ab681e032fc54b6808984aa0069920e6b96dd23da20098bc42067c20c3aa3b9b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
Size

5.5MB
MD5

b8b95291b6367dc3365d83fd6ad14de3
SHA1

5393917310a1fbee58194ebbc902277769a4c109
SHA256

ab681e032fc54b6808984aa0069920e6b96dd23da20098bc42067c20c3aa3b9b
SHA512

2e526198a1b0af8e06f20a4eb40e82631013394acdc9223bb277be945fffae19eeed7ba73d8d6081159b92330ef1941fb2afcd3ece5022dbcaaf33b401609bfd
SSDEEP

49152:0EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfr:yAI5pAdVJn9tbnR1VgBVmp65tUV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
3568	alg.exe
4172	DiagnosticsHub.StandardCollector.Service.exe
4788	fxssvc.exe
1276	elevation_service.exe
3340	elevation_service.exe
4696	maintenanceservice.exe
3440	msdtc.exe
4896	OSE.EXE
3392	PerceptionSimulationService.exe
2784	perfhost.exe
396	locator.exe
2136	SensorDataService.exe
3684	snmptrap.exe
4928	spectrum.exe
3660	ssh-agent.exe
2992	TieringEngineService.exe
400	AgentService.exe
372	vds.exe
2376	vssvc.exe
224	wbengine.exe
872	WmiApSrv.exe
4908	SearchIndexer.exe
5888	chrmstp.exe
5980	chrmstp.exe
6116	chrmstp.exe
2744	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

Processes:

2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exemsdtc.exechrome.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e5259b5e7489627c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exechrmstp.exeDiagnosticsHub.StandardCollector.Service.exechrmstp.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\java.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exeDiagnosticsHub.StandardCollector.Service.exe2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea7797d09699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d11bebd09699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133588011857897557"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

chrome.exe2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe

pid	process
624	chrome.exe
624	chrome.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
2872	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
4172	DiagnosticsHub.StandardCollector.Service.exe
4172	DiagnosticsHub.StandardCollector.Service.exe
4172	DiagnosticsHub.StandardCollector.Service.exe
4172	DiagnosticsHub.StandardCollector.Service.exe
4172	DiagnosticsHub.StandardCollector.Service.exe
4172	DiagnosticsHub.StandardCollector.Service.exe
4172	DiagnosticsHub.StandardCollector.Service.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe
2668	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

624 chrome.exe
624 chrome.exe
624 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1736	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
Token: SeAuditPrivilege	4788	fxssvc.exe
Token: SeRestorePrivilege	2992	TieringEngineService.exe
Token: SeManageVolumePrivilege	2992	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	400	AgentService.exe
Token: SeBackupPrivilege	2376	vssvc.exe
Token: SeRestorePrivilege	2376	vssvc.exe
Token: SeAuditPrivilege	2376	vssvc.exe
Token: 33	4908	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4908	SearchIndexer.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

624 chrome.exe
624 chrome.exe
624 chrome.exe
6116 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exechrome.exe

description	pid	process	target process
PID 1736 wrote to memory of 2872	1736	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
PID 1736 wrote to memory of 2872	1736	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
PID 1736 wrote to memory of 624	1736	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe	chrome.exe
PID 1736 wrote to memory of 624	1736	2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe	chrome.exe
PID 624 wrote to memory of 3052	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 3052	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 2196	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 1560	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 1560	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe
PID 624 wrote to memory of 4012	624	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_b8b95291b6367dc3365d83fd6ad14de3_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x29c,0x2a0,0x2e0,0x2dc,0x2ec,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa6d36cc40,0x7ffa6d36cc4c,0x7ffa6d36cc58
3⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,1566786347767202969,14771425588173881536,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1900 /prefetch:2
3⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,1566786347767202969,14771425588173881536,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2180 /prefetch:3
3⤵
PID:1560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,1566786347767202969,14771425588173881536,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2476 /prefetch:8
3⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2944,i,1566786347767202969,14771425588173881536,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3104 /prefetch:1
3⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,1566786347767202969,14771425588173881536,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3156 /prefetch:1
3⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,1566786347767202969,14771425588173881536,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4516 /prefetch:1
3⤵
PID:5156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,1566786347767202969,14771425588173881536,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4756 /prefetch:8
3⤵
PID:5872

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5888

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c0,0x2c4,0x2c8,0x29c,0x2cc,0x140384698,0x1403846a4,0x1403846b0
4⤵
- Executes dropped EXE
PID:5980

