4abb15c0f226dc9a84e6992401b488edadde0f6c5c68be0152920aebe245f707

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
Size

5.5MB
MD5

f3ee953ead19323272fc752eb5ae2df3
SHA1

0b66e401a2ee978cf2d89f0dd091d089529f992a
SHA256

4abb15c0f226dc9a84e6992401b488edadde0f6c5c68be0152920aebe245f707
SHA512

d550f35b7b733080b281a4bfae871e6964bfd5cf75dac23d7ae66f7b7fa0458c69e9a31dccd82bd37e6c112fcf98c3650e3738f5817ee227861c87c0978bcd81
SSDEEP

49152:fEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfa:bAI5pAdVJn9tbnR1VgBVmVTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2320	alg.exe
4080	DiagnosticsHub.StandardCollector.Service.exe
3168	fxssvc.exe
2440	elevation_service.exe
3140	elevation_service.exe
4384	maintenanceservice.exe
2196	msdtc.exe
4384	OSE.EXE
2548	PerceptionSimulationService.exe
5208	perfhost.exe
5356	locator.exe
5472	SensorDataService.exe
5580	snmptrap.exe
5684	spectrum.exe
5816	ssh-agent.exe
5980	TieringEngineService.exe
6104	AgentService.exe
4688	vds.exe
5400	vssvc.exe
2520	wbengine.exe
5896	WmiApSrv.exe
5324	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\24cb45b3b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054fcafca06b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aafcceca06b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000710f02cd06b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfe276cd06b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be3651cc06b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000caddd3cd06b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622577472449798"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009cf24cb06b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
6904	chrome.exe
6904	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3452	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
Token: SeTakeOwnershipPrivilege	5048	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
Token: SeAuditPrivilege	3168	fxssvc.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeRestorePrivilege	5980	TieringEngineService.exe
Token: SeManageVolumePrivilege	5980	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	6104	AgentService.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeBackupPrivilege	5400	vssvc.exe
Token: SeRestorePrivilege	5400	vssvc.exe
Token: SeAuditPrivilege	5400	vssvc.exe
Token: SeBackupPrivilege	2520	wbengine.exe
Token: SeRestorePrivilege	2520	wbengine.exe
Token: SeSecurityPrivilege	2520	wbengine.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: 33	5324	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5324	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 5048	3452	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe	91
PID 3452 wrote to memory of 5048	3452	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe	91
PID 3452 wrote to memory of 4364	3452	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe	92
PID 3452 wrote to memory of 4364	3452	2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe	92
PID 4364 wrote to memory of 1288	4364	chrome.exe	93
PID 4364 wrote to memory of 1288	4364	chrome.exe	93
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 4468	4364	chrome.exe	101
PID 4364 wrote to memory of 1664	4364	chrome.exe	102
PID 4364 wrote to memory of 1664	4364	chrome.exe	102
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103
PID 4364 wrote to memory of 1160	4364	chrome.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-07_f3ee953ead19323272fc752eb5ae2df3_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff987d79758,0x7ff987d79768,0x7ff987d79778
    3⤵
    PID:1288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:2
    3⤵
    PID:4468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:8
    3⤵
    PID:1664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:8
    3⤵
    PID:1160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:1
    3⤵
    PID:3856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3240 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:1
    3⤵
    PID:3836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:8
    3⤵
    PID:4828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4768 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:1
    3⤵
    PID:4980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4924 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:8
    3⤵
    PID:5176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5036 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:8
    3⤵
    PID:5196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:8
    3⤵
    PID:5492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4592 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:8
    3⤵
    PID:3536
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:1948
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6acd27688,0x7ff6acd27698,0x7ff6acd276a8
      4⤵
      PID:6104
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5280
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6acd27688,0x7ff6acd27698,0x7ff6acd276a8
        5⤵
        
        PID:4776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:8
    3⤵
    PID:5284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:8
    3⤵
    PID:5748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5104 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:8
    3⤵
    PID:6140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5488 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:8
    3⤵
    PID:5644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1804 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:1
    3⤵
    PID:6932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2316 --field-trial-handle=1876,i,5392953853567165811,9342056565706384478,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6904

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2320

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4360

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3140

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2196

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5208

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5356

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5472

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5580

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5684

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5956

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5980

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6104

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5400

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5896

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5324
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5976
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:6256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
10b2d4cb7d475c5643506b0697629915

