6392ea6f83f973297e6f045c085d9ba1aa46e13085efbc5219e998142c29d790

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
Size

5.5MB
MD5

52f65d43bc0facdc9dbdc6c6680fad69
SHA1

37e6906b2dc9d480ebe9cf6c4476753b13d221ea
SHA256

6392ea6f83f973297e6f045c085d9ba1aa46e13085efbc5219e998142c29d790
SHA512

3e62a8d97895c051f20d5e854b64eab9157c64cfb28e98baff45a320e8748f5cbaa1cd822494ab4806fed27b5f1737014fbbc3451f9d02d05575109a2ce80b2e
SSDEEP

49152:LEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1cn9tJEUxDG0BYYrLA50IHLGfP:XAI5pAdVen9tbnR1VgBVmmiBSTZL+ld

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
2204	DiagnosticsHub.StandardCollector.Service.exe
788	fxssvc.exe
1740	elevation_service.exe
4696	elevation_service.exe
3792	maintenanceservice.exe
2216	msdtc.exe
4140	OSE.EXE
5140	PerceptionSimulationService.exe
5280	perfhost.exe
5396	locator.exe
5468	SensorDataService.exe
5704	snmptrap.exe
5800	spectrum.exe
5968	ssh-agent.exe
5184	TieringEngineService.exe
5360	AgentService.exe
5524	vds.exe
6076	vssvc.exe
5752	wbengine.exe
436	WmiApSrv.exe
4976	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\733ee14ab3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f09a44fe7b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096f8ac4de7b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c64dc64ee7b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005761f84ee7b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623541502835132"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a35a84de7b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2180	chrome.exe
2180	chrome.exe
6436	chrome.exe
6436	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3076	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
Token: SeTakeOwnershipPrivilege	2992	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeAuditPrivilege	788	fxssvc.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeRestorePrivilege	5184	TieringEngineService.exe
Token: SeManageVolumePrivilege	5184	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5360	AgentService.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeBackupPrivilege	6076	vssvc.exe
Token: SeRestorePrivilege	6076	vssvc.exe
Token: SeAuditPrivilege	6076	vssvc.exe
Token: SeBackupPrivilege	5752	wbengine.exe
Token: SeRestorePrivilege	5752	wbengine.exe
Token: SeSecurityPrivilege	5752	wbengine.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: 33	4976	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 2992	3076	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe	91
PID 3076 wrote to memory of 2992	3076	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe	91
PID 3076 wrote to memory of 2180	3076	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe	92
PID 3076 wrote to memory of 2180	3076	2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe	92
PID 2180 wrote to memory of 564	2180	chrome.exe	93
PID 2180 wrote to memory of 564	2180	chrome.exe	93
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 3024	2180	chrome.exe	97
PID 2180 wrote to memory of 4268	2180	chrome.exe	98
PID 2180 wrote to memory of 4268	2180	chrome.exe	98
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100
PID 2180 wrote to memory of 440	2180	chrome.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_52f65d43bc0facdc9dbdc6c6680fad69_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e6ac9758,0x7ff9e6ac9768,0x7ff9e6ac9778
    3⤵
    PID:564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:2
    3⤵
    PID:3024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:8
    3⤵
    PID:4268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:8
    3⤵
    PID:440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3200 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:1
    3⤵
    PID:3000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3340 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:1
    3⤵
    PID:2528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:8
    3⤵
    PID:2960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4812 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:1
    3⤵
    PID:2176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3732 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:8
    3⤵
    PID:3912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4964 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:8
    3⤵
    PID:4836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:8
    3⤵
    PID:5904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:8
    3⤵
    PID:6060
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:4820
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x1e4,0x244,0x7ff7ab927688,0x7ff7ab927698,0x7ff7ab9276a8
      4⤵
      PID:5428
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5532
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7ab927688,0x7ff7ab927698,0x7ff7ab9276a8
        5⤵
        
