53bd49d14bb027c71fc76f75bc9a644c29e5d858fad284389f4460d0a85f8891

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
Size

3.2MB
MD5

f54f365249b60dcd028fbd5fa266efde
SHA1

cd0b53ee24ca4e208e2ec662ba737a24bfe1d768
SHA256

53bd49d14bb027c71fc76f75bc9a644c29e5d858fad284389f4460d0a85f8891
SHA512

46592072ce3e3c02096fb5740e4d7d0f2ae32437a3586115cbed417d74d4cf71f3403dd618d0d91889a8c898f3dfece00f50a45cc8a1cb1304b18544e2710d5c
SSDEEP

49152:M5k1YCdptya507NUUWn043oHS3fT8YwVq1/xT3DDbw0TUqyE/snji6attJM:CNhS4Yw8yMEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1544	alg.exe
4820	elevation_service.exe
2372	elevation_service.exe
2296	maintenanceservice.exe
4904	OSE.EXE
4996	chrmstp.exe
2360	chrmstp.exe
2964	chrmstp.exe
2296	chrmstp.exe
860	DiagnosticsHub.StandardCollector.Service.exe
4948	fxssvc.exe
2188	msdtc.exe
2824	PerceptionSimulationService.exe
3892	perfhost.exe
5064	locator.exe
1980	SensorDataService.exe
5032	snmptrap.exe
2716	spectrum.exe
1508	ssh-agent.exe
964	TieringEngineService.exe
4128	AgentService.exe
116	vds.exe
4616	vssvc.exe
3200	wbengine.exe
1652	WmiApSrv.exe
4232	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3cb00fd212d07ad8.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d886ae67a489da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000215b0468a489da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d634a67a489da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d99b8367a489da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058f90168a489da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133570477285393260"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
384	chrome.exe
384	chrome.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
4572	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
5036	chrome.exe
5036	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
384	chrome.exe
384	chrome.exe
384	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3176	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeDebugPrivilege	1544	alg.exe
Token: SeDebugPrivilege	1544	alg.exe
Token: SeDebugPrivilege	1544	alg.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe
Token: SeShutdownPrivilege	384	chrome.exe
Token: SeCreatePagefilePrivilege	384	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
384	chrome.exe
384	chrome.exe
384	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4572	3176	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe	85
PID 3176 wrote to memory of 4572	3176	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe	85
PID 3176 wrote to memory of 384	3176	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe	88
PID 3176 wrote to memory of 384	3176	2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe	88
PID 384 wrote to memory of 736	384	chrome.exe	89
PID 384 wrote to memory of 736	384	chrome.exe	89
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 4648	384	chrome.exe	93
PID 384 wrote to memory of 3104	384	chrome.exe	94
PID 384 wrote to memory of 3104	384	chrome.exe	94
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95
PID 384 wrote to memory of 2116	384	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-08_f54f365249b60dcd028fbd5fa266efde_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x2c4,0x2c8,0x2d4,0x2d0,0x2d8,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff971779758,0x7ff971779768,0x7ff971779778
    3⤵
    PID:736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:2
    3⤵
    PID:4648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:8
    3⤵
    PID:3104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:8
    3⤵
    PID:2116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2820 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:1
    3⤵
    PID:3700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2828 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:1
    3⤵
    PID:4728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4120 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:1
    3⤵
    PID:3236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3840 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:8
    3⤵
    PID:4320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4948 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:8
    3⤵
    PID:1536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5064 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:8
    3⤵
    PID:5036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5216 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:8
    3⤵
    PID:4224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:8
    3⤵
    PID:3596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:8
    3⤵
    PID:4308
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:4996
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x1403b7688,0x1403b7698,0x1403b76a8
      4⤵
      Executes dropped EXE
      PID:2360
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      PID:2964
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x1403b7688,0x1403b7698,0x1403b76a8
        5⤵
        Executes dropped EXE
        
        PID:2296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:8
    3⤵
    PID:212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2948 --field-trial-handle=1880,i,6830770279546834347,9383810547843040506,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2372

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2296

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5072

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4948

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2188

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1980

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2716

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3120

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:964

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:4128

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:3200

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:4232
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2804
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6e33eb327970a567feeffd6ec7aa5268

