ecd7c64a034efa7b908301399b3c024e7d709b84b014a0ee938309ac77e786d6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 14:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
Size

4.6MB
MD5

1a75cc01bfbe199fc0f4eedb4f581123
SHA1

070bde265a9d8df7594db19c6a41555bf2c65e5e
SHA256

ecd7c64a034efa7b908301399b3c024e7d709b84b014a0ee938309ac77e786d6
SHA512

e2039cb009abbb3ba67629c06f20453758d9f2b91b3d24b1b10882e3bdbdb26ed1d1e3faaa47e6b915ff35653850c36acd6bb2005acf66e440cf1286dcb2590b
SSDEEP

49152:/RUe99+g7C1zqHd+RlxvzPEWBBzj3TvIIoQDk4qi4A2uVoj0I1v5ghsw7Ozx+olu:mp/z8YBzjzxUzk6xkZzWqMT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3608	alg.exe
1088	DiagnosticsHub.StandardCollector.Service.exe
448	fxssvc.exe
1624	elevation_service.exe
4232	elevation_service.exe
1732	maintenanceservice.exe
1528	msdtc.exe
2892	OSE.EXE
1148	PerceptionSimulationService.exe
4372	perfhost.exe
2988	locator.exe
1220	SensorDataService.exe
2512	snmptrap.exe
3332	spectrum.exe
2436	ssh-agent.exe
4992	TieringEngineService.exe
4944	AgentService.exe
5112	vds.exe
3624	vssvc.exe
4800	wbengine.exe
4396	WmiApSrv.exe
3104	SearchIndexer.exe
5540	chrmstp.exe
5684	chrmstp.exe
5768	chrmstp.exe
5840	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5876b409234f82a5.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaws.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591335336442318"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000923d979b9c9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4db3e9c9c9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f179739b9c9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001207d39b9c9cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8657f9b9c9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031f0329b9c9cda01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
1088	DiagnosticsHub.StandardCollector.Service.exe
1088	DiagnosticsHub.StandardCollector.Service.exe
1088	DiagnosticsHub.StandardCollector.Service.exe
1088	DiagnosticsHub.StandardCollector.Service.exe
1088	DiagnosticsHub.StandardCollector.Service.exe
1088	DiagnosticsHub.StandardCollector.Service.exe
1088	DiagnosticsHub.StandardCollector.Service.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3688	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
Token: SeTakeOwnershipPrivilege	4244	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
Token: SeAuditPrivilege	448	fxssvc.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeRestorePrivilege	4992	TieringEngineService.exe
Token: SeManageVolumePrivilege	4992	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4944	AgentService.exe
Token: SeBackupPrivilege	3624	vssvc.exe
Token: SeRestorePrivilege	3624	vssvc.exe
Token: SeAuditPrivilege	3624	vssvc.exe
Token: SeBackupPrivilege	4800	wbengine.exe
Token: SeRestorePrivilege	4800	wbengine.exe
Token: SeSecurityPrivilege	4800	wbengine.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: 33	3104	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3104	SearchIndexer.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
5768	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4244	3688	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe	83
PID 3688 wrote to memory of 4244	3688	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe	83
PID 3688 wrote to memory of 3900	3688	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe	84
PID 3688 wrote to memory of 3900	3688	2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe	84
PID 3900 wrote to memory of 1264	3900	chrome.exe	85
PID 3900 wrote to memory of 1264	3900	chrome.exe	85
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 2084	3900	chrome.exe	91
PID 3900 wrote to memory of 3192	3900	chrome.exe	92
PID 3900 wrote to memory of 3192	3900	chrome.exe	92
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93
PID 3900 wrote to memory of 2912	3900	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-02_1a75cc01bfbe199fc0f4eedb4f581123_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.92 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb83dccc40,0x7ffb83dccc4c,0x7ffb83dccc58
    3⤵
    PID:1264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,4526307118526097103,14687693755513732488,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:2084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,4526307118526097103,14687693755513732488,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2348 /prefetch:3
    3⤵
    PID:3192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,4526307118526097103,14687693755513732488,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2356 /prefetch:8
    3⤵
    PID:2912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3028,i,4526307118526097103,14687693755513732488,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3108 /prefetch:1
    3⤵
    PID:2456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3040,i,4526307118526097103,14687693755513732488,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:3340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,4526307118526097103,14687693755513732488,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4476 /prefetch:1
    3⤵
    PID:5236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4628,i,4526307118526097103,14687693755513732488,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4600 /prefetch:8
    3⤵
    PID:5444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4616,i,4526307118526097103,14687693755513732488,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4760 /prefetch:8
    3⤵
    PID:5452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4412,i,4526307118526097103,14687693755513732488,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4828 /prefetch:8
    3⤵
    PID:5324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,4526307118526097103,14687693755513732488,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4732 /prefetch:8
    3⤵
    PID:5388
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5540
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:5684
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5768
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5272,i,4526307118526097103,14687693755513732488,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4600 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3128