SHA1
536a7b530b4f3c1706bbfa5094931060d67584e0

SHA256
1e789c4a20307a004ea8f80eb76257d361c0de649421123f371ef9ffe27502ff

SHA512
2a2de50fb972ac1bb263bb8294b56974a191b9ecc552b05a9f4313ac6fee7246bdcd9c96da76ee311c8963f87fb87b619194f4d004f2b6f60e5427d7c838070c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
91f46154abdd96c08f60676a2f59e3ee

SHA1
a35021e70ce91cb3fa80a7a5f621f3f7c6e202c5

SHA256
858bc68be3dea48a717bd451c756d24de36af0514ac3f7937f71fdd196f36b5f

SHA512
25b49af7d63008c456d9ee1523ef5c0e704d4aeb58826c2fc3347cd152ae01d4dc3a913057b9ed7f21b79ad773197820397ecc9cf4cd171d3faec61c1ac224e4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9dc291db1850b21a80f4d833bd443974

SHA1
c3b599f9ab147992c0d5498e9af541c77ef1d585

SHA256
63481a02be1a0e13c887f227a8a2aa9b10a3e6bb4da03983382aa96cdb99e3ba

SHA512
726c93054eda5be32c5bbc836fcb16832505fa57d184c044bf3e340f5665ee6e450852c50be3ed68b12fb43b331f8f2d00278f5b26177226bb2989efea2ae1f7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b9468274c5962e792a71210c7f74cd5a

SHA1
f9dfd09d7d5f5f8cad744ab07ffb5789231cf294

SHA256
3bf1cee1c7b3d6b081973300b9a01e4bdd06f869b232d3d8c3f9ac9471bbf7f9

SHA512
be79f9747246f0f771f6771b3b9c78cbda6ebed2439ea3b1debddd6d517913e9691475627ba355ef2767354993693750cfb4bfb07275a238c007b01047c4be9d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\fbfcb217-498e-49ca-b433-4712707fcaea.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2bc4ca1c9d67c75e3a87e2756432ea04

SHA1
121be054eeb4109e007629a3413a45c63b31e7be

SHA256
afef3e50f2a940e93b0bf2af2e007b515e40d433cea132e839e310fe92e8e84d

SHA512
fac5e44288bd3dcbdeefeeff1f4ce3d38f66450b90c81a443f93da8d9faf9e5cc3c533507db73e59974693496a2f632e40783a224aeb8b974a418fd5d37544eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
1f835aee366c785761a2985533910904

SHA1
49428f41eba070397412884d7b77b2765b4c707f

SHA256
2eb30a574238c7e16e0c7a1daf15401efa5b06ea2040eb1b06c99d33164308a4

SHA512
483aa0badb820f9a4ff1015eab565146e9879db78bc07bcb6c934d0f0e7a1155c3098b3aa9faaeb0072a15d69d8fdd842495500a18360c5d81f9ef7fe0229ffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
562891c419d65f098434ff62b8a4b8a4

SHA1
449e49858a80fae66a23ed86acd897bdfc04938d

SHA256
5a33c2dda7a6eff8128c2c137be737dbb9dab3218061f9356d3e4eb7ac96d192

SHA512
d3809a839cff3c1de153f685807d8abc35f3e78f7e53a57d38292ea58387037741d8bc762eeb9ca03ba7be5e204a6e2bd6e7ff1f1f12b198389c955722ad3e9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
afec7086279ea65df0b86f12b4b61210

SHA1
39feeb0c84413891d4a461c569c1eb00e9e4847c

SHA256
3bbc60a8dfd621d9d39d4b4b4af772d119ffc4c78616fc0c9bffc86ecd750b90

SHA512
cc468992a9ee26483519d0142c5a2a9fe216e56b22027bced4a10f21e6c0e21da8520a9db4cb6fb28bf4129909e9294dacd7669ac3215fff9243d3b9c61dec2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c97159a56f0e801bc16ead5cd2de172a

SHA1
f9a62944468d47397af039d50ce03828f5f516ff

SHA256
843888b78bd93db805a041140b4e66515db8480e14a4f55fb1f28b1d343bb543

SHA512
9a0f971cba0331a0de5aaac975cf2b1999bcb9554736604514dc4ac0a2ab85e006068497b7e28fdd77c1300703e54cbfeaba5c7f5608ef5228c38ee03cfd62a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
74ab7b2629f578abe1e20b45dda0cee3