        PID:5388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:8
    3⤵
    PID:5736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:8
    3⤵
    PID:5856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5368 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:8
    3⤵
    PID:6068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5520 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:8
    3⤵
    PID:5200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4616 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:1
    3⤵
    PID:6840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2884 --field-trial-handle=1840,i,10005220481150734189,13907752664495582631,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6436

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4396

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4696

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3792

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2216

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5140

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5280

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5396

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5704

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5800

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4420

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5184

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5360

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5752

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:436

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4976
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5732
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 908 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3732 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:6580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
ca037b0684a3d90bda7f31f19355f36e

SHA1
a849c3cd0990cbf7368c7fdba99275d196ce5314

SHA256
7a565ab635a876a80ee207ee4834b014b43e90c9b705834f461f772abf864ac1

SHA512
32dcc761147b240232b6a34737ef1470c6a27b656d1a5794f178caa6a93378ad196e2eb30766938ddfa9e241d96b8d6e7f75547b43dfab3a863fdfd521d9953d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.2MB

MD5
ebe8e714411589bb9566d83d77ad9ced

SHA1
3a92b22db8ee8a3bbc782d78bac75d8f796f817e

SHA256
cc9e914a6c448bf0e742dd5e334bf5846bd85486d02b8e26e5c0098a9414434a

SHA512
8ae062aef35b4b03118078100b6e420be0c39322261a0e072aebcae4b17af2a49b5a3ca4d5c8225c62200a0707c6bf44405736bf01037370fcd5a01c32bcacaf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
448KB

MD5
11d3453076b2a23c61327a3dfc924b01

SHA1
053de8ad0eefc262ecfe19332d82e97b3edd830b

SHA256
ee638cf3168b1149e80722ecfc958dc235642e3603fd4d2e424920bbec5df2fe

SHA512
e6a57f06ee84a4ad0600ec14164291ff8bddab5c0bad8214425be578a247871be7e21fb82a0222a270f925a0b60bb2e84ebc7f1aeadb3110fa47124e1bfac54f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
1013aceb3ea6336d41bc21c0f2afbb47

SHA1
96866fa1cd242ed054a145f9e59e842083d9999a

SHA256
a3c6f7411393f2733c29c1e0ec699e744f7ab4b56cf49bdc14c03eb92740ec7f

SHA512
c7c8af827c3abec4c6137359e8883e13e5df9a5a78028f3b0e864970a8823dcf277bf35c4cf47ff2891fb7dc67df48b41c121fa6d784b39ba762cfbca78dc12d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d0c0a4bb802f1140794a1fb13b0be74e

SHA1
ec9860a347166e7068e468f190941118af715d29

SHA256
96d31a799e3e6f76b925cbf771122c8acd83c41d890dbbe5f79233fef9b13353

SHA512
6ae7cc94b5ed893777d3c4c56cf5e6a0de0ef4a8371f8675f4b9ead929d5f8e61f0ce6b26950cda74e0d60d6f34125b201f2ccfdb6dc0fc73c6e6e19c8a501b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
85cfc13b6779a099d53221876df3b9e0

SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed

SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3

SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ed1b5b7fd33bd0d934169f01480b39da

SHA1
f97acfc2cec3378ce22e1e88cbd1d5a5c552c1e7

SHA256
82d63d7e7a9ae82074bda1d77d1877f6418d25e00e865cdc1abe4d94cd16c0e8

SHA512
6932401c414f005cc252306d166fab98c26d10c59697256945ca481fbf5cb3931ec046fa7a711a63eade48d47aaf6fa12ee932b820fb157f61a647218a42f5b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
6e29cc30120a640985cedc7d0a92355f

SHA1
e1b6a957c6dbb9888eed705e245797414e819d18

SHA256
094a784e03b7c5c2c2bc655f3ad2a12fd9da0a83a7ef75e068f6de85268d3f14

SHA512
7f6971179516e26b6d237e0e74f0cf79ef8a2fbcdc46fe595943c89bdac09734429c581a48fc7b30acc9b7741c1542d2c9eae36a9fcd9c8266973562b5b0b45e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
083ef6d08a2c4e2c7b388676dd231821