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:548

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4232

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1528

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1220

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3332

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:776

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3104
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1204
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
eca7012fbf75d493ab977c5aa268248e

SHA1
f2934a4ab69fcc172d680fd67dfd7c434046c3f9

SHA256
d11d1444d710a64513bba924fe65519135b24c59eec33095ef7a7c52fdfcc7df

SHA512
be2b26c3cd93f1af3e09eb6f8d9ae8630fe36e2820be1c8751e1473bede7856b8e9fe89395b14fe85d87a838d767de87fa916e170b01fd779bcc79e6919a7d2b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
599806f6986ec42cce751261a837d1c2

SHA1
9a81ee1595abbd59022d7679301d9eda3fc413b1

SHA256
5658b70e9f7feb0efb44a8c544e0742a48dda5344ce0556676c3af5cdef3f422

SHA512
9f7abe637445493e48ffc545310aa749e83ca3c34ba0d4bc77bd9b70a2979aac5670d590f828f567d9b0d02b2befd93fa494bfd8b200d48c22eabea15cdf938a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
25235b4e6d43a2dfca65980a5bd6ba69

SHA1
054a20fb39954fca79e05901d4314e7ad48309b1

SHA256
333c604d6ace702d613d0ea0c9d63c9d36b3f2bacc034531aa2e6c6e46081fee

SHA512
d21b26d0c20f07d3d9280fdfb4aa542e875346a210cebf59094b0ccd0c6ad4010af2d0294174218101da65c6da844cec1d0daa3fe5f8eeb5924cab3ba49889ed

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
23f0b30cebb8556d0d51d0fed41e2640

SHA1
b7d5d244856b6cbe7606609e014e3ce0dbfe60e4

SHA256
68d9e2250943359e2464726a2e5d6fa5ea08b371ee1082d73d71f055a6b3aa04

SHA512
5f3ba66322d5c14dc95b3875d045a4fb9e7e825e03e9efdd28d3e6bec41ce9cfe500329437ca7e3993bce640824fab1636ff3d8904f225f882e9a44cce5ff38c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0da0240f67256878d8a145a53b74c08d

SHA1
bf2ec6f009b5c3b07e0bc3ef29ef3deb5befd603

SHA256
4da78844483b992d83a3d622ee7c2b75677eac724ca8c1ccfec5fe8ad9f9b957

SHA512
a03f50a349c16ae5fe1ede219d1feb268eb2f27a7b27b61210f5cde2b3d05eefc3595a02aa5e1cd2d5b79cd5488cc14962f871f23f0897964bdd492ae68b7617

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
7f09e540327388b6ca974aa5ae6f4ca9

SHA1
f13d1b946e1403768f0ebf6cfe53b226dbde68eb

SHA256
10205e9ba0bb375f7f0dbcd08a07a02330699b9b3c9c1da1c9078fb8b8068244

SHA512
cbe5bb7bfb66fc2c90ae0a76a053eafbda6ef212325e86005a2a0b44ba2d6490b95f22be328b5d46961133b6b9a8c423469db8d7213cb743cb419aa2c40d755d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
5bd5bf21ec3d1d2b6e7057df0b02320b

SHA1
9d4150c80d4444c8944fe80ce72d02d28d914185

SHA256
46dd3b181d600b078881fdf28cad64a5f7efbdeae90c84d2616018d2ecbadac9

SHA512
9341e99ac0b303eb945fa01b413844cf8442b78bdaf61e5c4a311269a8f857752e7a1fe2c2aa8cb4836e87495f6f9d7e16ea341c8c302caf338a3d0802e54663

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3dc2f5aa4cee05f8bf18608a2714edb9

SHA1
aa1a505d74341a52a748f2b1c33062884c8af394

SHA256
22269f826ced385af8289d82eb395e5d400bfcbc669a2e0d2dce021569d30dfe

SHA512
d2ac78b36b23127190072d67afb898357bf20cce3928b4f6df5fd49d864d624db469ad2dec58fdb391bf5025e268abf673906209ef75d543e9ad9729a5943eb9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
1a4883bf72bec3eb51e6193ed68584ef