SHA1
e0b7b54093f7e81b534a8ad9865907afaae7cdc4

SHA256
f2d22a216b71a899d5441019d30e161c4bdf71d00100d2137531a9cd8b03cb8e

SHA512
69235320317e575e80b4597fd53fd7b5163e9ae0acd70608c0c47c496f5364acd7ff77fd58978186a9b494ce1291467b595409cbee4d3ffadb5c68e075a6c424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe583a45.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
b856d61eb71d5f655d2ff599912e85b7

SHA1
e217d52d333be09cf0705414a36ebd18fd6c2610

SHA256
82f61007826a8fbe6d88a9a247f773e3204edb8414e28943d84f25963544123b

SHA512
d04e1abf01157f36d45e5a297aee9a74a7702308364c34bc1d2b03995923022b6910acac23af28d77548806037499458199943c528da00367caae235c1d2e24a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
185a08de2e84d91c61de51b853fbe60b

SHA1
86a25111e21621e921f9956eb833c0a0b91950e3

SHA256
ea57d4b714024119031a08546ba056044756b34e2929acab80607fa6696557c1

SHA512
516157bfda85a6bf48dee7bec385d560b8fbc3695e426c2872e98d8638c1dcbb6878e9e1c393910cdf4cfc6b0dbc3ebb4521150963c9f96dafe66a100ada8b63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
511068e72285795e79917b214bcb4278

SHA1
a4c063f521ddf4e16b2f94ec9245f0c3bd9a2ea6

SHA256
7360aa5ec8bd00c6b5bb5b44ca0c0a6818cc300d9f1be924921cdc16ea8e57cd

SHA512
7ba84c1f58409c67dd29807f6bd7cc161e86e92025b39cb512bd0f428493a45886ecedfe70134fa28398de232f250b5bec19eb093e8d0a2fb8a4705ddbb3ec32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
994dfbc9c0db6b43afff7cd4cb7508ce

SHA1
e86ccfa203373fc491879e133f5b45ddb0135b4c

SHA256
5e930f115cd00ac349b75626d3acec54cea2e44813c1ed89eca9aa48a79a32a2

SHA512
6e53492382a8e05a85147ad151ae856cb6960e3460873e1e1b8d4d8a7d066de9bf584825e0f630f7ed282a763b8ed253f4100adcc1b9da278b8bc25b519bcb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
581ddc3d71abc17539533adf06a7b63b

SHA1
e09b8f950dc57e642cd6fc269cd67c6bc245550f

SHA256
56cdfe665b21e4d44cac9f7f0ee990d692c53992bde1a0f57cdab7327c683f38

SHA512
b5976cbd3d98bc09f286b009e1c674c914977baefedca9bd3447afb454c234aa2a88fd383f6508bc36957873189ba5cebd6386dc895843cb1d3398ed666ca800

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4364_97460009\0be096e9-9796-4bba-b981-21306f81723e.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4364_97460009\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\24cb45b3b3e2edcd.bin

Filesize
12KB

MD5
f85276b0701169000d57570d375a1cfa

SHA1
607c63ca7860251b61095528b0fff6276e76991b

SHA256
b0e375685afb75b781130d87191807c730ef0fedb236c156d18c39e81e75a837

SHA512
9188ef2c5493881f00362f81f2eb913bd6bbab3beb93c3ffbe949e91337a312c2890ccfc7add7a2f737884d51dbf043c79f92d807c0207ddefc800e4ed6dc9b2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0423f781ed9345f91c454a6e4e5da54c

SHA1
3cf2f962c772f86e87155fb557712250477ee5ca

SHA256
be021a3b8fa176669a94c1693c3781b264fd113ea81487b41f8c26306254b3a4

SHA512
0ab95ed066440a598ca3ded68b547630f096b823be9e7a691541b65178946cde47a9dd63e587f6b97033bdd775330efb94fd3f018318a77cbf3f1143f2bfb57b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4678a33397e74ac1ad6be08e46facf1f

SHA1
1ab812903e12e4531375c092ca478bc762762d5e

SHA256
fd8076b6bad7762b619da658b5de1e10582e6362037d98e0bf2b4857686b5373

SHA512
94b45a81eaf67eb86ad9e29ad9473fb78a22b721cb46cce86f6ed641aa68fd10c5351c645ed46d67abc461acd6ded74df5066f573fa76e9ce52a223dd07cc7a9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
936c1f714406b9142ed42998a4ce46e4