SHA1
a37d9186ee3e08ec5afdddee1cdf15bc6efb40c3

SHA256
1e4e877c9d144d2237c7582c976dfbd24981bec1fa3f14f9fc6c164b8ccd52c8

SHA512
da64ae0b45d7b3fca2fa57467712b72ed2aecf69bee89f45bafd757a762a69e2e75a4b790489b3ecf6d981ecbf96dd551698d7d6716f23d7bd817d56614ec93e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a9faed15a0c670cc949a7c29a572da52

SHA1
9cc5729c16627bbb031c727f00f3d2a1c68cd0f8

SHA256
119602459116595cc86862affd968d50aba05d5fcb561188739f704e54ac59c3

SHA512
4e3c6659d5bedc9827f44c6c8ef2b82128ee66366448b00f259b17061c9c9581252aaba4da87610e0cff287cf5f9412b48a569e7ed78946ec171008454969658

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
1cf69ecc44b75d60b28fd3aa02f1d9ea

SHA1
c4918736748de05a8bf1f5facd86cba0e9c5c988

SHA256
1cef83f7f50a30a7dc82361909c56590e1c447fe102e1c0c7618e7192456eeca

SHA512
b717f378bae4e6ebd949a80b2c1a9007650a0bda6bb81229bbff12603178a9f7952ae0d57423880500742a0ce722b7ebe53c486144d6b6b326f19b314f37d697

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
cfde8de4a193d03ebb1dbe05eea99850

SHA1
dfbcf67319d1eb0e53274f3c2d066116e73815d5

SHA256
6673836b6c8d3599769cdd9ba7e61c2203fce9ac21d4f404a1474a6ae235b12e

SHA512
85043dfe6a2591fcdb75a9c52e1a816af5f6c30e959b0485c1d9ed2323d66a20acc3f37ec0c81965d5315f7908ad47d497ec9473ec61ea2c6f834f22bd73f8d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5830ee.TMP

Filesize
2KB

MD5
04695aadffdaf28b5be826d27d48721a

SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4

SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51

SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
c4a2e4a8e3815e54c1c74c4dafe95f1b

SHA1
92407b2b83dcc6b8b8212fc71d4a4069e63bf161

SHA256
d906fc89f7538531d83c6a5aa074a9103a7b3247e06d847b5a1baacb08cdb9b6

SHA512
0e46f1d394504f1a2ac0fc181c6446e487af95b8a4bc26ce557c20dda3260ab3bedd1092924f0d8306ce0301e89b0f99c9df7f7464f6038486155597fbbe29b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
b483a5eb5ddb2d435e08cbb0c14d3f13

SHA1
490e28a7dc609e3c4691a07ce5069b3c4dc0a46c

SHA256
4c202bb0bf608d3302c752a4e1748803ffe3c06952bf9dfbedb9d180bf9ee8b0

SHA512
277a01dc65952c42f01638fc73316bf3752849e7e642977430ccfb13e7c930d1215d512d1218796cd09b8ee6df450930071865050917b1d7aff5ace3179dab8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
9b8d6fc4cd2218db82e0df19cbb16fb4

SHA1
1a4b85b80b9a640c8f43124b3148f1cf1aed8bd6

SHA256
b2204feb3b6da185a106b1a3e9a015c43deeee7ae18d0478ab4edcc574913f02

SHA512
1a0784b5e9398850d6bb09fc94df23c89af6655ac94214fbc5185ace232617ca367b8df386e088ff1bc3794fdcb1205a7c035df13754f00ce58fd55603c5c53d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
0a49baddf24d3d69127c4f823f8ba73e