SHA1
c64711079796106549b1acc24525a86ac3b2c08e

SHA256
33209296d8e306d47d7ce67690e484868f39d357396b0c4e1872fe6c9c297b3f

SHA512
e0696577f24e14f034ee3f9008b5692f30156fbd5e2b0cf5574c4ef20aa92aee7e42bb57a554a478e6a1117fd59bb6115b681b188f5b833b1d543d1202e6d0f3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
e850c3e601bea6b0a886639e37f24efe

SHA1
a0871cff439f1b4766011eb19649adb6c56b78a2

SHA256
ec8436e5fcf594ba29f6fce8e7bace996df35242381a9e4a5f58bef9d81de82d

SHA512
88afc083f70fcdccf06d19d6b4409dd77870747f6abcdc0b6b467b2137308d6094b920b57b039edeb7d8ab8f1d1cd8c3a0e6dae7e057cb396d894353da632b10

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
0ae4f7d703b2c4213373e41c4b7f6215

SHA1
a5e632438d46a18d731d5ec4251b9724cba5c391

SHA256
47505e58c1fe4ce524b2b2cd6e026d28557ae5af0b3a1a8cd6d3a6d283e46737

SHA512
e25decbc324412f2065d12ffeb4f62ef9b30239f45420318f3f049499c4cd73a37ba1d34621bf36bd52b585eedaeb2b753848259c13512b82d6affa52839a4f3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
eb2f6aef098e1bb28646a86dbeb07d8b

SHA1
62286b0b8fa51e9efa3d9e395268ae92242f8d92

SHA256
487c7a19fe4ea240d5ebdc61c4cacbf0fc690b6b8f6c15bb42a208a16154a476

SHA512
e2e70d368c91a75012c5a81d0603a9ce68e16e178dad14f34f585930dbf6a4ec19b12a9ea9c879a8229558bb6acad752fa4f4ad83574dc0be52816b14e9a1cfe

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e432c8eb448bf6d88224ad82f29393aa

SHA1
6e95677b52bcaff710b30046a36770ce897a5ff7

SHA256
edd458d41a641b250f4670cbe0be5fef409211b626c9181f702f88cc3eeaec74

SHA512
4230d95407c46311bde847bb3c4c5f6baa0a804372941955786ba8e690473172a963ebde7d5984b3b9aed3e59e0f5a9a2e9e5cece8a69f4b8b2b50a8b15c5fcd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
69acdb609ab1c98cd36bca95753c16a9

SHA1
9df3dd610290f4a77b1c349300b51a4f496437b0

SHA256
0a5b7d525215bcadb2daca78c33c9142933d64775b98b5aa9ecbd454d377a990

SHA512
c6c8719611402f0e0ef4be64af18dd4d2cd5de222a8aef84b34c14170382a47287341a323b66e10c7cb5b3d061da540297ab247d21a74dc9d40c4bdf00fbc045

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
daf1978d4d7e175d4bef52bfc79d0060

SHA1
975f82200ae5d91f1fdb493e278f5689f2323705

SHA256
f79e74ed00e9f8b06d5a86e6f43244f2ce7eea50afb87326ee0c8c55cb9be4a0

SHA512
0e17e249132ef8288ebaf8b818301ac181c713610d717bf176dfb0dfbc6110785222602e72047df2392ffbd93b17a039fdf02cfb3086d31b0916fb2a65aea14a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
059d5c361d72cf8baeca379484724b30

SHA1
405c5e1dd108588df5e050f24b8facdd5ed7c8ac

SHA256
4f01e6a65c5f1a18bb96dc6a19fb94481a822d541410d769ad3556ce9566f9fe

SHA512
20c571d402e241de252d739d5746f61d995de9832b0a4800f56e6ab0be54ba4e1d76acf1ff06dcbf7412ed8e3b89200f00f46ca97b94bec8f9688ff6aaea6038

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
0f53d1fc542849405c23893a5ccde6c9

SHA1
0bc1b60e4cbb4633273040d399077c1c3fa74c4b

SHA256
42ee73f5847ffd210f18e35a0ab894a70e6a3d35e1918ca28ce861b4605358d2

SHA512
9f69a1c7cb6d1a59440a18b0baa0caa11987b35ee0b026c0edb2c9e7575139eeab4902f96d8614624a3f7e19c68bee6dbbdf5426803342baf6ed54a8cdb889e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
20af42b084199693b32529fd96b7c6cb