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6116

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
5⤵
- Executes dropped EXE
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5048,i,1566786347767202969,14771425588173881536,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5044 /prefetch:8
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:592

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3340

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3440

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3392

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:396

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2136

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2536

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:224

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5532

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:5560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
f288ef1d2dcf18dfa8ba67be706175ba

SHA1
61d45dd5434951f9bf5a3e320e70ffcfbc671bbe

SHA256
543813f1c562df9f53f91748f759a07de697745b083eaa458a5accd059e8a2cb

SHA512
1e0566bb6f6e262d3c7fa46428c11ec0a3360f6eec0ffe68f014b292a61b81b4b802b2a26bb1953788146c20a2b9e64226ca7749e8ca3624302e351d056427bb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
3e8d90fe4d92148f6e51c23388a54c3e

SHA1
3c5b844ea7745ca145162767f656c7f2f0c9d21b

SHA256
e4f00d77d7a474da3db8aabebbcd3cdd8f99d6e1e1063b2089bdf769c5a886a1

SHA512
a244fcc62697ccc87c795c3f3abc517ceb133dd2a135124edd0ac190a8209d6d308dfdaed1c4ed97b39032ce2ff0541316df8db9b5e0a14fbe3576e089e5ccd8

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
daeeba9ee99fc22691ddd8e551b8dcd4

SHA1
d89eabaae02d7b4583ebd3495a5e5e1b01200228

SHA256
d2e70e206d6c057a577a3fd75a1cc4b0e5024ae8421cd79383bebeaf1706fc8a

SHA512
162cbe6bff5c34230145d8d01514e4c3553cfc3abf4fef3526780c052bc966ca999d8320dcb8ce5acac75b61e17330a03168e7069b57158883351703a5dac95a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
48f83c7589dcf3f5d13c96a3036a60ed

SHA1
0938998b4c439e0b1f288fe7025819ea91b47d9a

SHA256
7e7dead76f9bf5ab871cc9c98a362ca76baf0c19983f18f2efb6f189b766e4e2

SHA512
046966ceb756ab8359e8c29579b7870b3559aa3d5f21a5c9e56a46cef5cb3821b58f1ef941b0eb3c6259813687c6401d7f119fe50a590428482ed9faafbc7edb

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
973f3d696219f5d339a489e3260bed5c

SHA1
9720d6b9a447ecafb1c944f7bfc890abb2d55ef0

SHA256
53600bd681d693df6ac141642937785e7a47fea91b26a4cf2f9dd96d4c1ab98a

SHA512
fdbb46ee87e4dd45823e795817bede1aa2255a99de73fa8e25cd0da64eb926036b99cf1927d848bbfb7b882bf90054c95522ac2a6ab962af2fd76442526abaac

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
b9546d6f0ad15cd946461807c207deb7

SHA1
24f165b8d234f0ea589bf215f9747e8bf6a35032

SHA256
c531d0744d02a41ee7c295b363d81ad716dadc3639499313a7b2e380553b3627

SHA512
346fe658773908fb4b784c40e9b4e0aa3612a1431e24b7c1ddfe4cc0de98daab33b2d98bcaff3ddfc125caf63e4379d059f326332f524456b11c2112534a25d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
6c4c9bfb1ff86342654d1327ee8e078a

SHA1
5c3e5a5e5423ce35fa5f983a1b4d72e6d31fdc07

SHA256
19146a61d6ac29a50e51f2249f8c3a3c29346d3383cf077fc12d4bcfa8a32632

SHA512
ee8a2bc6510b1d99c4fdb5e23c95e3fc6b1a549ab7693a6fe652f03dc61d51144a28e1d366d0d0bf1ce6bbf794a517bd7361968c81028a1bf04a02e2b25d39ff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
18aff575db81f13b562ac986d929c918

SHA1
b03969a58432952cb575b2c680c966383357b08a

SHA256
8d8849c8ba785f8d899848b76753942cd15212ffe0853c5b25d00f25a66a9182

SHA512
6e063403889fe0cf11aa83654f355e0ce101d8223e4ba58f0e7963216d5dbc55e981cbdefb21c29e601ea0966468eb1701d45327a086b3479939a5ca7677b03a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
ed3df94d5ce2057a772cd8c25c11672b

SHA1
86434eda807dfe661bf7c8724232d6fb19685e5c

SHA256
af93365c0e07d8f30c144df793948449cd5f1260d687a08d58edaaa866143ce7

SHA512
2bfcc245cd4ef7f7406cfeaf0f167e5be7679faf2edc649d1267ba0dacdbffedc135290e5d6d086bd3b8fe93bc327605c6729bee6e5a5fb131a9f865aeeb25bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
9d927fb78e7e0acfd9ff0598e503c1de