SHA1
4eec2dded3ce9ce4d645ee08a7dbe26a13c3d509

SHA256
1427dab26bd134ce5601d672af474dc1e591cd28a2e0d08c6521db3c9a0b4078

SHA512
105aad6c9ce6eb93f7f57c9220c82e2e01a376481bfc61b714569067a62728fb71bf4dc0dbf664d56cbfa4693dca07ffbc7d0a2705c44e8344a91d97b15ef784

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
52adc67a4ba566969b13a268e7aa18d4

SHA1
09a33ece1847b8d18a2a033b346326c84c15da2c

SHA256
e7c2cdec69a4f164eece300e7ae5eeae83591459b7084aaa119f27144fb0e364

SHA512
6324a7fa2bcd937692f2d82d8c5191f161c4a72f294b2da359ec8f498d33f31876d0a4b1f78d9efd69aa56856f3d09bd47660e218ec266162fca6fc92fcf5e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f675946a-8492-477d-8947-e298d453c209.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2180_369142132\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\733ee14ab3e2edcd.bin

Filesize
12KB

MD5
d364d4ba8e3dbf0b34961d093e51f924

SHA1
9b180695e1b6f9179c31902ce2000549f012cfa2

SHA256
412ca4547e144febc7539df40809aa4d7d171b30ca9b95f7bd37e28c4ef2408b

SHA512
cf19cbf8e074d25f0aaa8eb97d6b8e543723da8c9b1479859ffe2b8631de9133e4413f8df02c9a5c7961460820022ad565ba227dfd4b2839a98f25c64950022b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
4b9eac5c32cb035dd3d458ad79a9eda4

SHA1
2cef82b0399dc682e8fa8b34e1ea78ddaa99b9e6

SHA256
0961bc607f9a9e0062252f5e1b7c22845c9189438f017f9da2be588322ca9acc

SHA512
4662c8bb2d7af50b15356a962b09339ad48f22b856e078f892cd3457d2df584944163ea137a71c4534497d6d39bb7b7bd60f6414c4e1fb5b13a77a53a27b0017

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
38b077ad21f76a81e57bb0729c827b6a

SHA1
e0695d47bfd1438d3cb8e2737f6ad11540564f9b

SHA256
b24136a9fa934db457e5c52411d692e1fd56ab4dda654327bdc33efe9fae384a

SHA512
f6eed8d219a346a625d578e4e6a00aec2bad5f384c48cf222d8f55837324cbde9636714922284149fea1794fae8ed019cb806c4aea665641c7869d7a09b43421

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
0d695dc82cf92bd548ff4bf9c3249940

SHA1
24e9861d351c3c7b8923b2a4ab5d734d14f2c464

SHA256
4161b8cf667adf7614247737aad119a616312f3c1afba5967e8505dc50ef305b

SHA512
6ad3a6d0d3d88750ba7077b7f0d47773c5e6609128c4bc6699e56299c6459ec11ac62a93cb5004470fe1e9b2fc0758d5412b0cc54068744a0cd59e98a3f95865

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6dce2490411c85b353113990427242ef

SHA1
f5f9858a58cda34540f3d5e72b39ab4d81dcdaef

SHA256
ab7d50d29013d8886df1e9f582cfe1bbf6adac633acacd7e55e2bd4eb95b94ce

SHA512
75e15f4646d4b859874fe6e960514a142dd894bfa7a8ff2e2612c6e7a2f006de3af9e7fa07127fdb816811d96c16f0b54a141d1372474ae8b84535de840364ac

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
b61f8c3cc22ad448aefbec3ae9bc6cef

SHA1
a2980d85fdef363f0979be3924a5768dd3533530

SHA256
32c9542c061745fecc36b76965156cdb92251c3259a8237bf0a64d165602d5a7

SHA512
1837e172e973230538d2d89f0394e887331666c341caee085923da6ab259f7562cf3469942830a76476ecd70c8262a1df51b8b568fa5aea6df320bd23cb96a9d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
95ac1e2843102346d5eddb3ff6af0e16