SHA1
3c5fedcde6f19d4842b100096931cb70fd1c5a48

SHA256
adfc8189cf1dc3137b01326e57bffa0798f00a8dfa34d91bd1f357f389e0ee64

SHA512
36e8e13fd39801cfe867583a314757d11c97c41644d7b1c7ac93ceed213bed8e23ca0b18b95eaaed24d0b8d899b0ddbb4f84ff2ddc67250be9cae057f2f651a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b2ce064fde1b88e45cd9343110deb2b1

SHA1
c6d6cbd8c7b577f5e0c7b618275c4af43a01eb4d

SHA256
d918e76454fcf0b67b54e658ca33b6ccbc5c44a3bfa4732731cee34343b1c157

SHA512
a5bfe83398cd0c18b24f489824df20ea02918eb5e5875e25d31c58878a7900f7620a05112ea5d1d4dcc692dd534cd09ea748e05fc2213287e02c11de64c34fa5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fc6369f2e3a4d5a1db98e19e45222ad1

SHA1
fa153c35983307a41d25d56978ef862623fb8983

SHA256
05673ce7d1be1ce2a022eb8d037fe1682b82e460c9f96103eb6be5b4aa2e3400

SHA512
3d047641ac3e16dd7dfc4c0f5a322367bc2e21aa1c76622fc6e582930a8a36c1345cefc95cb2e33fab6b70d0b355f110fc421f0651f5150000e624d2c04f0347

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ea0e7dedeb0b326f596ddfaa47883bca

SHA1
4ed154293d43864b673c8c67442b135b744470f2

SHA256
cdbd5148229ab0be28f73e4f6722ebe3a824746f138ebc84480362e2e24c0b44

SHA512
1332c6557caa41eb169f732f5b60ee72d39ae23d05bca1cba1e92a9243712bcac41b8e8b45026aff2f0bc81b35457b0bee8e7348a62974954beaa8405079c009

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
113a886abbf1d69ffe50e95745eb8881

SHA1
d5c5336bf4acb63fadc95806e49ca7b35fdb3ce7

SHA256
6a0e52ff063f94faf4749e3de319b82d1c846752425d7fc80a637281ef832260

SHA512
968f5c86ea7620ed9b55a94c9226b04a49cd67b2718c4daa0c4e33e8b55055fa017a0977714b7e6ece9ce89a1b0811132e5c1e1a1ea53333e04a581097855337

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
7532d1aa2c2c4cf72288179e5c55b51f

SHA1
02592d99f4cf3574c29ea678f8ad3212064d5e38

SHA256
f9bde3edf465113d297ee31f1d034178f5d1a7e3be9f85b5e4ce2e9ecc4f771a

SHA512
a8a224d93014c44abb757d42b8c3f94e1838898230fe1211c1f95bebf79d377542584f5cc96da464b844eb8ca565f6662110f0be1b0596ef4c16feb8b82a3a38

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
83dc51c40db797cdc9a26736f13aff73

SHA1
c62d693a5382d01fe1fe2dca82655890c52d492d

SHA256
5e6fa285fed99271c4136360c6e29dbe489788783c5e2cbe565fe5e6977ded2a

SHA512
56680a4db4d3bb977e947efddbff4a5816aa00db8ba9010e1699abac5d411d180389ce535e92804006804ccfb89304f1bee38b85041114f9b3e33cd5af984306

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4487d441d3bc1f4dcbed2ba2fb2cc055

SHA1
312451b7dfbeae8b5d667e8b2baa153e3a8639a6

SHA256
18c4a07dd479526742e7635b53372daa9279bc93f02f649ab6981b8ebf9f7a94

SHA512
9786df31961dc65d38894e9cdde5f8c4ba2a4fd69b125608a7e52544d9e2e5d7b43017aaf5f24114d0145f08db898367eef2d2ebe2b5b819d982fd4f0408a0db

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
7652f26d68db62e13df8b15c1af9c680

SHA1
b118e80465c9cfe3e0cfeb166ce0d683c1c21b3c

SHA256
5e7af78034884493dda9af8634734dc70906908c8e687e3fe9ecbf4fd90759c6

SHA512
79ee3311358f07f44c50de68dbfe77eff60569177da839da74f81b20223428e538e7255143d765e56b8ce3ca40c9a071ee8b1525812440561698bbad60f477f7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
6edde681bf5e77d5a8391b4244e23966