SHA1
1a941c0bcb3109283c13a4f20120b7fdd87b17cc

SHA256
af82869fb213c670a7675900ba8cc57194caea7d7684446cdf4719cbd35cd549

SHA512
43c5d295d7fa9b0cf86e872b2e06ac7a79c88b4e98ba330a1022d3c4a85d46c65cc40f99635d3d1fc608f779d03f90802cbd4a9e8f396933d08896c3a7429289

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
5f1958839c74ffdab8b86e994b1a5aad

SHA1
e5e2d7141673cdaca897415fc687516c06047a0a

SHA256
b322337e96d036a4608f45a270e9cdb3e0ce7d16d01a0f83cc267f23e7982e74

SHA512
d80934133936fa99235b0f34252b159648ff02d61bcca4d7481ee0141826fc935f73cc2b8b1e74b41db1ae47cd33e68e79b543d20ca31f956b2d4ab1eb703d8e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
de7f9306dd7e4122135661bcac5d4059

SHA1
73f050099715e19a47c2fab29a7ab11958003057

SHA256
05489902c58d9a2e8350c2623bec4bc469362e9f4d0e40f8a49bed180f826cf2

SHA512
d60352424dbbcb2bcf9615f17b521de4db355db3f598593cc2681862940568b75fc37004e8eac009b173c085ef176d915cc91f2e4ef5006d1af99ab7fff8d522

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
01efabcb3bcd18a2abd4ca01296f9132

SHA1
5d06983cf6e6998c46664cf3d4e58d2df5fa402a

SHA256
12ac3ee222862c889d74936adb592c890e7feaf9e6f4ae2951791276d521c3f5

SHA512
2df6a321640e83633ffb8a0bd2fe570ff8552e66504152a0ab24de0fb63aba34dc04ef30022b9fc0a053a55b249f578e3794a737d4bfb19bef136cc44aa6c1e1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
c72b94bb750b71a754acce6c5a920a29

SHA1
e3ceb068507afaac9674e09fa5f899ec1b2ba90e

SHA256
29e0d9a29890465728312c112a77cd854ff091622572f46b94a04d233874901a

SHA512
7cd5b4870e80199d75a1422515f0ea0d1918c161bb12622c48714e1e1591a502a83acec1178da482199b6b088e2b6c04b0321fd7dfbc2d7f4547333944d03a2a

Download Submit
C:\Program Files\Crashpad\settings.dat
Filesize
40B

MD5
21051c2d2b882db5fd154d892912f80e

SHA1
efd828e31a80c5bfc0eeacce5e107bcbfcb4ac45

SHA256
bd26b7fc11b6811a1569980ded3004fd57ad9de98942460f30db817694b879ad

SHA512
5b8f81ce088beee3e198a65294d026952265795ce9d8bdd8b598a241905c14ba89110cafa9bb4b9af1d97c188b91149d6084ef7bf3b4cba320d6a39722f8f44e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
d99ded46f0006d686ba19fda2e2d0c16

SHA1
08c2a9131c91dc5267acdfa84d5db0f3c7e3ee2c

SHA256
517cef7ac3e508811c6792924a0e601a6b410737f148756733f6a7991d5ff271

SHA512
d6079deb63f81b68cc169b67b8a95aaf3aa2a340d3f7bd8fdbd3543be09cd917b185bb684e5ca1f80a848c8a441805a70268eee20870d9ff4c77c66cb7924443

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
a891534469da78b80f2bac19566dc074

SHA1
0911437e42f63c01da6f6b0b3d355d4d5cfd460f

SHA256
6085e65016fac5157ce69a6f748bf9e77fead7a0c878cd7e6737026cd47ae2ee

SHA512
82a3bd3bc1cde9eccb4c8ac20538db94aa3be49eb45b2ea877a24439de29daaefdc888c06926c0c48d6f5a41adf8084054ced88831f61e63caa90cebf2a59067

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
409bc6a8af4b3d9e7fad27ee0cbfc934

SHA1
440bcb85621eacbae5589d0a38346c5ca44f7c35

SHA256
62408fb8b01a860873b1dca1fe26062d95b185d92881ed6a1e8a678446a01c4f

SHA512
bd20f1b4e39dbf3e29cd8e7d41735e48ccc149e34120b9406873e32214a4f95a546b3728b5a2a0fd12dd88776cd8b96193692f44bdc801b46dae9a23cb9b92e7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
767009dee886d932729c691ca92d1a50

