67a256765a7c888990ef9ae66eedfafde0da2cc4b733078927afe5

Download Submit
C:\Windows\TEMP\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\RS_StartIndexingService.ps1

Filesize
548B

MD5
bee0e781fd1d15c9655351e895d83b57

SHA1
e7c78d9d7be5dd7143463c59df670791d2bdbf75

SHA256
7427b56e830c07b384d9db51c1e1b2c6dcd7f9add44b1f87c43106701eb6bd23

SHA512
f3889a65783ba3ba12f17a8e7956c848fc0b8e8e620d4b81b4698f9e4560586358d303a171e11110841bc962521ff29c7b63db184b6a33d87c8907c5b0eea4eb

Download Submit
C:\Windows\TEMP\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\TS_CheckPermissions.ps1

Filesize
2KB

MD5
b2600e4d733b92f79370faa2ab00944e

SHA1
4ab735b8d7afc733111856b51a814fa661dfebc7

SHA256
c9ba0a243d584a373b63be4db08e884f6eb806670479ba55fc7496a4295be5fc

SHA512
c6a8e81c15e0ffcc0bbd9b672e0521b7528bd8a83e9fb23270a586562e1228d909f3f9e3fa9b0348a6d88356cab737066085133491048484a7dae5aa781c06da

Download Submit
C:\Windows\TEMP\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\TS_FilterHostCrashing.ps1

Filesize
913B

MD5
74dc6611ecdd7f0d4038a1cd32ad0e94

SHA1
d6505f7e6a1739b1ea3e7fee48281dcd5f86b812

SHA256
c5250dedba4642742eedc65a3b63f912de7590743f191e44464b106034be91bc

SHA512
e767167802800b4e700716b663dc088b4485b9ebedd7c4f35ecbb716940e7ce9e591993b7e9c3bf1e0a1e20db83373a64a87d12e9c9895cf1db0515cd79181cf

Download Submit
C:\Windows\TEMP\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\TS_ForcedShutdownInRecovery.ps1

Filesize
945B

MD5
2fde7756bb963c60a89a51f68b7bfff4

SHA1
f87a0ead228dd93678d1f8719ddc1b25ac1d7c86

SHA256
2715e3a85955bcb75d4bb0a500981583897b2f6b660214a73a9ad6880eeefa86

SHA512
fc4f514b50d36996906135473bdfae66d6ae7da93533997f8f65c086e03e769325f1438ed673e16871de48f8e6530374c2b005494e6de27167815549a6f8ffbc

Download Submit
C:\Windows\TEMP\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\TS_ForcedShutdownNoCorruption.ps1

Filesize
962B

MD5
33644f44671fdf33ef12a7d62c250953

SHA1
6ece575fb78f0ae00eb9b1da20efad462fe43fea

SHA256
e8090f2529580c00f1731f7729eecdda468ab3cf74c333380664a028260cdef3

SHA512
183fdafc60d55562ea765eff333826ffc28a80ccc4845c6a48043fb91ecf74a2f930720225bc51120fceef667756d15a9e43c4c226a69c6cc544cc9ba23cd792

Download Submit
C:\Windows\TEMP\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\TS_IndexingService.ps1

Filesize
1KB

MD5
2c9b766ab087bde9ed5110161e69d18f

SHA1
841396507a55e08ea4922a160d84cdbc97fb581c

SHA256
ed8db194ce2537e63c9284f8d363cd0571f33469cbaa9b3e856ca10fa30e3e07

SHA512
98eced864ea9379e899373e026e4acf0dbabfc97afce3abd3c9517f0ea324c453ce2d939796ff357e497e8f204aa7468e18a034ccb2572939c3cd22f1ae0c767

Download Submit
C:\Windows\TEMP\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\TS_IndexingServiceCrashing.ps1

Filesize
909B

MD5
8c5c6e6ee29132025d6f694593ad589b

SHA1
dd3973ad144aaaee98424a09a1e88001e4fc489f

SHA256
f2ec258da3cf74991292d99b2095e3b256a0b6a10795e4c447e0ec21d6be44a8

SHA512
f8476e0de9dc2d0802ccaa51a4f40b7b92646b08a7b3ab6516f6ab8569cb849858036bfdc2435df13f92dfe49a0f2b77cae866eb976c32f77152c99604399634

Download Submit
C:\Windows\TEMP\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\TS_ProtocolHostCrashing.ps1

Filesize
931B

MD5
54645b0f355de9378f1a1781fd36cba8

SHA1
27d019305bc8759235eade5fa72518e76ad26e1a

SHA256
7d16cb850f7ea651b29661b7aed037fa003e4f33265fe78545222b349a0fdeb4

SHA512
b7feabf2ba494d059bb232705198da3155793c181317f04a16ebdd56094bc6d1d88ba4858746851dfa27ed8dc8370a4870671a92a4ebcd34416e83f4bc1969fd

Download Submit
C:\Windows\TEMP\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\TS_SearchApp.ps1