SHA1
4bbd55548eb5b506a342e5a7280cdc6c4a832fb4

SHA256
b387ad5c0d539ba60e1dc54bc9cbd2f7117d68af5472936ed0dc56610db2ab31

SHA512
08e96a2400b3214295afa3f483f03132fef699a9b7bf70b06b4d15f9e72ae00eb81c919f57e38dad127dcc67fe1ddb334d4b365483981b8c11568017ac82b1ac

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
68703b16f7d07f18db2788c0345c57ec

SHA1
520e9847ce069aa2a2a571e08414c158b7b38231

SHA256
4f900d8737ba86ae8faa0d209a5f1345d4cac1c92d46cafc8cc22d3a6402ba93

SHA512
96e709bac8d1f1a2ffb55ffc6498b6958900957a5b19604933fdd44ebe76811252dcd7124d3a995f5187c5a11a7d83faa85297c13bb81dd92836d6cbc8c641d8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8bb67c5889bad3a0e921f76ecc74961d

SHA1
fa8d990b1a6b550f619de1f6ffe70f6f29570bc7

SHA256
1273397c47ae2c7daf4f9fc8daf2a64043777399513aecb88cb725db14cfe8ad

SHA512
2e937adec8ed3176a283ec3c63d0fc70a7fe521a73cf32a8cbd2c51c95d661dd5dff8f8f02e52a416b56d30255ac3910407af46ceb807ad8b7007217f1ed6a19

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2083f6ee23b3d4f88180c2a7c1faee01

SHA1
7599c7af3b99f1c99e6ce8700d5ceaf6e69d0e62

SHA256
dbe37008f970811369e58c071de611e12301809701747e4c6abd39acabf6dc95

SHA512
fac14ea978dff8d0ba9c60a1f3ff09d9f3cdc7ea623cd3cabd0de7b2c71b708e8e9db1b2ceeec78e81fdc3a4551926bb0c76fbbc343bddb52f748a6d2a833b23

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b95b1ef26939076831bb15ff768fb268

SHA1
748da24471bec158010a7e0917ed360bcc847f58

SHA256
4b7f039840297a07789d205569e23e504236a2e20d6900e3c679dd48b92c71c2

SHA512
2c496bd969063446cabb44f790934c316fcfec650098df7727476cf49662ddb5566bf1cfb7a3eb6ffa2c6d8a616bde163bba97387c9cee0c1c7ae14838302e05

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
573fb899f0bfbb76143864820942edc1

SHA1
055ea52d52f0c263448f993f48d95c34a72c1dfc

SHA256
c5ac006d9bea3a45207cab892b7902f27cd88055c4e344d983dbe513aadd0b36

SHA512
ee1740c041e6714f676a47cd9d75c3fe9869cad579abd52d122b3176c69b4755b586d86312ece0aa41fdc00359d1d486ff5f3a051cd2602012a221e31fd71c92

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
692a0f71d8bc353d6ad9f3a02e8b6d22

SHA1
3e55adcd1d0b9fc1a77bec5a2dc2c0e413e672ce

SHA256
12e6b1b579cb8bfc111f729aee28c92e56550d54f9ba6c33da8f15817dcc1887

SHA512
f0cafbfdd698356319638824363eb4ff45125ecc553f43caa991e7c6a7d7b8175ae832852c28987bce50576876d804b700d51ae779da866a0d4fd11bb4556bd5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dd51f83826706c84717cb0c69176009c

SHA1
ea3cb964e1a43b7f066c97ae71dd04b099a19c40

SHA256
a0a4a62209816e6dfed90db3ac66fde7894dbed0e738e79608f11f938ceca049

SHA512
90ac36329f6838efd09bf2b493de8ad451174f03e46703860c6a278c9cb27b5128b404d6f8e96a33dc412dd5549730ebbddfd66b9ee6a1401430df034c0c63c7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9c7f6c2779b6559b8ed0fd046b94d5c7

SHA1
39ad80a47438420bcb9103021af5379ab877f10e

SHA256
44f1db1aaedf3af3d6fbd4c38a9496e04a0adf6bb74b8fbe2fdb1d1847e892bf

SHA512
f0db1f2cae14f33f40cb612c4dbda3fa879c0ef24d4d41a7c6f680990b4bacc05ac089f0ccf0ba660a52ebdfe337b26ae7c4550b9ac06b204bc23677792c6218

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0f213040a6c7c5d96c764135173f55f1