SHA1
e8672a03b23170d62fdc6c61658eee438f2cc186

SHA256
2949bf5f0ccbd3a16847194b709c10e62a1aa31f73fe2fbf391a234aa98ac705

SHA512
ea16b2706c43da10896e309d7229fb4c44e03262f26e0a88db25d705eee2fe09ad35ee65ae2ecc36d889418d043d69bb180da3dceedafea521bd6ae6388259ef

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
7cc2c138b94efeaeaa31579fb1d32676

SHA1
6c637e6d6cce601cbff4eef4eb984ee36cad36c5

SHA256
b604778f76ff8ed23f6785129b488add60ed10e54fbba6a37f8dbd322708c080

SHA512
a6f1ce186b5a2846a76736778002f61882943838ca2d8f92db0e2cd3ce2ed014fcf0f7e2c5a238f791478601879ed89b8199b67fe8cb5a3acb1f5cc7e42c5d0b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
492596c0db197bbf5f0f9aa566cf9683

SHA1
2fb7fc29d5cea3f71d02844c42bacee6686b8d79

SHA256
f539f68d5b1ccccaf68d67fca28f79cc328c2f2cd395cfdb14dd32483a5df6c0

SHA512
bd055362f859d95b902609876349427d7daac234e238a2fbca95aaae8a6028bda4d0517905089d936bdfdaf1daad1ed5537d2f0481265bc8c27e8c146e9eecf0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3435bc6968d2dee3aba2cce00366647f

SHA1
03a139056b94db1b616fa47966ecd6bb7c8d13b5

SHA256
5f299de0ad89c8719c07c6c9982e7b90650e647cac05e6027f132876f3ed75ab

SHA512
deeea901caabb5f8cb362a08744c809583dd63ac08c39243967760ce7a4b47081395347ddcf6ff195f214be500af2754c273649b941f55132603fcc1bca1efa9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
576KB

MD5
f8488d92ac2a9a38afd915ccaf3ccb66

SHA1
1af631ba9bbaf2ad9742a9f638992421e9b3049a

SHA256
3013c47580c03305434d4da0c767aaadbf23d337da0a5d65f40544449e2683bf

SHA512
fdf0f016e05976b0e89b314f8ba73b31ca62eb9066051484d021fdc11d510b891abfdb8307bfa2575605d83f80e27db8af4eb313f0bb839ca46e546796144494

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6fbbb1bd1d34c2449126c4caafe4c25d

SHA1
b86e6616f07d4e7507ea1788aaf2a821110ca07f

SHA256
0d4b361ad0314f0bbef126b7e645ad3a0b71e18e534428a297a2b8704edd9c96

SHA512
8948c0d1d593385ae01cea752bb9a625db4fa729de6098e764861834ceda68d49bdec48e3889315cd93dad7b98adf4bdf6f5e1c3b8b825a3e1aeb36620739bd5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
32b7bd641b71ace69b7bc3baeb3ac9cd

SHA1
41ac0cce7ae667fe1119fb25e67db6f76bb3151c

SHA256
1d9c350efb1ce576e94507356b3a92e191d988941fa412081d8263a465620d09

SHA512
04637f49c3c5ccb9ed4f7af46e257e95695f3e84c5c57de23246df2e4b8f2f658b8c259b7a2e23579724db8fe597242a63862ae0982d12b3a2a31db21335a494

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c16154445cb2ffe6c90df24dfb3ae9e4

SHA1
e30883c4a4cac0ab41e34f7324e57cf02a78926d

SHA256
d756af1e9ba0d9834519d9a942b1ee5c59dd1f38d156b8fe19eeb13adf28d055

SHA512
127f4f7a681ba82b333754ae02a3e7e79cb4ad1b76f16b2b96a9d6dd089296c4b2222a8db6b0b2ffcf32b39e3d19eb6c50ac27c617642060456d7ee9804c1ce6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
da6eff5ce36dcdcd44eafb301521844c