SHA1
d3e63c8d7a87bedf1e444d7accf8aa3bbdbe0696

SHA256
29b52fa6a23f25026755f2edd5b43dc2b024d151a3ed7c0a6d2dba7afad41d35

SHA512
c7bb829ca953af8b5f39df04514050322dd64dac6ca58e9f5f80b287430929178c8f7e66faaae7c21cc1585ab77c46aa28de3337166122def34881411b21a500

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
8729c58ad2526e3743aeb12e23987603

SHA1
36b11b29e7c0cee40653ed0c6354f7b752c5e191

SHA256
261686798200c1f6a9fe1af0ce110282a6d38a7d2bc451a767ffbe75763a063b

SHA512
fed2c551a6e91751a3b1bd65169292a49dd534eeef072fb2fd553270c02596c4ffb4253282ea41c0163c539145514e94afe1fb6c40b6e2d448e2ef2fe0efa85f

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\4f34e338-6220-49f5-a451-f232dce3a6ea.tmp
Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
ba532703e19656215950ecf1d2024f5b

SHA1
748a245d3f9234b85c6ba4f34ad4d087a43df151

SHA256
64894a9e1a00da5548e7bc94e9ae421d8cbe12605244004caa51f2fd108b183f

SHA512
bc36cd3321db995f07f42dd25232252ef30ecb89d8801d5ac591b6f050d6203f841168aa4c76a0173de0979110de6fc30676665aa1c90b473981eed6b96b14a5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
f4eeabfd65851ce8e905c339668c05c7

SHA1
f9171d604c2086138d61d1f4613ce21ea4ea62bc

SHA256
54d9cab6515d19a6ad15b68521f99139b87b40e799c76806d50175d1bebef1e8

SHA512
41fb18a3ae472d7d136c9b48626750f5f462f4de3f6d1bc6a8d55f60baed0988300aeb17562d952b57e7e3f04349410e21ba72677033f9cea161ca9432324cb5

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
6d877ef2c0050495670395856933010b

SHA1
bb8159c9dcc212af7f6691cb322518cf59eb6858

SHA256
74ad295083875234e066977f2d08bf257d826a5542a07e994944a2c55c995391

SHA512
7d349fc5ff92b7df8a730745fc59fd4489fe3d17f2148d44583cae24e014096314908a97cb806bf0cbfa017b804d4adc683bb9d8642ea4866e8bcfa66a94318b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
2d18321b28f6d7d83a5bc35d15aae5ea

SHA1
673378227d44f57e0488f78733848c8d26ee6a67

SHA256
a52b31730394d9d9e8fbc13be5e1e9c09e791d2069a9e5a200b82326afb6fa96

SHA512
b90579db59cee667d12187f55497423495fbf9904eaba9d84636bf3fc47a1fb1a3e09a455f316916d230b0a3bacf4d7b313fb5db6bd3c530d415d8b9f6430a1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
fd4b4eb80f7b6f9452a1af98bba90fd6

SHA1
084ff418fb368d4cd6e53eed4e458f03dab996a8

SHA256
58600b9436cc2ef906e601186a46d20d2e861d98d9d58b31517858dc5362f49f

SHA512
0e8f1c44bc0d2f4ea7171c07f02f98f12a40aa39f03b93bfad9bd41fe6d9acb082241f2ff7a0472075ecec310ebff4fb48472e327fe36397ec4126f7369e6711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
cb117117e84adf03a3da1fec612cdc1e

SHA1
bf2af88757d6103b4670a51c3ae368b2f9c7a979

SHA256
4b1446ec35f00486a064581fe39a3f4cf3bbb12aa6eb804d7fb24b52a127c902

SHA512
a109dfbb4aa45fa03fc04c770614c9982503c761fd88c77e1f4a950eaabcacad226af25108f116945705daba23c38573bbb9c163aa4381eb16020301b891701b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
10b1e63930e78808fb6d5eafb33d5718

SHA1
c56d2f31210ed0168fd08a0b0311d9064ae4a24f

SHA256
58560657aa547066e2520699e32daa86750626ff0c1c3cdf1991b91c7682452b

SHA512
1b6a128364269b2a430a9ab63a6a42c4a16581eafe45aecd11dfea4eb40dd8f0acf00563709bbd5b1e77e1da081dfded83e2d309b157e96eb0c025fd3807abb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
2ba97617d09ea34e7b22299031defb12