SHA1
b4076ade481466b096755813c8ab2dd8a60d5377

SHA256
8795aaa5b0adfc98992f82f2a3b8f7a9debabc00523d3acd5fa34cc95d7a1dc9

SHA512
c248f0bc86a8fb12aca77c8700665a1e8c92dd1fcad7f68a049f1905fc8a0817869fdffe9abfa218d45b7c928e9783c69a513d5ad179d3649722afb38f5b96a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a2223fd3a444b0958ffd1cb3cc27e9c6

SHA1
fd13df654b3dd87c904d98c09d67e350c31eb55d

SHA256
7c52da422df2c9d2d28d4f66115ed5fc0cf32b17ad8f96e421104da936c64d73

SHA512
329bbaae5bcc616713a3a0027811d039471f853603537f10e6343872dbce603624660f3ba8567c35fcabe61bfcd3b36975fbdb4d4a4ea6d6cf25811838a020da

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f0c364bb26b806752325793aff776a4a

SHA1
e28ac34b0a91d766a0d033bbbe78bd4a13568636

SHA256
f5001bdb486afc48579f02ac0074d4268a0de68dc00bd8a889f5fb916f0092c9

SHA512
3ce22ce8ca79a773d83518f721eaae37561bc532517b64c567112ee3dd5e7514a47fdb7933dd8d69a5c0ea1a1522adc685ac5bd04cb5b44bb5cfbfe266f4e09a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
cbe294f77e6f76f23c684526d861ae68

SHA1
7c47d013c6805456a6f8c0a57742db273fc2a6dc

SHA256
f33eedbde993915f1ac1de6d97a821f406fcb09f12b579716aa5379d8989e682

SHA512
8d066a2603ec5584838535d03752b1138baa1b2ff689c5f59fc3717a42e9235c13c3b8dcea94ad4502de9f50e38f7baa3c5fedc640b352005e64df52b3fc6de9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
3787d7cc3dfdda2f599552ea570dd3dd

SHA1
b633519db9623f9bb71ffb984dfb8207ea0a8ba4

SHA256
dda5f445d9c97176b29aa322a070012d1bf72d00c002259eab1db578b71dfb40

SHA512
dacd19f9ace06e99c6e7b6d4716daaae080b0af2ab652d973396052328f24f7124f2c8b1d06a35a08aa21db52c83a74ee84cf5b6cead64e8e075f493863e0cc0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
eac8e5ee236936853159c510868c1d6e

SHA1
422f6d9d7e7f272dedd4aaf6f940ca8e61bdc295

SHA256
f66f0dbb061479c24f7ba615c2a2ffc16e3db1cae8ce7c8ea81accfd27213e22

SHA512
55bbc13110380bd27508051b00830dcc86d74fb56f70063f0540a4a15e12337946a295d846a78d99407b55c736594b9da96031a472948eb9eeba6264920d1723

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
96244715efbf793181a951bd41e446d0

SHA1
2886d66964886b7d03cc670ae01da3255573725d

SHA256
e27e71804af0cf3f156809def777c61f5efbe8a1ae42f704ef08475af145211d

SHA512
94f42856de8c7358eb0bccffa77a266403e57ff783676c6e020c2e464ce18d9f3a399ec8170883262bafd63efbbbadaa3c0d1b1000e265abc6e60f858fed0248

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
8a3c62c3a12e041b89faa2963d1b398c

SHA1
1629406ada92a4f1d8cb855b52abcbf54de3c413

SHA256
f4f56316d37631008944ed78172434c357ef661a1a1228a6a54290d8f4b91ecb

SHA512
d8be7d163b06f4e4f8397e61c82dce62c8f9fe9f73ae4e69d304851c34deed312fa36cce4e6f9a508f18eea6503f0b6a0289345994ac3b731c96c7aa4583a0e9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fe03d74a005d7fc69add9b49c3aba03f

SHA1
d4da3f184e4bb032fce63eef0a3d24cd9b6c6d56

SHA256
6e025f236bf8c61cbd2ad6d5bec4697c04ad110694ed84b48c2b393c718b363a

SHA512
c2d4a58ea217ff5d390d6069e711773b715577baf0413ac8c64b57e265075d0f502ca41b4d0c140524f12af10854d6d492c02d8a504a74879c9f2300f293b2fa

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a3ee9526-a76f-4f22-8a41-5f2b46cea4bf.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
b2fcb2fa1e55f8511612ec22aae5afd8