SHA1
9cf925cc15d5a6bc5955e6a4d86fa50f4493965b

SHA256
9fcc7a24170d404a8f22049ed6594ff78ada626541880ece79f6189918a43f30

SHA512
c2e0637757b275c2c09f7296195869cf9cef4a60b7c6389a21ae4045d8b1205524cd1a5eafd2bb45a2bb1554164510b750d49be72221bbd53059f9913d4ac821

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\eed39844-b718-4296-8eab-707b42ded8eb.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
cb3b7620a0c6dc65ee0e00d24be2cc12

SHA1
0803f1631c6fe38541f882ad1cb11dea68f8a96c

SHA256
e2d5fc09e77042a39d9cf11a7cc82c231c46c5a42c609d44332cce8e059e81b5

SHA512
8b55124bee2c1297f9bf3a57778ddbc7117cf71144e3e03c215db25f498ed17508b243a38b48d3447b61e0281965f6de57724ef2faf5672fa647fbd454fca536

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
8f00956604fd261534689e65531ee2b8

SHA1
5500af0328a55c9469915798622c4439ccfbbb01

SHA256
9b217613d14ac606b484b25e35a6c854d80b13741a58e53ba467ad1a39f89aec

SHA512
a9dc57cbecbfdcb62e6bf902cfce6434f0cd2f7807240d197e640f3459d2f77e43ef5e0d2335e89b84152e17f1fb7f8eb4830859bf9d467acda779e901cfd96e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ea9db40354ea65c20b7fc8c94704c22c

SHA1
9877ba292c54a7294a2d2c98e9d204a50f6697a2

SHA256
6ca4eabb6003f2d4e6d27760fcfbef098ea18833a3537530f188e63395db3059

SHA512
c9b6a2cab93875e7d162c605c6c7460549e8b2b1ce7f9ea9b8ee54ebd91c09475462fe719cfb828c830cfd3577723669643b948b95b5a78734f26362c8747ddb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
151771ee516f0182aab0ab32fc529132

SHA1
aee44a8cac6f73d431157da1a238d6d2ba8b56fc

SHA256
7e735369fb3e920401bf61fbd5610a3d99ae0e10faf394ec2aab335f1d03da56

SHA512
2139fbe482b3ec0965762a66a977db957f1b959261106341de41ac685eead9a20db5c39993622b0041b09ed12ed47b96b7086c9a161d5411ebca36bede4c8f04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
477bfac07d2349c226d43235a969639e

SHA1
f39965be32a44a3c01821414322a6275936dd973

SHA256
a2fd695ff9b5c1f40b949749157b93c6b2b49749829fe9c21774d226c77f0ea3

SHA512
64ca85d066909843062d301ba7486e195cb3dc78cc92bba8ca8b66d1378d2bec36e3bd440343de14dd5adc2d4935a2419b7fbec4c1bfabcd077977f2b7cd8e4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
12c626f07211055ccca2742e8bb494c4

SHA1
72fe864f781eac811573a228bd2d830380049ebf

SHA256
52ada4ec3afbaf89def9dc516d42f3d4d8eeebe7e1ad2422e14a778b03f6e584

SHA512
b043c89a04b0e28f37ae57f196b1e5ee7e4ed4a7d4b0850e07eba768439dcea8e8fa2b2525fce395f68cec9ddb813565ba01e826806d313c74e9b9af285c56c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e8e7f202db1768b071fad74162d0d7a8

SHA1
9709e0206ee59bb66a67f0bab14a64eb889d0b40

SHA256
7b4f285b4a38ddc22524d338574dd207f8231846fb8d582b6cae9cc1dc4ae7df

SHA512
f6589d7cbf9e19355f23eaec1e01e58a1ff4fdf5e4d500c603e42a8f048013ddd3789eedd7d2235f339ddbcc05ce08ebc273b01adf54cc4e70abbfa08d2df615

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
df7b364aba51e6bd9284d60c87cfda66

SHA1
7144b064835149030336e61eec6b11760eff8f72

SHA256
fdaf15f681396001778772bc7bd885edee983605a97a2c60e222bce5af8ab6c0

SHA512
6533d97dcb7c945f36123ba936dd986d00d66a362d838d249f3dbba303c529cfae2d9c04003248245a12e6c9bbc058fa59289e1ac5bb9a8d34a6feac20046c67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a4aebb66fa86fad46883bd3004ca21a4

SHA1
0af032ed7eb0844bf7ea18450200b5ba77ac4a90

SHA256
7ef22e9bfea0d589f67c8b9267939cd21b18423dd4b97a280505a9f1204e53ef

SHA512
3ed5aa0f24c49bdee67a4b874e215ac217bf406d8d628cccad8290415ffec249cf8e9584fcfbe014196deea0c403094d353af61e4d8a75d515412acb2f2ff1ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
faead5faf34c117aad6b25aac994fbbe