SHA1
9a01804d5070a2b9e4181c176a862dee8476e3f0

SHA256
09733585f342e5ddaddb5cfd292fc8e35aa7b2efe930ac5ba3a4e7f512ab55ce

SHA512
5155b539da8e654f330894225840b535e05d1975a266d440d3822a99bc7416b2ad81de3181fefe3a48a8f15c42bbb00b178d1d691c2077ee5a6adecbbf1c1876

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
270ec4b1cd38976ba6730d2ee2d6c340

SHA1
b95c93cd4d716460e564a99888df5555aa846e28

SHA256
16b815d17178d250d62339c50a2391349033e98f5422f7e7537c5f99fabcee05

SHA512
16eae2821ec156321c6b0165916aaeedfb714ec807240bde2c76fd02d1cd9c627e3729b42fd382cc083c2c725d50ef52ad1242dbe33263c63f27495191ef4b75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
180f821d2e36c4ad149605ab40d0e5f9

SHA1
c5c1c863113b7566bb7db7eb1c7595509168b981

SHA256
9b1bcc3b3c0760de22577b65d3eb96f115b6827c151bcf8ad4afd0636670f04f

SHA512
1ee0b9b8f2e0ac5326f356bc2738469b17d724ecb5dc48e55c35840b105c2b0ea3ac730233f2f8aeb4de64df82b78e3017809ac7081bc15bb6846ca91750e880

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
efedaca7dc2670c9c9c9c96054ef2833

SHA1
114d61fdb26d78acbf3f231b6525ae1a8dbba8fb

SHA256
84925ec65e202fe32690799c1808039f34190d6615bc5a9121cdc6a0b1835662

SHA512
74b60b649c9a8acf7524891b0ca9b8c841bd24b6d5508936a2a1f3497698e0c07a15cb1c03104ac8e839291704e044f88293811306f1c7b377527bdf48dc64b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f90bea3a0083e6fb9bf742909cb39ce2

SHA1
bb2ef950e9103f5f017917e4ff877accd5cc2f9b

SHA256
231630a4825fc17b706755880781ab526085f47621a15bc0cd987b24ded22bc7

SHA512
264625bedb2579fbb2f81a897ee57bba652bf02c72e0b652224c3bf5685a86d451387e5cbc42f17df362d84bd31b93063c2526916d19c03040cc61560087e4c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1ba5e828b9b5e4fd3754698963c38f0e

SHA1
c5344b1cbab6518be44791540b5e81ecaa8ae34a

SHA256
2f69eff4d2c1b56460010dfc423788142d13a9bdca72d2f6039efd91faf5418f

SHA512
7d821b18fdf2a7bc3478d2f71d38f629c0d58d73c50192ed243ffff2ab8b92894689d177558ecbb30c77864daab6a0ba0616865b4703add8cc152eb6fed9f11c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
cf2c3d6d845a474a1ad63effe3153eed

SHA1
45bb672297ab18821759bc75fe8fb2dc319d5bab

SHA256
b365eed0a543571f6f68595bba45355efe4dfa733171b220c280289fe0b2cf7e

SHA512
4d040b7a7cebf22dd71248b3c44527204f5678d4a1c94bfddc74ef344a9f916ce44672decde63b1126c40d0285556dd4d4ed308bc10a54170b8e6aa7c91ca407

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
da309183ae94a99e624e4ab9b1ec9470

SHA1
881c18b099387958d3089dae567ca51c770e2119

SHA256
577a958f4126cadcfbe1af6f44cb008fe1624039fefd4aeeaaf5b58b6d6e597f

SHA512
f1776a2bac8c3a5e8c42a73a6760b416f9e71545b90138520a62837dc8af58997d560027fcd5ae128842b5eba9d702351870e3fc0a52b022ffd3f4c88a96e277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576ff0.TMP
Filesize
1KB

MD5
d8c020453a9745d3cb6e966101a2171d

SHA1
599f394ce1fdfc46c360ccc073892dc2dc98eb4a

SHA256
f739329dcdf0bc11443f2eb18f48b5f721183d20e9269cd2ed983d35021db35a

SHA512
9001b06ed627273807c8cbb383febb231f52bf813074896f4f6a7ab20ccb0463ca135f36524934e4586bd872877a8a128f60db53d1591ec8a166d4bfe0894723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
99e1bd27592e50080651a86072ccc5ee

