ff0f223420113a40f6d3af3f08966a9b1b8bea5045bfce66181967d3630c62e3

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
Size

5.5MB
MD5

2710355b023c442f6826faa283a7d545
SHA1

556bd5a86e81d6b40f004b2cf2d73cd6c319e54e
SHA256

ff0f223420113a40f6d3af3f08966a9b1b8bea5045bfce66181967d3630c62e3
SHA512

0f7d06bdab899ee6191042d7783933f37cdc1df4e1f178438364f9497c8dd4b684a2d537b12cd896d362195ea9847fe4102b8ca867f9c2a9d1edf1cabd476e32
SSDEEP

49152:LEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfP:XAI5pAdVJn9tbnR1VgBVmD8t4C7

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
4644	alg.exe
3684	DiagnosticsHub.StandardCollector.Service.exe
5012	fxssvc.exe
3660	elevation_service.exe
432	maintenanceservice.exe
2676	msdtc.exe
1620	OSE.EXE
1972	PerceptionSimulationService.exe
5096	perfhost.exe
3036	locator.exe
4216	SensorDataService.exe
4424	snmptrap.exe
3000	spectrum.exe
5204	ssh-agent.exe
5436	TieringEngineService.exe
5584	AgentService.exe
5732	vds.exe
5880	vssvc.exe
5992	wbengine.exe
6100	WmiApSrv.exe
5252	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\da2bdf9674f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133580629920262396"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2935710e092da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000da00511e092da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d5fe00fe092da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005525c60fe092da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bcec3211e092da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000500ff10fe092da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a9adb0fe092da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
3624	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
6436	chrome.exe
6436	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3176	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeAuditPrivilege	5012	fxssvc.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeRestorePrivilege	5436	TieringEngineService.exe
Token: SeManageVolumePrivilege	5436	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5584	AgentService.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeBackupPrivilege	5880	vssvc.exe
Token: SeRestorePrivilege	5880	vssvc.exe
Token: SeAuditPrivilege	5880	vssvc.exe
Token: SeBackupPrivilege	5992	wbengine.exe
Token: SeRestorePrivilege	5992	wbengine.exe
Token: SeSecurityPrivilege	5992	wbengine.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: 33	5252	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
1164	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 3624	3176	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe	86
PID 3176 wrote to memory of 3624	3176	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe	86
PID 3176 wrote to memory of 5064	3176	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe	88
PID 3176 wrote to memory of 5064	3176	2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe	88
PID 5064 wrote to memory of 3108	5064	chrome.exe	89
PID 5064 wrote to memory of 3108	5064	chrome.exe	89
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 5052	5064	chrome.exe	92
PID 5064 wrote to memory of 3116	5064	chrome.exe	93
PID 5064 wrote to memory of 3116	5064	chrome.exe	93
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94
PID 5064 wrote to memory of 1804	5064	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-20_2710355b023c442f6826faa283a7d545_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e4,0x2dc,0x2d0,0x2e0,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff59d8ab58,0x7fff59d8ab68,0x7fff59d8ab78
    3⤵
    PID:3108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:2
    3⤵
    PID:5052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:8
    3⤵
    PID:3116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:8
    3⤵
    PID:1804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:1
    3⤵
    PID:4544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:1
    3⤵
    PID:4072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:1
    3⤵
    PID:2108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3584 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:8
    3⤵
    PID:60
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:8
    3⤵
    PID:4340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:8
    3⤵
    PID:4400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:8
    3⤵
    PID:5048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:8
    3⤵
    PID:4920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:8
    3⤵
    PID:1392
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:4244
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff673ccae48,0x7ff673ccae58,0x7ff673ccae68
      4⤵
      PID:3136
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:1164
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff673ccae48,0x7ff673ccae58,0x7ff673ccae68
        5⤵
        
        PID:3852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:8
    3⤵
    PID:5776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1920,i,3702840786316235032,1996979648609574636,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6436

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4644

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2032

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1260

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3660

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:432

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2676

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4216

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3000

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5300

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5436

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5584

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5880

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5992

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6100

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5252
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6092
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bec0c19cf4aeaa206f60cd4acb6bbb2e