Filesize
926B

MD5
92e6671071de3ccce626e72b785c877a

SHA1
631e3490881c4d70635e7a6c1afc637c3810edb5

SHA256
c1f74e45e75c3f07ee042b0504bd81f5425cf4423f987d302cc2b16917d19e83

SHA512
406286b6a66d09c4256e787fcf8125495de659c53a87fabe19bcbb4633fc4195ac0783a04ba35acc1b0ca14e5dc8330181b5d79f7b84e7021a32c837b0a36275

Download Submit
C:\Windows\TEMP\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\en-US\CL_LocalizationData.psd1

Filesize
5KB

MD5
c88bcca356a16e897353ee8dc7c851f7

SHA1
edd7e9360620cb45536931fcaad0acb2950a5f49

SHA256
e8d07b2de2d97002aca0ed4e813ab448f79a4e67c75876ee137eb6bacc8ea3a1

SHA512
4d8401b514e6ea97671b8905a84a7f20fd6918f93f1f0e7d9a654d999ce2606e7398401a8508e8141e02ceeb2d68a76962f38e4742912576a1a9ab9c368dd5cf

Download Submit
C:\Windows\Temp\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\DiagPackage.dll

Filesize
88KB

MD5
901dbc7aa324836845b957d9c3868978

SHA1
cb82f741d23bba36fa3239b06014dab36caa2826

SHA256
17dfa7a99648a78519f32f8fc34c61474542cf61a7f0d6563e5870099922c228

SHA512
5ada8303bc1501b9af9fc3c7b9f6dfc626bd8b1d7ac56e56a70cba9998b8632d4c3ac301465ed5127265c69c71ab5b45b78d310cb0ba431b3705d2b2f6f8a268

Download Submit
C:\Windows\Temp\SDIAG_45feaee7-0ca3-44b1-912e-35b02e95f145\en-US\DiagPackage.dll.mui

Filesize
10KB

MD5
b06942b6dab39c611163bdb232b5d8b2

SHA1
4e222f61b477b0d901e15e9652ecd780fdb72318

SHA256
62b7009e794d7f0c2e3b4935cea103be2614c8d70e020deb109ec9efb02656a4

SHA512
8428647b7df071c1156ca2ebb9a90fe450d925665a6ebce3ddb6fd31ec5240b27c72e1e57e33f298b8b1b7d327836599603903b291f4386c0b2cc4f5de240e46

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kgkxj5re\CSCAA2ADB406E0F4E779F487C914A1C1B1.TMP

Filesize
652B

MD5
1d166a17a38842c6940dbc7a2039bc8b

SHA1
19e15cde313080d6a56d29a34c655d106b413a42

SHA256
6deee8041d0e2d626a76636d3d472aee6c0e58d232482a3fdf363eebdd1a0cc4

SHA512
3a41643edcac15d5337757fe725834ff74931d7c542139178eba937d7746253e316cb12fbd038b0255ad3808bafda2bfe8766a66d3fb5a27fb2562149b0c9b32

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kgkxj5re\kgkxj5re.0.cs

Filesize
10KB

MD5
0eea33b69db62360738c8964db492126

SHA1
2f8eb272a91cf56452751b93b626c0f23b2e2838

SHA256
8e876c825da65dcce9f002ea31df537981c848ccb2fd404dc8922e135964404f

SHA512
1f442c08d7ee78e4bbd488449e5dbdaa341b992093727ee62664fdae01828e9d606290834ef329297771710e810ead559c03ceda73798de9e2ec372a0bebb793

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kgkxj5re\kgkxj5re.cmdline

Filesize
369B

MD5
710a3c3dd5c63e311fe4fb116a7b980e

SHA1
37141475a55895aceffb0f82269e87ee6f655a60

SHA256
78918506fd06947a59e4616811171af48edbeedb5b0c03021c44cb25e74ec888

SHA512
eb81ca0f9aaac654777d39665624ab0ade250820ff05f83ef30b88b3c33d304a0398c59672aba263b414801c4851e666610c61ed4d45947d1fa06bc566c20aa4

Download Submit
memory/3560-857-0x000001204FD40000-0x000001204FD50000-memory.dmp

Filesize
64KB

Download
memory/3560-874-0x000001204FE50000-0x000001204FE60000-memory.dmp

Filesize
64KB

Download
memory/3560-889-0x0000012058530000-0x0000012058538000-memory.dmp

Filesize
32KB

Download
memory/3560-893-0x0000012059720000-0x0000012059728000-memory.dmp

Filesize
32KB

Download
memory/3560-894-0x0000012059710000-0x0000012059711000-memory.dmp

Filesize
4KB

Download
memory/3560-896-0x0000012059710000-0x0000012059718000-memory.dmp

Filesize
32KB

Download
memory/4324-913-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-914-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-903-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-902-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-904-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-900-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-912-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-911-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-910-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-909-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-908-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-907-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-906-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-905-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-915-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-901-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-916-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-919-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-918-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-917-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-920-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-925-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-924-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-923-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-922-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-921-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-899-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4324-898-0x000002145CDD0000-0x000002145CDE0000-memory.dmp

Filesize
64KB

Download
memory/4928-831-0x000001D3E2470000-0x000001D3E2492000-memory.dmp

Filesize
136KB

Download
memory/4928-851-0x000001D3E27E0000-0x000001D3E27E8000-memory.dmp

Filesize
32KB

Download