SHA1
387af047f1106604e1359501dbe8906521acb981

SHA256
5d85333cc80c6527fda7ce03b4436ea7b634ef6805b1ace977a443e31ca8b0f2

SHA512
308f5af1e9f09877be475f5f232e80fe66e933ee9358fdc95e51f31c9a72b9ae4392028f42594696bf3726e27f55123f0e39169e158d260ac10f0445f69d348c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
67f35ba65ba3488d82cda349729dcc08

SHA1
ab82afd8c1fb61e6ecf02cd7a36cfbf8009207ca

SHA256
ba030421ff492ad98228e19863fe67c303a93310c7df518c16004619bf068d6d

SHA512
861f0d2d1eec4f1555065be04614c7331f2f8b7f0fe8a0b60060dd2d958d71f918414369053dddcb373a137f9603f78222df1d31c278821d793b524983b3f9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
9a367c40a5a841e0b2a075fd0c8444ea

SHA1
d199d7de6bd9e5b7a25000d903326fa0c8a266c2

SHA256
aac11a39a40e98dd08d29031ef57daa19a9be77e217e3c1891e31de6dcea051c

SHA512
e208d5c650be1cfbb1162c84e3c731d29480009653fe92511c0fecdb33691ea7ae4da9ecea5ab490e00e1ca331416a4b2b4d2425bcd8874e798218f2f7407e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
234aaba2e52a8cdddc6284f9786c2126

SHA1
cfc7681a04675cd23371b713d985b3d04dc3179c

SHA256
6bb63d18bca0c169f747f7c757bdcaef96ba13b0d2d1ac1e72c233dd00549a19

SHA512
abf8e3da599d764cad6d79c8d40619d50709ed592910411c89735af5af270df7624e5dea921eac863891e8afc29fd7868818e653abc483f5c4daa3b715bb3cee

Download Submit
C:\Users\Admin\AppData\Roaming\e5259b5e7489627c.bin
Filesize
12KB

MD5
ca58b559d9edf7475d92ec5b15367423

SHA1
a95d2afe690a272063bc3dd9a8cec552015f95e7

SHA256
5271487f8fdcfedacf72d324e135523f7918762c9c0bc354d8673e31d8818248

SHA512
af0c685318919aeba0d416c471c19c7674d1f15f75c7b26cd6625216ab9d8d3a21d511f551d224d633dca7f6e70ab807b80551140bfa0a14bd1745e553914415

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
4448a996048e8b711e3c3bdf92fdc1bc

SHA1
c97053e2670e862e30fca6e7d748d227157ed2e5

SHA256
3e95223caecd7aa7152bb7cb3f548fa96a6ea7788e0f3a7a62369e332ce0d257

SHA512
f5996f95dd0f459563ea5aa571fce4103ae5db9bb457416aad16d7b3a43761af7db2b1625bf3b37099da482173621585ae4cf7ff8f0dac255c371247a5919882

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d62b0b7bd32961c62a56b7455e947100

SHA1
95a246e969881d93605559b062a24d5be4ce5241

SHA256
bf8f077794443fa22158c2b49f0bed497d7fea471ce861c3886ac663be3bfb7d

SHA512
2bb86efce4342e5f6a66066dc9e615558c552fb198e7a1e88472ea87a2702554bfa22c28e67da4f63b38be53f65490f0056a2c4eb6ddfc1e1c172e07ef1d2960

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
ff9dd17e6191a1f02a2452a047d809e1

SHA1
bc4a792b9cc9b38299d37acbf7f1245ca468cc62

SHA256
37ba2f533d5e270ed63d706826cc27f4f2cc6b6e91170f2b20d064cbc06ef35b

SHA512
c3f23773f3d35727ee08bf8eb68f4fe152de6f8a88b8180e6ab1ec42bacfeadee6912cc5e4505376f994785c0e005085565b761a9b362fbeab1c91a3fab8a34c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
4ec266ee1fcbcaa45f7c56f470557c05

SHA1
86f12cb96876b21c47ad1427772e7038a90eb540

SHA256
a06f9267fa5d9063f9a208a95ce55e48149af9809095e48545d79ff8b0ecc1c8

SHA512
0b259d4b5dfcbee4ae89fa1c4d8d270cd45f563bbe40726d7578cb5014d0aae9133c4fb332dba1cc9f1d072d8afb230360c0ff38cc5a0d97b52921f7c1997002

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
49d983fe15752596bf5fc91325757e84