SHA1
5ee579c466604a928b8dd66baa4a39bf3573fa45

SHA256
7837bcdafe13eaa4f23e850a1c46ebab3cc4488d334dd6245af23a64f69287fd

SHA512
0b16bd5de959b8ba68027d6072644b11037f1d0c112accd82b3d9d2848e6a78f21bbeed94eb48ac8f5923c87cb10e19d59c67a436d6dff66594f4f3439fb4602

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
99cc49358cfa3628888247c84b312722

SHA1
72df90d4341e204b5d695a65f8f0575d75d6d342

SHA256
570055b300595d9bee19cd486aec73f2e432043cc1a510b5075bc55da6b32757

SHA512
1b3f0129c396f2e582b6e1316e622f9faf71776e5878c95e71a961e4851f9aa90b651f0e3c3d406602c79f377776df5c8353578f44673359088ba16998fd614d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6fae7eeedbcb04144b32d16ed75481b0

SHA1
a3d533bdfb12a0481fa17a82c955f5811593c3f9

SHA256
631a81ca5abfb740336a0ac1cb4038c3bd8dcdf1a6cca97ee05edba1b214cc82

SHA512
ad305a9f938b1247c86ede03c2bfca88969ea9ffe2a4f395d54d69306991006db29f3af777df41465404df4d0d6a77088bf40d6e59dbb01f82a13ad15f8410a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
1b2e29506939a11b7787ee3c12371dae

SHA1
7c8fb7f2cf08911eba93139423ec0cb97e481bd6

SHA256
3c9223ca8885642ff67325a940fa2d294c5e3b4f58e0f0552cf7bd3e51795785

SHA512
c12867df735a0fdf99d636cde6c9c2721f2e587774769b7050bfeceec8d31d5a8e50401e0b1e124b3a9e039546fffacaa9d784d27c59eacd380eaba3c6ff13ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
18856bb63ae46687a38668e0942bc6ae

SHA1
4dd4dbe129d9bb8f08beab34b7f83add47552fc0

SHA256
c67313c38d13ac6c3aa0d91d5f4c5292bbda5802c241004b15fc8eb49133bfdc

SHA512
c4a6b84da08fa6392c617052e2e9136f5c3ea743cc07f235361d8c7bca433a0dd7497fd4a46aeae1356d44575f6a3116c1607cd6b2595745f9455495a1a98e76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e5e271edf2886b526c729802ac5cbc96

SHA1
51285d47f5988de01ad41290e00881221e1250f9

SHA256
e3b507c6586a14bb2498815a3160ada13eed48319c2ebc600140be14979687e6

SHA512
cd355030fff9a22178a0a2e1ea603bb597c0a7218e4cdd9abd845615a8e66b2a55618ef191189325da940f0b6235bd3dfb56c9bc9da1fdc44485bc8e15d6b2f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a9a68d4cd2cbaebca5ce9b3d193d287d

SHA1
98a0d10c31fcf02b2033566a1609cc4a6657c37a

SHA256
0590183d9cac7b09ef78db0491f6af61944f4e9e9af0c77a173fb381d985c145

SHA512
4f13901bd4ed4c81b6295df7b2c7dbb0e77c8d5629f2725a011783309e7e3678a785b3153a195b4ceba3885ea143409e8d35383a895aa69ec25ccd1109d69c45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577511.TMP

Filesize
2KB

MD5
9789813c7b351abcd4b4cc4821874f82

SHA1
3c3839cb1e6fcbd66f3c6dfc092f3aa49c057c03

SHA256
899961eb96b3c34c8a0b0bed8f6e6d81c5979592af5cc0144590b71e394bf7b2

SHA512
9c8dce395a863812d3b050b5068e97301309e46ae0c69f6ee0f8539f3dd453d269bfe4865d4afc6a8518e4b85ac49f8901fc937ca19da27a1e5bd178e3774a76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1847c74ac615ac25ecab19809dc21091

SHA1
1fc134069e678779e6b440d8dd42c0539ab080bb

SHA256
26bc08c46507b6665d2203763d0f318a8a563458a1a5676a5d5b8cb6259b2700

SHA512
14bbb370d9ca34be32a556c19f54b34175bd6640cc1a415883d229a79bec8705fb386cf3a247b00030c462ad8b620d5f249c47c820b477a948e68b7be0c1fc03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
bb0f4f4b9e9708b07daf24783f701aba