SHA1
6ed2d8f76be78664972bd304d514b171afa809d7

SHA256
00774992f210889e2b32bea7271811db50ab153be0b1761a7ef45fce45223c64

SHA512
0e8b5e5a0fb1e750a3c42a5910705ba83cc93e1ca8b4e9d6cc988124ab5e62c59ec6e960e4a930a95321863404d5d1f3d35e03257d051ac66426bb3ae842f18b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0bf572be8b9b7ee11388bca5b97c6b48

SHA1
1fd520bb3d0bd4d7cf5415c7b1f70426056543ee

SHA256
8535bedd0c3e2733c2ab84e17b936ee6494f1d37bd7598e5ed1965e4ebd8f364

SHA512
9fdc5dc21928bd7b4561ce36123a0924c5c153c0055d2180c5eb15a69d19ae1b2acffdc4fdee13c2889dee63618b9c7bb62859916418e291bf066c029340a066

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ee39b7c23715900a029719f30d930261

SHA1
844423d2c30542315de26b6f803209cb10e7431d

SHA256
2a4ebfc980016295fcbd4398a444b9c09b25c4e17c01b3e59e75c7db0977aee6

SHA512
e10e6f15453507cbe4bde1ecdb972e71cce5b448ff3cfea113c0152f96b59378fbc8d923bd08cc5148132773e04f563aed9a29131852108a76226aea8723a762

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2b0607cb1aeb5c65a4bf82860b166784

SHA1
ca460678fd76351df50ad0ce2340a08a7b7731bc

SHA256
b837813c7e90c09db22185dad2d2c2a5f66a3512c2c84b290dea07ddf593e1e8

SHA512
20a9cf9a44c50a7056a335844a94befe38fe63224eabf7815048adfbe2d6728ccbfc5814cfd78462d288e22f6b053fb72f41f741979559ae0e032b1573fbba7f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6639ccca24756e0a03ac60555cedd980

SHA1
507b6bff2a5653a609aacaa6d0bb0a27319b2443

SHA256
924a191d139ad20ccb931eec06bace490d1a499929303b33b393e757c87f2558

SHA512
713b33e813a009121b8716b6c4d76a0ff4c66722657228d5c260f9cb3e39009e32692e2fe6cbbb493e7ef9f4aab9c2c2cabc057543ca53992b3ef4122d951cbe

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
91afdc85f64095111a77aadf3e08b8af

SHA1
39b4378dbf266c85bcdab19669ff4c94eda01fd1

SHA256
427c0ab9c53197c83b57c8c30eddbd83cd4c45c8e6b1b588f6cb255b3c8c7722

SHA512
8d91c5e51008120263017faa63f4a1505b609bb6c9fbea42b837903f58152b1fae458bf4e327bcab0661c3f40dfa275792761ef9e93aa727bc60408eda40bf82

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
722ac3019ef7c1cdc560a7370dea489c

SHA1
f263a2b8912531f0b312bebcc15e4260d9aa8498

SHA256
b5c8a8afef0f1d75c768853ae2b0ef565a8ad5af247e375ec01a295a3e4da1d3

SHA512
27908b4744dafc6d5ea1645725c1d5a26b2c1ace6756ad531803196082696a9990d23569707139fa755e301fd3527402c9121246b52fdce14bb8539a736fb7cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3320f213c0d9d7043171dbf8d34ab47d

SHA1
7c9cd67a1be73c94aa24e67051939368a429396e

SHA256
bb3e62e85dfe06b722e15c7bdcd3310d1047d3f302367c4b3a9348b7a70dc6f0

SHA512
bdca565230fc5bfecaf6eb8073113865f27f00c1d0f48346fe4ba075f04477233e1d7ec4d9776a3fb5372f7ead94b3f8bba0398c0702ce7844716ffd6ad0f905

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d8607868b23ef147de2653bb1d02d69d

SHA1
962d49a9c66845ecdb2eab703a87b8d8016f4d41

SHA256
0d0da4f9f71dfbfbff54914741a779c7fcf4c9acc8e604d1add0e19280bac914

SHA512
396543101c41b9f1dea2a1c7925d57008949d2bb3fe04f02cd34d162a1b6e6c54f8296d54437652a02e914ac1de2b7c72665c84bda2fe20aeb3dca41010427c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
69afb29b7cc291e9852148ff95ef90e7

SHA1
121489fb34a44af26999a92a19573e8343272321

SHA256
0e771213b5a088d11e813b51b94f7c09e69276113898832ce469b51ba231933c

SHA512
e65d9b083d993a68983c360f057c2b7e210b93125e45fb980d5b3bdb083d71f14ab7e71e632e642972df8ed21c7711713ffed0fd1facc25c595ca10d0b1e3109