SHA1
69d6f5381f8fec89e5d38439b2542d044d5462b5

SHA256
fa156fcddee41023e66954b90ebbdbfa9469c1b0a6b5f9bc570a5efc534e12c5

SHA512
9df2d8e5292a0e8817000ddf7c3e9b9b45b9d03d43c5ec7da2d50da98db625e68a21f6fadd86355a54c6d8b177faafaa2b1e9e14e99c1659fe60a7ef5c8c5109

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
748e2d4a19bda947720badc40627497d

SHA1
89cc12620e48b4a9b8c70ff4dd6bc2130ea71a62

SHA256
261c0f01a5dd6192795a528dd4a7277e8b473675090381697a86bf553c285a97

SHA512
c4b3f122646eb1f8f62c674a126e3d99deb5470f304b1b8a8c9b96fc232d59030793aba9661fe5f29e40bceed039fc6fb9df24d3f0a2e9b56487a3550a85899b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
bbec7c2ed6788634951a118235f39494

SHA1
bbbfd14f03d892106fa055c406c8f9eeb9c8e7a6

SHA256
0cb27e7e379c76d6951cebfdf8fd1b647ba7cd3022244cea6eee570eb97d59b3

SHA512
7ca19b7387c021275fe1a8a14c85354e3c8fad3172b70d08babcde244dab41316178c61ce4b0efda4d0c1f9d31569faa03b484735971235ecae3a4c7439a8a93

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
0ebd6fcac5af83f47788a48617e599e9

SHA1
1aaff04f932f2277419a369cbff83200f36a9d1f

SHA256
b9fde9ced1b505f7fab48bf7e58413ee582731bc17728ae7f81990f065428121

SHA512
77635c368d0a128458b8fd0ec8f1e28c03a00e019ab072618fc6a5d73e150161922800345de8cfda6e105e5656ffc555cd9989219d83877b36731e9905db5fe6

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f31d504931859c85d7b6c97e00b60af5

SHA1
10743f849b7b6072871d1adbcd79318ccdc6a132

SHA256
69db7270445957007cf62d906cc576c8af4ab087f1be7cb76c900bd1dfb98196

SHA512
111d501ab961cca7d711132496953013693149490c2e5d2953346e1d8d5a126851b3893d8d87567a5d8a07ae80410f98dcf6bbb6bb9b82499f8aa5b156fa6a1b

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
e8d7fe333a28c280642bdffa019bf79b

SHA1
99b6552c5f8e66ee9760a991c7903e830a5a1a2b

SHA256
67a405b819c981a2a6db04e4dd17be4c7e9fe0f94bf8bffdae0194ef0f5510de

SHA512
40be028d012ce07f3703ead13d5c0938dd529460e3ef89eddd0459bad53a6eda86a2a3eea29e0738c46a9cd135193b4aafcbe9195a6131c3e7c7d362ac397043

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
abb657a6b5afd04b7fbf723a0064f408

SHA1
3bed9d1a9a2920ddf4a963c7bdae3f080c93a901

SHA256
01d3d1f7268a2ead8e49acf614b79438273c653df3c317849e5318fe154708fa

SHA512
07898b0c6276666123552f0691496e7076fa1f89110c4fc3630d9427b442f432131755eef08282d133b0da77d21a1c49c4a8db5ddeaefdafa0e11b69fde9a5c9

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
a6c0524088cc1c9f30b3acf109c2ea36

SHA1
3b35f28bda3ac7a2298d975dc76583f082f9fec4

SHA256
6ae9ccf3d4c90e34bde1a740f76ef521f03b95a737c8203924ba0e7c4817bd69

SHA512
9fb292a4c4137888465958c2e45a96c8c0e97e5df01b99051d3c397be0ffa355f4486ca0407652c89ec0c7f60b5f349739f90f2f7315e3b02c3e83667aacf86d

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
3cefe260b59e80ac5592d1d3d0f7874a

SHA1
2256244e040adfccc382dacf324498accd002f1f

SHA256
b6dba972f893b2e1f749692eb8f096943c6498d01eab48f9c1393042a8bf13a8

SHA512
9653b3634fd792cab00e068259797724fb4f147427ba823d453d8db81469d21cab73964edeedfb9be89bb76f26e69afc066aac7cd05186ab2fc8e90339ef6658

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
b289235417d2d5955ec43d0a0e8c88d7

SHA1
76f54df3f4a850cbf6f8f4f3a6e2f60e52fc957b

SHA256
3d897295f2fe189ae3d78d308affed3f73426195c39f505bf45c480decedae39

SHA512
047f1e21ad5c6fd7c520cebcd9ecdde895a828f22c59117683482f5b5e33f7cc75a095addf248c64e0fc1c956fb74a2fb5e2598061e07574d05b76ffc40fb1f0