SHA1
ac04fadf5f51175fc2286b30051efaa7cc43fcb5

SHA256
2195473300f230b14fdeceac5ddaec4e55023e796183ab5d6854af2d947e20f0

SHA512
e8bc8ec161b5fa570b113c20102c63b7428407e4dfa38f6a1af0681115cfcf8531477ce53c21c87ab8379b63102d2b669e518742771ed694299f3b34c1f74b90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
9138f286c66fc96cbd1ef8b0b1187791

SHA1
0c61169f21dde172ed9648b9eabc49c1f06c7110

SHA256
f7b32a03946ea276d6211d133345f185f1d4f4c49f8c9443aca920fea23d53f6

SHA512
7d218c12074a047f28864d5da34d5f44ffea05d7a575e8feb43008cec115b3fe14b494df543d9e72ee5efba6431e02cf9f3ce76bd50be9dbd148ec7f06ebb32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
de22bdc1cb3d600c81d1bdeae32f33b7

SHA1
4e0e5c3635efb0ae44d13ac9cb5542fc47253d4f

SHA256
de549a3206aab4ba3b87ed258a9d25040ae18d71d833fc055f67e72fb10d7daf

SHA512
d02ce9cfdfd88b1d2a219ad7e0d031d5e15ca2a98463f35577b3cd97b0e252815d8814530aebca1fb2040cb8d8ceaab3214594486ab73c80864d6f84b4ab89c4

Download Submit
C:\Users\Admin\AppData\Roaming\3cb00fd212d07ad8.bin

Filesize
12KB

MD5
c0a7349056e5e4f98f09f219ccc9bf4c

SHA1
3b9b58124a27995b8d51a3c20f81ea39102905ba

SHA256
d3e26d58d3e7119dbe5ad8a8d8be98969390cdd1654b76c5aef4c273093b30d8

SHA512
59738ff3a6b3ab8a63c69949e4593857601314671431dffd7d2321b08e6452f52252a5cf8d883a1b1795c56178062992603d8ab63f7bad4cdfb0c6576311598f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
42bdf45741cbb2d9ed0ca7d0b070dac9

SHA1
f334a82232e18ad65479d301d88a9d4b8b5d1eb4

SHA256
bd1147274a9816c392cb1d20a3774547898ab324949847d57f8871575ea5e7db

SHA512
6406f21edbfddb41654dae8727422ba098672595622a2f63215ca9ce3d93a765b12d0cce176c3002c89368c2d3eb1b24c797375938e738d63fb17f959994a636

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ac2ecee52eb08c5f11d8aab00d7a7508

SHA1
4b6d40169cd55a7d80f1d9740a0e22f27bda60c2

SHA256
ea383f6fa88be01b072b16aa3b2d2d2e74c34fc1d6f9c8c04d4e07390d5ab1c1

SHA512
7fbb2078d8e5cf5bf99ada04a7acd7a8363ec0e8c670b9bbb418db93902e566a294f1ebfc02444107f4822714d4534115186dfcbd023817f7d110bbbf71b3fc5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
4bc1a23db783003cffbb46e2b37bb8a7

SHA1
3614525571ae78fe4a9163e18cad4d84019d7f54

SHA256
5389a005170c9cb8efca2628e8a268b8863365352e5874dfc68eb81e4a025c65

SHA512
9a7d058af86bd09745109b787cb242f67692e92530ae70e344d95b9ce268572b9f358662fac9e72ab1068478a4a0c15854e4c47684c1fcf53aa9018366f72153

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
eff1d1a74fcfd9f1e2e0700d385681b8

SHA1
3f865b2f76ee06032bedd89c616575856de0473b

SHA256
ae9e6315e5631a6152184aac1b58a1510de0b68a8c4f632eaacff64c68b85039

SHA512
8bd11cc349453d2f1330c8be95687207738320518f42bb098fb97c530dfb648dd6ece0fe7c4d59cc52934e30e04f706466f4d919a4d0aa1581af8b83cc86d72e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
2d255f2e6306c19d7d246f5da5a0add6

SHA1
608ce6415ad69631daf1432063b7cad8ec4fde46

SHA256
ce0eac1c7e4203a10a5a98095400627539a4aad678682fc983b55bc2771cf4ca

SHA512
c3dbfa3414d8812a67a142421af5fb74da9bfb9484362e228f15f6fe9d1b7bfaa13d4378ff98e53db392d1bfad39fef33bce6e9e8332752f3d51e430fe0ce9ad