SHA1
44fa4faa6c01258a47f9b42f74ce5bbd26382e9f

SHA256
2cdab38c17dcf14f639e67d75900f8988e55c7b0b7522490d2830e8c15cdf112

SHA512
946944eb0e019b4ed504fd8297c508a74d243109bd309e1bb5afc6d301c9160c585b52d93d59343e39efb56ecfa79d4ed7b2f1d2b9274f7206c554379e795632

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e4213f77aa6735624a45c0c637740ff9

SHA1
7e4abd86c632c19ef20aa1c2f97d2a44c629a795

SHA256
427692b5169d34d6d0c7959a996dd96c3b6d619800b321aeb875e35e81414f1e

SHA512
bf87574a744e019f88989da6e43d3ae7961efa18e5e719896b8595b682e0524b6cf3662412ce3f3649f32b34c92d31a054325bb4af6d68579adafc8cc131bc43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1c270f7be0319619975237a6bda176fc

SHA1
b303557fad3a1e45f3a5b3669d093d92efbda877

SHA256
a5dc244db012e3f75981d820f83400717d1cf2dc6932f6f8f7f18c0b8f876723

SHA512
71c3cd46ff048196adb6f773faf546e4aef834b79a8688c155d723756508b2afa07480c18623a3c4ea4c8b7b18d194f8005585fe527fefa03f44d51982d7b259

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1ccaf58f85e5c82767bbb2b76af2f6b4

SHA1
0bed824b37e6a44ff1d397a98ea08ab89c48f0ec

SHA256
9760f28ccd4b403857785c3311b19fe7753a1335987f51a0580a593ba2142885

SHA512
43422ae5ecd63428af10b410c1001c09fb78b617eea8a37a8105905fd3951806a9a631acab6628ad3240aeaa5e5e1888df9548f36c4cc6b33f4b973f0678127f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6929e193075fc0b5cb330e008ed5d981

SHA1
6b99244d173344ee31119ee012d8db9a757d50b1

SHA256
9e21968ed51d598eb289a131bc15251de593b64769aafd2eb7a6f2f9fdebdd8b

SHA512
ed39fb951471fd1cb1a33e606829f823395e6e81952852d4843f519aef9e69a94d57d1febabc585d589d025fad71a227e4003a80628d280ae1fc046581b999ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b2a48f6393be0975076c0cec79215d4d

SHA1
575487ed3bb76f833f4db5ade5580113d3027f82

SHA256
57191f93cbcf22582fe187205461fc29965344fb593d9bc72d21e063f652d267

SHA512
4854f5466c0de3c0d688d591d77b4d929f9fb7ac5309bfb534562f8f9d77d0ed0e44e0b4b1bf4888fe52b48c5eae9cf14880645c3b33072258c78c4a3b8f045a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
80386fda60bc087f121654e1863ef59c

SHA1
94632f6e181ab3e0351c49b68513c29de68d940b

SHA256
c8f777876fa96288ab87d280cff9e11650b1ef7178841b87ade10c88259b32b7

SHA512
7fa9ac28886a50073324970ac567b717d81a234afc85b0c1fd54dc92d499ab5f32d6e5198201a73f6a2d16b39f05683adae1a524cc9ecbc32c442e04a003afa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57614a.TMP

Filesize
1KB

MD5
115721e2f85c58cfdb41a3acbad25a98

SHA1
7e177ad3d977e38da3731e6423dc2d6e49a0fe31

SHA256
4c705cba00a15431f11b5c5fef9fc14bad973da6d5be8046e08cf8b7430c3c64

SHA512
9749866c16c46db00f8da0bd79472a6b29cb62159605c6e9c6365186a2f3cac56efbcd872d8fa8307d6605d2bddaebac86ec72e7fb6dbce906a8696186df427b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
71a47a6a24a6ee44ac1334a47261b7b1

SHA1
45a8c943689b887352449ffa03a3ca6213583b0a

SHA256
6d631d89981dd623ee086d705ab5f8aa43d1fb02e498c1701f232c59b0a44d1e

SHA512
b9757eb58afd13fc5a9e862031af41a4960bea4cd27cd1a0edbed8c7db58f8899443d705e6bf4159651da449937d9ce2e1e9396b31625e48b34ce6391b19b5d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
01f49429457a8e274c18ec88e76268ce