SHA1
2f0a94ed9fcede7be2a5115021c7bff3e7b391df

SHA256
c8bfd29f0667d6dfc35e49a706b060a89b5794dfa79f8f211464b96cdeb5ff1a

SHA512
d809b651fb4a969be8318dd3fe0f645aa50e67a9fcffc6681204728d224b399af39fa6c0441d76c6ba47c8db05d8a2c5ba764484339cb82f7daa9f67c2020221

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
ac1ca3bb678b951da8701db7294a709a

SHA1
a336eaab63df56a200300bd58e3c70d59a2a8998

SHA256
66c43f70ba5530de9b7f77d81aa1a7c3e6c7fb381626f38279447fad5410b68c

SHA512
6cc35f4d30941af9be41f6d31c6efe1d111ebabc7b64f71533d0cd70e6594d9bdda3713add796ede2bf2f2f36d8d2b4115506aebc9ec8bf30adadb210ccbc594

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
7bff76986dfa87752c62ec2351479309

SHA1
efd812f239dbcbe16c2c7fc9116f4f24a0965258

SHA256
cbdec9ded2465b9964c77e3a310804d7bada57153c7da639bed7dba8a4c8af98

SHA512
ec691b4dca9b13a0e2c572f595cafbeb1c4b9fbdb6f1f06dac264c455ddb481c081a25282ea2aea7c395a16ee2d99dec23af23b1ece375dfc75f876eb2b71db6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7b8997cbb6d6fae76830ecb20fa27ebb

SHA1
716b3b248302378e67f724c5de5c371006b63aeb

SHA256
025c54997fd11194937490eddb948e7a029ccffe01d29c85c7feeb7e52fd6d1a

SHA512
77e20753e2dfc883ff738f1cc1c1d2cd10c5b2353701842f988b2c3402de0699314c2e4a0db836c0d7bff5c9eb840284837b57d38125f683453c9f00e99500da

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
824e0b621e3144af1123a5efba32cdd6

SHA1
f0b40d62b0ce8cb0e7928aa683c3cd5276793110

SHA256
55ace9316f66df4f7676d9501a6080b518b09490012489f143b7364527f8ff27

SHA512
2a53bf1ed3acb33b7b737a482e007be05cf7ac2032babb53ee20e02ae7b60cf00629a35c9f88bbeae38a9e9e4999e2a911c1b747591d2fa0a6ea0ddcd3921939

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.8MB

MD5
7149ea9e914b0dddcd9b05eb4bca2435

SHA1
768c9c7c5e2cae043fc4d74afe4103e3a70846d9

SHA256
2b3919bbbc6ea9fec8167c64e3c7f3cd8a210e26073b7d2d58c433b7d53e6fc5

SHA512
993efe789dea5356853b0567cd61af7259774a7679e040e760cf97c4bbe135e1d75787d160369251aea10cf10a4db1387e032f4587a6ab61712f843e7e6284f9

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0e1a0df5323f02fa141b11070035f203

SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f

SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7

SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

Download Submit
memory/436-786-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/436-425-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/788-88-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/788-68-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/788-85-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/788-62-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/788-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1740-84-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1740-78-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1740-80-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1740-82-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1740-72-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2204-41-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2204-32-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2204-40-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2216-258-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2216-117-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2992-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2992-16-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2992-139-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2992-10-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3076-20-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3076-6-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3076-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3076-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3076-1-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3792-108-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3792-113-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3792-115-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3792-102-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3792-111-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4140-141-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4140-284-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4696-91-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4696-217-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4696-97-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4696-99-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4976-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4976-812-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5140-147-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5140-298-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5184-255-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5184-719-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5280-368-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5280-161-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5360-267-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5360-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5396-178-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5396-419-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5468-545-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5468-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5468-189-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5524-287-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5524-756-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5704-193-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5704-520-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5752-783-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5752-380-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5800-667-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5800-204-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5968-699-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5968-218-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/6076-780-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6076-299-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download