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
e508e1c78c3abc987b65dbfb1c9f6e3e

SHA1
cf096f6c9ef95fe081252771edc94c2edb5cb619

SHA256
8eaf46ab34500f21b674f41d8dd0db841699dabbb807b418f1122bcb2cb42c16

SHA512
214ef18a963821893c54a78b212477888ba179d26d23303f5041af0be2f40b1300fbce67f1dbbb507c56f9c20751786134bf8ef8ea839acb7724df5cc1af37aa

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
d28a9d36e6ca7ec1066b5eb261f05408

SHA1
5a06191b2a632b3232a249c102141112a4991bb8

SHA256
f8c5e25af321c5d7b509e784106beae4ba5ba283bda727161684a9965b6c3937

SHA512
52ddbbfd6a8114aaf8699882ffcfe81d0bfce859e026a58ccaf7268c60966956811a0a1822f7e4151e799400a9656db5e5ffe424cf7168268f5f529d29e2fd86

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
416012c26a4699468547a22838b0b0fd

SHA1
6a1f06b441e235d7fff445646d5ba31ab1254c19

SHA256
b48547f2a0935b20eb28c879d9357a964f8d9e976f395e80370b9c0069950bf5

SHA512
cfc81282df38aa40310a32ce887a5e26da6b58dc4f367def686c681f196d70b66d850837be9b45cfcbf68fc2cff2562d33a81a1c7eefef2d5c43b1c0cbf7a775

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8d7f7bfc43505ef5f94bce105c81d671

SHA1
9e3c3f5aed98ccc0c62019dd73ce51e49d2b16cf

SHA256
52f5e59e97fe256e3daf24e48f67a89f14f6c4aeffb6c156fadf776288e86daf

SHA512
392825fc2381d9a25b77453ff1f50eb40c75d90e29df1fff7dc95941bc93567ef42c65ec15eaffa2f1cfd7dace2256f205c783578d76c7c6eff053912642914e

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
ce88c0e62696f9b39c64cf5ac33517dc

SHA1
1bbfc962eed0c5cf4b949f1607ab5c5ce300bbbe

SHA256
7c7b7b09b8e36e96347faae78ca362846a6518a923f24665ea4f0662d2bee32e

SHA512
7e2cefc742c047a5c0af83bf2a97b6714e0b44ed00a6c808550800117df1e7870f1db82c0f229d57d0c36f5162cce3ef6494ef826b7787878c5584963c4e96ee

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
0cd3c79830f97fe7c11dda0516deb8b8

SHA1
338c4ddd8dba99e026ca67237b477bc9ed7146a7

SHA256
1187b6745e4490442f18b21d5185265fc633d32e199ed6395ed9dca453a07f3a

SHA512
03e1d09161bb225b2ab549a36f5589b3abe98020ddb63db95097ef8cf8e4799d42331665d14e6bf9c3c57da3d01ddd2fe2e8cd7dacf1a9461ec7ad31c8a634ef

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
b157c584caae59939313756f939d5332

SHA1
97759458584b08646304084ff0f3a87ab8b34d70

SHA256
f84fbc98dd83eaaeda25e663b96a29a67d89145f6e962281486a500ad17bc23a

SHA512
92472171d139f1e4eed05a96025c5af61982482715ef82822face570b89af4d1bf029631233dfd16dfe758420d3e67ba3fd2f2e143fc8f76c0a61b12e312b0da

Download Submit
\??\pipe\crashpad_624_SGCZHJZBIKKRRGJM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-234-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/372-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/396-226-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/400-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/872-235-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/872-603-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1276-56-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1276-50-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1276-341-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1276-221-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1736-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1736-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1736-23-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1736-44-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1736-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2136-227-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2136-486-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2376-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2744-617-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/2744-456-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/2784-225-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2872-501-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2872-12-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2872-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2872-18-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2992-231-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3340-220-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3340-602-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3340-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3340-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3392-224-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3392-98-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/3440-222-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3568-35-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3568-502-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3660-230-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3684-228-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4172-36-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4172-29-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4172-505-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4172-38-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4696-77-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4696-71-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4696-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4696-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4788-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4896-94-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4896-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4896-88-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4908-604-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4908-236-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4928-229-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5888-419-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5888-483-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5980-616-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5980-422-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6116-434-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6116-472-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download