SHA1
faacf04e7ecaac9c6efcb21bea2a06a666703d4e

SHA256
1c8e88376f9b45dac436e80150a12f90c8f05d78898c12236f7377e597511c18

SHA512
5d61d0a3d3d7942a1ffd53f7d6f6802611b6ef7a86cb970897dffadae4b39dc94fef5b64f192b110d2099f206f09f747ffe12054b807e3aed1dc4a69bcdef94e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
882c868d218be2652273826bb104fde2

SHA1
bcdef5bcbd93da0f673b214f85dd3c0d242193f0

SHA256
f165b45be8b4a0e2c7947125cc26b4a5786ddc4a24fa342635b88b41d37dcc6f

SHA512
ba82d485fdee11b412426ef5b8d1d944616a6f3fbe9f057f16d1d680378d7e369340ae9926a62dad0f103a6a9f231fba34aebe5e46800b1966eb1a9ec138727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
344c57641d55c0f2c1a6b134be735522

SHA1
f7de1346aea5f63088363f18c7e401425a7169b6

SHA256
f5f9d3004bbe04c1ccdae93f88396c65c196940bb4675d698aefe199cc5ba82f

SHA512
19b24fe7852f24dda5dccd03fcaf3aaa7d9bd4cea9d69749b218a5090aed108767ea6f2f3acf0fb19c3a42da67c1d7837d24e6520403d0e1c0186f61da675f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
820b84d7b9441c62805b01ef94c4fcc5

SHA1
b350389e586762067e7a7223bec2a557d7a1db30

SHA256
f4ab84d2a59eb69fa06b2209d72814ef07f2e6aaa152c2758013a0e76cf8526a

SHA512
401ba50e29b1fe63f3cb19cfca1d97235a953a8b984e8f562d7ff57513d9c3db2442d00ab88e78e0f192b13a212b48b2384cdccab3c45b0e313a2b403de66af2

Download Submit
C:\Users\Admin\AppData\Roaming\5876b409234f82a5.bin

Filesize
12KB

MD5
4b5d7802f9242343dd0b94ad78aaccce

SHA1
ad8ca2cd1fc19133eb6db6985870d7930e27505d

SHA256
3ae4362426f915dc7e3f76dd05a4cdc6dd02fb01dbe4de17c7b3998a20ce7cd8

SHA512
d043e82f1ca09ffb4e5943dea5256c34ba5f8b8d7801e3c163f53143e8f72b90b807850bfbc2802154019c815d294865a530b16c80e38964cd0cd9e7fd26077b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
32dd29eedbf4bc56d4b4863a437e74aa

SHA1
176d1caf5841b78423eeb6b150efb950b52c1e5c

SHA256
8649d3bf1a55a837cf6454819525818715b9c9c492ad1e104dbcbcdd628b5a8d

SHA512
ab3ed7aee49c1c0e6093adc9d2f7e01b80fffc076b911ea4b1e1f06fea06f54900f363b22a8ed6754f100a395b1632371f6c56a53123c6ae98bee25ad6dd2bde

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
caf68a4b4e2a3690090af01c21588eff

SHA1
4b8c568998b03cb634a5b31e2e2defe1b60924fc

SHA256
ebac2c6ff7d88435b2d0ed64027bca54235cee28d3049b6580969156560fa06c

SHA512
84a087227744fd50898f611dc0196fdc8834763ce69fec4f0974cb3138f108c626c89aa83e3b3591dd86e229cecabd615f50a33654cbc68112ac1deb2d51bb85

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
97b890ad96c5c7ad03780979d7ae4b13

SHA1
1aeb7325ece49dd4f2e9c7ac4a6c19dc5a4d7978

SHA256
f6c541fa462e81d16fa188ffe56405a749d7610a2e2f0606b9f47c4cf5ace53e

SHA512
97a371955137be7948a48dbe15818eea1deb8833526c11f4ff378fe647427401cfe011267c6bd0cfb6cf16844f0503933688357bcb2243cefa2a6344d95fa4b6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f883efbbf32554b7e7a975764a34a0a4

SHA1
0bf6b1891de7bef0b737305a3e288755d138f0de

SHA256
b78235bce29bc4beb7afb24fbea3d68eadca6a37b1a074ae29ddc7eec5cb1813

SHA512
7be4628a9415479f68b68847efa4d477a799d264bf45df5350fbcf3e1ae41ea79c02421c617080e9753a9f76cdb619d9a253a665b57f18cc68e807cc18390597

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
7d024bc73f14fff0f09783347b2e6690