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
53e5a90fd482dfb8c93c9ae31a3b5e4e

SHA1
169ce26acf6a87e6eb5a4cfc5f9cdbe492416a87

SHA256
38fa7f5bcb15f67a9b3c81edd5baed2a4bec159d4beb6d3b4c698751d2009910

SHA512
8db1acbdc7730e66d082c933711649ad02a68542c9f2fb6e7d7e04d384a871326060414f4c69cc7804a67f9aaf3524e74316f4cb18146185f3e31de50b800bc1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
edf623d7c5614337a1929d8b54f13f5d

SHA1
e364859108afbf8305a0c08da9c417d6e9e84166

SHA256
049bb0749a75cdff25a188561abc3140dadb2cc94701c52d39779e8a26bd3bba

SHA512
148c529109b48cc7c00f0e56f1acb8bcba24bc9ce6708a48b0900048c99791e543f704e713e80a51010337b9a973dfd584174a3ee814d5bf30e759470cca7b41

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
56258ff577ce3f08a48ec8f41a1d18ea

SHA1
1de1d784c754399d61bfa87549988c270d40ad6f

SHA256
862789f989de15d172ba80425825c5e872a27d6cac552755b695852389484366

SHA512
f0b374846bc3c029d86db6f05bb6e7316630ef5c2fa9d3c0790a0ef1676fa7698c5d04fa33a30716188ffec2e60c7d6834934a933f711776aba130420e6f068a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c1c3bcf10a6876fff0cd215aaaa47db3

SHA1
35756cfb342e5908de4c59ed8f8cdbb2b564167a

SHA256
681625a228dd81a5c8d6245aa7245febb6036a2cffbd24bd1271d7d2bb8c4278

SHA512
446de908cb6b63a864e8f489385e4bc14c6fadbb0eb3bae78e282a357e26259f94393ed80a20d6818abe1952d75469d1a2c9f774d43ec49889f984fd7300e32d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b52a132c3334478a4621f1775a8b601d

SHA1
e14b70649ad58823185d37ef9419907d9f736cfa

SHA256
16543649da890bf187dde6b0fed92a59537f9b151db482648ec82dc8a9bf3440

SHA512
0a0a16758f973db5755e2e729372924b9d336466c92aa392892f9b94df2f8b85f5cfa1ff6281edac68b4b12e781f6d97eba44d6609031c454d492553ba105cd4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
312bdff05b6227bde3821ae4f3ca8320

SHA1
909c5b54ce1cd36f7823c3d384d88f2d8afdb945

SHA256
438c5a39f9e23957f3bfb8238e9fa21e5461d93fa942adc54ab382a4b367c67a

SHA512
d08771f11134fab0311e09080f8147d71d83acd390925eb1e97e556b769ae05e5ed0e9b290c86d8b5ae5e7c05e756bef715d990db6339585c163e0beba7df305

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\4423a090-b823-4742-a791-194d150718e7.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9057f946af799c7018f2d8c3888a3347

SHA1
999e4e932eb4ceb73bde159d28642df93f4b817d

SHA256
a8f56b8617928d4b04235e7a491602d63998859dc155409db25ac48d17a9e9ab

SHA512
2a74f9fe16359c0b60e0d226952fe48c83a11857d50b62843e44c357a3584a71dbd30015695a1d00fb60ec14a42e114a3584b6e1df0cb9ccc0eef9446420e423

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
cb8fae858faeeb53fb1cfc26fb76d293

SHA1
f8952705f285ee5a6cd1a3e0479109f5d043cf6f

SHA256
7f51ea906b5155ebb3fcec7a30e968ffbafe2c0f49ab3cce29eed5cd831747f8

SHA512
06d68e7255f0019b769db27ae7bc6611ebbdace07d8fab0d9a81eff2e11a3b092899b6c9d8c46f738274ace0c5cccaf645ed4243a6e6e552fa6cd6f4907be4d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
58bb95b4094ea52340b0fa368840c9a5