SHA1
2abe3af38fe335f0ea7df329912a1674cf60b105

SHA256
79f8a014d601b5524c4bc4eb42924d54a9fda799dd1ff331c61ac207ab19276f

SHA512
d1e5ad9ebdffcfd21c2cb770a2f1ee437e0832f66acea8413241c9fefb0b0cb72d6309c4a90571091d23d328eda60a1c2ad0e8ac6ff896da8acb50248138e930

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9849b90138c09bcbd6b90e42d7387689

SHA1
edd334509316dbe5a18cf2d7973029d990d02ef1

SHA256
205cd014f6847e1352fd4fed0983d539d9819301153aa12047793f7f60a0fc0a

SHA512
4b7bc7484c407be6b547a7a58f049bd60a7d68ca1280409f5e66fdec67bba2c23c9acdd60a83a7a38e5322ff7095dc1f504ad1187df818fb1d2459adf4e8f5d2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
72da7c1a122e2faee5283e2fe6f133f1

SHA1
f1ad3c3943f983707dff055366c20c6b9245f463

SHA256
be4c62ebc31f59cfd84f3b5e76a70c08e5924c4b224dd5d96417582b32e5e7c6

SHA512
99c144ab0f9c1bfeadcb681f306a4cc2c76acdd9de39dbb820ea2dc1459c88d5658ac6ff3c35b1c25f0ee7e23d4128aee15bdc29c92d8d521f81051e2242aa53

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c04842a2488d743c6fc817a17c6ac64d

SHA1
da2297579c28ef2d7f7a3aa9bf9cc6dd8b7e47c4

SHA256
b9e1fb4ff86c4dcd620771835976c4bd06d9f9d483fa7e321d3c2b2bfd26cb99

SHA512
fb74520f05e53e21ce55733d4306f3086c46e8a71b6dffb015c405e28d956c13cce634722efa88edcf02ab1410e1a0d1a96cc4cc3fdb45c1b3a7f87bbff291d3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ae9c72981c5445eb7e9c78a9e0ef0f7f

SHA1
97807f9f3244087c038f4b60de97d5a1ee84ca44

SHA256
572e6959c64d32b04e7aa8e67651adf461f03209319a8a6a70cca1bc6f41ffa9

SHA512
a0318ff9bb62bcec2e9b877c82958fb00fad8c8c58901ac16538b2605727afbc5249319bd8d1f94bd45a864748fb2b356c8480733a141257b9b198de93e4bb49

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6487c5e0b25734c1fd6e1e1e82e45013

SHA1
796d0add5b67d880d895cb395bda7226c6d2dcf6

SHA256
a84793f4707934cb66ee274ec2a3dc234f34f088fc0bd23c1cb809cd2418931e

SHA512
96397e9ed38fc6e82d69371bc8c0f19020541024c758278f08fbe53117f0dad43950ac0eaf14055f3e481d70bad371a2b6553791958995c1f57af447409c37ae

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9564ea17b38dca01a0c3d3580f534375

SHA1
b5fd4b6ec7f8d85058095d8c18c0f4bedbbf87d4

SHA256
80256fff7efa0bb51720f72f26d57f79c34f77d5555368220e9a099a5fb490cd

SHA512
304874563036705b0521ee4aeb588dbbebb0339d01746f0d427cba487360c836d3f31a74b575526388f061221387b8e77a66721ec291bea51b99746e50e6f73d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
memory/2196-124-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2196-249-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2320-37-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2320-168-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2320-28-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2320-38-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2440-75-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2440-127-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2440-69-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2440-77-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2520-846-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2520-299-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2548-155-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2548-278-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3140-91-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3140-83-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3140-226-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3140-89-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3168-78-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/3168-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3168-65-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/3168-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3168-59-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/3452-36-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3452-21-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3452-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3452-14-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3452-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4080-44-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4080-174-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4080-53-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4080-45-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4384-121-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4384-107-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4384-264-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4384-116-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4384-148-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4688-265-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4688-826-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5048-10-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/5048-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5048-147-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5048-17-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/5208-290-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5208-169-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5324-358-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5324-982-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5356-304-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5356-175-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5400-833-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5400-279-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5472-348-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5472-565-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5472-197-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5580-518-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5580-203-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5684-588-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5684-222-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5816-637-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5816-227-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5896-305-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5896-979-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5980-238-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5980-782-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/6104-258-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6104-262-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download