SHA1
5b0349a6766de07c2aa92437974d156cf43ed86e

SHA256
75214d0447a16cac65e6a251cab4978a8c4cad1e446f980ca06ff646520c9d0b

SHA512
a2f7983149756a3da8748c9a524d3b7937b9a16b93801a0a05d3a8ca9b42ca2c7f3b8e76f23e940ff651c4e56990a4f0ae20c17e7c7faac0eaea44090b2c29bc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
0b6e57587876c9f7b87b2135e6259871

SHA1
ec51e3379424be5e3bf778f46b20e16a1b469286

SHA256
a49eb5adcf25cdce81a69b7e4b3f9b2fe9e36327272906143413ff66c7a11cab

SHA512
e594bde581251d1c53dd4bf9560fc76af713ab8bf56d5fb9431bdd13b87ac03416f599d533e1a031bb3597857b53790602399a4543d29b5df6196700118ef504

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
5de10c3254a05c5157507dc8c10935ab

SHA1
b423bd593d9e6bf767b5715b253dcaf05bee8dbf

SHA256
c39b97a5c729b9cc8425e46958700336cc54b3a07229892395a36267dee6a81f

SHA512
05d1402049687dce7d87c23b4251bfa231bea0eaa5b9943d6281fecc9e550a1417145b0d8fc8da267b55f6cc5361e47a6a559cdcea4c490a2d5cf354d2d6aacd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9d0df069ea9e0360c906664c1e750910

SHA1
cb99fa1f2eb9fd2fe3f89d797363783856f0c2d5

SHA256
309976aed8374234d8c6f9de8c115fd0bec6bb1e2506ac554adf28ae32176e44

SHA512
7787908dd1c2c98728e36e2dfccfbcbcd416b192ec476390250b42936591dc148c0ceea887350400e6cefe0402ea7cfa60278095a2658a7aab10dd2fe640f8eb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f63b9d05d2c6af7090ef061b1f41c8b2

SHA1
04382fdefb822fb3bfa7392897d4e30d49b22590

SHA256
dedef3bef549d2e4b24044605a885739a10d2ad94d809b7030757e681c6d3014

SHA512
afc2ea5d455e3d2986ea7551fc8e02667718e725b7e0bd187335368976da1878223457509e756952df51ea594e43954941740576089abcd9a6cc17a5e8c60be8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
47fcb637c8bff60e4fc703e050281260

SHA1
2b15cebf0f531b9a33c0381f982a4277781c943c

SHA256
d327cd13133a2fbd328e97f7850b3c1b249a39c9befc4c4dcafa4df3a40e2057

SHA512
d162d1577dbe406d145d3ba712b77f308b97162d2fcdefaa920d410e0ca9a59063d4ce14ffd5bde3a16106c8799e088c17327d12ba6b763ee47defa1df6f6d4e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
804280364cc3fb74d9aeecc5899c200a

SHA1
f095201837ff44544591700a82ec5d3f741867b6

SHA256
c4a3246354ebf9c84c174c91dcd4abc749d65959b3990fb3a12c9ad25827ba05

SHA512
4dc44d89eada7a1fd621abb20d48a1a98053fbd51b082c92c99a42fdd1643cadbc32214497f9d21c50d7beeef40a79fe7088935314e3267f66fd96f989cd8749

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8b78f9121b100c9a3b7ff33be7cef190

SHA1
6b984d0acfbff74dae45bea675bf331c094479ad

SHA256
4d2327d1d99427692a3a4afbd085f70d810fc92dcff9fefc21a324292fe1256a

SHA512
c04986faee9a0cf7fc36e0a3236ea8971ecc309f31279fbf321726da9a3b34e1bec8a929ddebee6f3467af1db57c41e2b1adb65e7e97adf1ac03e3a2d414ae99

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
279024f52085304642818a0bfd9ffc7b

SHA1
85fcc2eb25a10eb7035a1006353ee84dbfdfc6bb

SHA256
ded884f65da49502378852f4aec93a5f021a48d7080b816b5cefe62062ea166a

SHA512
5f393f75ab4e8196aa1098d177ce632a1362e2a5e6184dabffd7b4e237c6ccebccc91ce97935ff37634e3c77ee94fcb9925750246f825bc57a64fb35c0d638b1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
caaa3ba8850ed1600ef09c008c5b1213

SHA1
c29ac24d1febaebc2eacfeb2a02e9737fe03353c

SHA256
fe7b801f4855d5c01853e481292d8f8b8843cdb3f4ba852ca4a5a6d2e30b6a2c

SHA512
e37a2f762c8ad64e4b7a4138fad1d4221c72bf3957274a52da509b85ac6370fc19908e71a6dac9defec8ef7cc2800b31439b7c3b3188c9b30612b2035cf787a4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
8405c1a93cad635607ea81d67f6e2693