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
f5540be19e232df03e6b27ee9f0114a6

SHA1
c561333e80b2cfa4e841087f7a99e668d6f69bb6

SHA256
7fac3c9cae5e0c6c0d99c6e8b776e0a3acb49439e7e37b9f6fb1e44498093525

SHA512
db0d14ca70d33f2d34dcf1529d10ce075e125e825762ef067294ed690d4b5169078256f1fbe170c9bf7d7f88d42f5c09b93607e9e9a526662d13ff0881855996

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
aa457fdecb2343d08b79f624a464c1c8

SHA1
7b036c2171d7c72d4803ee00b59559c736ad6917

SHA256
b3295ce8354302d9b9ead952dca3dceed407aab3e032665c3d5243a31efdb5a3

SHA512
3b02cd4120321f7a21d60a51a87120a6fb10db4243347d088c508548f72d2c6df501ff0e46fd9f44f5485cfde983216d1e3a4beaac70b4eacd509d5b3111a018

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
185a0ab749c123ec6ed562e953099e6a

SHA1
16d91d1cec1160af5dd861ebd0150febb59be597

SHA256
35e0b88b25c2931815b4527ed7f0ff2d6c769d3f5e40b7fb4ec3426b71e801d7

SHA512
bb4fae1f91809e82b99d32c78ec12b8879f846303819b769ade15ccfbd09333f07fb248f0a1c04bdaf57d9e2d307152f6f7afdcc35c826112fb9299561bb8ef4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ff83ce8eec35ccf0668a4bf8873521ab

SHA1
cd546f3712a37f721ed14336a62d5a954cfae072

SHA256
9acdfed30778b9ae466f5ccf68af50576f356561f6962c0ee37cf8c7c9829455

SHA512
d0ec6a9d7e0b8beb1ee109a6c513f25b0944360e9c2771c9462750a5864a26813674297f853eaa2c9e030b2f6e53708e65a4260acc3218cd5d80baa523c9ba6f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
621f6472e579320cb67c8b269921ea45

SHA1
7c9a1010346c21d51c337387e7bdd3ab91c4c907

SHA256
26d72f949567c454f9ca8e9903d18fc30bfbd082ae5b874825866e4e8e5869ed

SHA512
2cc5b6efbadedae097b2c8d461f94cefb1ab7f7c0687cb8c4dc9bca041e08199c1d8ea602db34e292b321ca4f57b2e8a5423d89614b0d4618e711bfebf50ab8f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
62371448bff5dc13cffe5d4c8a7a04aa

SHA1
5a1967eb4f6950515719087ada2b3d4aa97e200d

SHA256
7b6d9ba59731e54b07b09b101f1677f6618cb7fe362d832953abbd8606134d5d

SHA512
9656a501965859a656103ebb32ee2cd56c3046e65b3b73d40fae4a3f887b53eb63134c71b24d383471bd5f2405ed387f19ee37c7fa5892a822996854cad8b8ac

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ce9f8c95133c63701f4c70d1252aa1d0

SHA1
8fc6170fd4b6ee81229353dd82e085e1d37b4618

SHA256
846e0de89d488a36e248a4edb3cd7b5ac3b523c23249f3699a3939dd130c13b7

SHA512
880a15514c961d2742716db0f98ff4148d15f8684f0d507684e5b781b573212ec52f922ee52900797aad013a5670922b2afa1a771b8080aad09b25e2027c4e05

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
ef6e480377446c640dc5a49c8be9c6c6

SHA1
32ddd35ff804bd2e2306e98a79189d9a4a4844de

SHA256
d08ffd85b969a1a11e2f0bdf64ae79af57220318920da74353123e8635cb2518

SHA512
825561b5be3f7ea374da768058fedbe760611e343628a3508500d93fb5801b8034b88a3c2d3eac6fec54f8eecd940da602329b1af47e6d21874bbb844a489b29

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
053c9a6381b9ebc5fc59e4200d2371fd

SHA1
355396dd0f35c0c68bff0d876bc11bd864597647

SHA256
e8cbe205c5e0b5465f2c6d83bd7bef7fc601ff6a9842e2e837d1b184278545c9

SHA512
87037a7e8455111ab2ee10b423f8549807754c96b2ba88d3d4e4cf267b8c1f99a1f0bb287015102ecb10b472f93756f36378092b8d1af687ac18a63c15f2af41