SHA1
d2a8657e1ef5ad85c69f5daa25b99df2fc9aff1a

SHA256
aa3c47dedcd0b7fa9f95d17d3d5393c7a0419b8cd2177de56407e6bc3d91c8a4

SHA512
e6d16cbd3e5bccdb5f46e24d70fe4862dc2c4982dd3c20e3093ae61fa3235e550d0ac7d7028cfcf991cf63905e6ec365e50cfbd1529a15436ec1bf4213b47218

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
74a57725009bf459d83c8e32beaac476

SHA1
cc6531415d284db3160eb829d72069655799fb61

SHA256
22f0f1b8e4310ded181821e225a2b3bfaf656f60bf90580eeff08a8faa65cf71

SHA512
cb2e6b51e4bbd5513700d98bf96d7baa4947ef6ceb05311dc716e3e74f908b9ef615c4a6c56a02ed04c35eca93ecc76852e2713203a1ca5af1e28ffe32d5b816

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
884390e3b5f96b942fd727b0f98396b9

SHA1
315ec47a9e33abf4e27bdc158d90e8dcc2d82fb8

SHA256
19fc2f4353f001b24131eb95cd12551e9eba4f17aa0ca0b0d585a5a28c1f156d

SHA512
c335f94516b17a209c4351add054bd45c8197628046a5b9754790ad88ab5e1a44a79de4a6d391e4eca62e501f3fd095ff72566ed94b7ec902a485d3a1d2b221e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7273e2d58e4b7e7143655cc708e0ee7c

SHA1
56aea3f2c6ef76630bd482fa9b403e3a16c36595

SHA256
6e971c7bc846358efc1b6152bfc1515bc32d2cffdee8e0842d6441368a51ee74

SHA512
ffc84ecdac41e2a10211e59ba709d0d35601dd0b92c28ba15949330e5bddb708fd6076db843201ba56a76677e84059d96ef015040e6cf8a30d5aaee14efa660b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
96570c57f9f09c68e6657f55278fae04

SHA1
f4df8b2e5f5dcd6067cd0eb26ef077bc6ce15f55

SHA256
9badfe706af815c320d9f4db0f5fe5f2d37d2cfc0531a7dd579370ec6f25911d

SHA512
8fad5320976c42d2110dc036ff2296f80ccdda5424683b256902512f6ed205fae72f33706799ba83eec0bd95ba27ac8c0ba8adb6832c0f23156ff8e0bb505eed

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
04ee9686d4e6b5d7c7628d13c5f7ab24

SHA1
a1af4d98306fac29cf30f4e1b16f3c4e25892ad1

SHA256
7ab7d998cf42c80f1d45a9ef12b6c4b26ed3c9058120f41a4c8744051d5af569

SHA512
534f7b22e039517456dd5e0cd2ae240cf708dad02af01640d32214e09961f05d419d647304cfe760096a6fadeebf610b3aabcc7f35c9f35fd2002d7a43a4d3b7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
6e3b1729700155d0357c4c6ebe7065b7

SHA1
5945964e478e30f9f57a34155622f89a1e4fd775

SHA256
41a30c21f60473404ac9390b7ac458edb41f5e27983c43cdaec1829f029aac42

SHA512
f5b724ad586aac325bc5b6ed990c2cdae5afca31b21978c7132f2b7b7ebcaa558a6c115f4d39a856aafea5d87f7fbf1d443d6b6079292c086293994f24ea79dc

Download Submit
memory/448-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/448-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1088-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1088-44-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1088-43-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1148-143-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1148-119-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/1220-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1220-512-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1528-105-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1624-56-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1624-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1624-133-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1732-87-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1732-92-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1732-89-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1732-85-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1732-79-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2436-206-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2512-204-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2892-653-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2892-114-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2892-108-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2892-107-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2988-149-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3104-213-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3104-658-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3332-205-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3608-423-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3608-30-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3624-210-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3688-0-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3688-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3688-28-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3688-6-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4232-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4232-74-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4232-460-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4232-76-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4244-203-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4244-12-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/4244-17-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/4244-25-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4372-654-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4372-142-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4396-657-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4396-212-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4800-211-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4944-179-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4992-208-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5112-209-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5540-485-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5540-427-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5684-437-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5684-668-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5768-474-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5768-449-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5840-669-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5840-461-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download