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
848a8ba1b2db438300bbea3a84acc9ba

SHA1
28c82dad057e871c923cc610bfefd7713055dff0

SHA256
875500b32804027955f498b5a11f065cae4056694f01d5ceda515b52bd16cd7f

SHA512
7d1d056ac92fd916eef3f2b69375435a26f98f29ec9c4982cfb5a7ab71d76a7a71566733f203b88529fed3cc3e898179db89e975d95d19b0a72d49f5155ba24a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c7f19a25d0fa22174da58dff627e9497

SHA1
f698e26d62673f4d1ac91f332234d63064e4a1ec

SHA256
7e6fb12a1ddf654a3fbc15f8f99f3fd26c8f5ec1166431c36e11594f16722fe6

SHA512
2ce29aa3df4f114a6cf3cc3691592f63cbdde054dfa9b19dec95b59e5faa1f311a2b6d7b2d98a0ca706a0cad97d04b83bab4b7b89420ed46e9129077e676664b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
1ad282058f95a4ae4a29111f2a2315f8

SHA1
6a5bc63b034cd17098eb4177ce2d61db7b87a2df

SHA256
b05a13c4313ebebddbf73553219a690170af1d4262e6566e6646320b1e8c41ea

SHA512
8f0dca8c7b7a35f88edfeba82289e17608a1f716c97c5c2e8c18cb435edf744c7843d94f0bcf845bf6b242e516537dab07de4696f5d132ec677b710376b3f731

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d65dc694edec46f85d1d672807d0185d

SHA1
71ed5873489168810f1b787f2e90e004167d103b

SHA256
4719f982e9451d64f7044d2848eba9bcfc3b4ef3ccfbe3e41964decbe9ac3327

SHA512
6ee8160d1f9d6464d40f292abc0c70a870e2734bc1b2f7ebcae6783afe6729c61a6de9e876553b18843eda0f43158c63e6abccfe2c8a47e16bc84724dbf751d3

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
a57e00e7b64144dba402c6db0f7ad149

SHA1
51a33fa8f038784838ba3a6c0fd16cfccf49de55

SHA256
26345f4eaae9348eb9da6a4c6101dc723a2cd58c0f15d93f5c1ee628b6957fd2

SHA512
a9d626fbae4b1da4d41e75520ebb2eee98cd2a4b9dfdf5f264e574b61f1acbf34c0bca6b1d3e1212ce37c8935a50817c47539b03030e1665a7dcc3a18dffa739

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
70801bb4bea5f6ffb7fbb23f2a5a3ead

SHA1
a72adb35010f0e3c056810f10e5077289252b5a3

SHA256
acd9c3ec6a8cdf8260deb825d6161e02d0d11e0f687aae3dfd768e5057b9c94d

SHA512
302d2e59f91c477182661fd2a779544a14a288b2f4e998d682709e5d40555360b7e7b4736c93fea0cc1b94d3442f00d8c3386733477fa761c2ca8e0eef4d1c6e

Download Submit
memory/860-439-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/860-508-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/860-513-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/860-447-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/964-576-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/964-569-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1508-553-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/1508-564-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/1544-260-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1544-16-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1544-28-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1544-18-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1980-579-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1980-515-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1980-522-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2188-468-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2188-477-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2188-534-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2296-410-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/2296-95-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2296-319-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/2296-98-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2296-109-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/2296-84-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2296-94-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2296-326-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2296-85-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/2360-406-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/2360-409-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2360-276-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/2360-283-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2372-73-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2372-57-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2372-290-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2372-56-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2716-548-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2716-539-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2824-547-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2824-482-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2824-492-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2964-313-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/2964-334-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/2964-292-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/2964-335-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3176-8-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3176-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3176-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3176-37-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3176-35-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3892-496-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/3892-562-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/4128-581-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4572-13-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4572-116-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/4572-29-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4572-12-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/4820-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4820-43-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4820-90-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4820-87-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4904-114-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4904-103-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/4904-102-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4904-391-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/4948-451-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4948-460-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4948-466-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4948-465-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4996-262-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/4996-261-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4996-366-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/4996-269-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/4996-365-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/5032-535-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5032-527-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/5064-566-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/5064-500-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/5064-509-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download