SHA1
03e801a2f4735f3f47b6822d4660e55210e56567

SHA256
65d15a1557409d3cb361251a31e7a620874bd504e12187d1260d9b80fbf6b235

SHA512
6931e70506a094e390cbcb45ae3bbca25ea54ab1937d6b5b3443890c5f436f5ee04dd587605ff1d7055f4f810d3ac690e1a42b39020e242389dddbce5f7b3deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5e8377df-2a5d-42c3-92f5-f944076edc5f.tmp

Filesize
16KB

MD5
7e4f862a804c7b88e8bab7946020bbff

SHA1
1aa614a54955871ef784b8d52f5e83b1f78a6c8a

SHA256
d1cf6afd76e28d4988acc5fa0d25664fdf0139b9bc27967f6430cb072c829ad4

SHA512
22c9d5bd848b9a484f3397225fa809b6fc99aa1cbf94f9e9771f85295b6bf9c2d285a2834d6a9b2a909ebf9c58e2472518d7744a32391b0d129b5221a7866368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2f472331abc3bc476eb8cbac8c9171a0

SHA1
d4dc94940f1249b84168880e35aa75c2e3c5b0ab

SHA256
d15a564ea8dde10cf7a74823d7a96e1279a7a812bd638768ec44331200989e4a

SHA512
74197121a02b4a2f05e0ec53e178177dcb6e387149b0ec945cdb177c2e9a4ede9839c12ecdf9710c4593957e2b655d57c11f755122ff7fc96c6490fac326953a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9952fe5eed08e7ae026e454a2b9a3a9d

SHA1
292a5224af693eb10ace163f0ed1864acf1b5d5b

SHA256
33657902a924640a4335b8efdd233ce70e4d7ca566e14e3dc1648a2bff5d0a97

SHA512
d60c43e1280aa2df442958dce9c2efbf9429c332910bce22a5757b99d89c42359267a1588ab922c6e1f757c55ca671a2ab1f22dc4945813ff5b5fe47ca7b43b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
82d200d4aa22071027ad178e4d0de986

SHA1
ba5116b8e3f0d3579122299e646ca8e2946ff970

SHA256
71d8a6c3ee3fa93973e68185b1a5179dd0153b8fedbd13d5ea06bd9e10dd3101

SHA512
a37aa989302bdd55f709f5d7ce9b2968f211c23f4354db91baa328abb8b3ddaa4881faf7bde32b8c46528259a123ee21f97774947d71d2461f89dbcca853d27e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5759e7.TMP

Filesize
2KB

MD5
8df20ad2489acd1e7f8a24fbc9a8362f

SHA1
b37b2bc2ee82f0b39ad3a80f6b15ad382bfe6c59

SHA256
6ddca1715870af630f7f8e66256978606fe92341934e897f0db7e5182bb39389

SHA512
8253fb905874f333413b730cbe021576a9ed2dabcdcc9c99400a8ee22792135052b60718defdf45190e05f3b4a70a95bab0a328a2c6d1ba9a095eee0ab4dc112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
360378a3de8e8fe20528e35e48357b51

SHA1
205b89e193c07283157662d857234db2650e0671

SHA256
9f00f19056d959e06b03abf22321e8623da1c1a312a05793f60794d68b3a871b

SHA512
e157c6409d2c86d351d3c371d2f1e48e58c1a32383b7ea6a51f93250ff12ff5ff4d3aba405c4c13f2d7b2f2688777c4e89bc654de33c24dea7340ee5fce974ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
40220d70a4daa276ef235e630822e1f0

SHA1
74160bf396284116a5236a4565cec350a9d6905e

SHA256
c6aab57b75242f909e7bb87ac49bf10501c29c64c8acbded5e65ad9e6c60b48c

SHA512
0f5b2e52dcbeda2dc47d3a541687dc7cde371ab613f37139c7441b8d1e41a52134de4e9c51eb1abfe4d141d01bed3f25dc840632187b620d46408d7587399b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
2dadb9761d141a417edbd9e94c4f55c1

SHA1
e4caa0645079a071f0d5d33ede1e3e6247b7f7f0

SHA256
7512bfdfa468413d8ea820eafd0ae256959a5d338e5246dc75a8adb8640a9e7d

SHA512
d6c8864fd5f370b4659f91ed5c5ba17fd5381677d4bd4444cec8688f6ebf024ddd1404156a148d0aa2cb285703d86624447bc089dcdae794919aadf400c4cef4

Download Submit
C:\Users\Admin\AppData\Roaming\da2bdf9674f8f84a.bin

Filesize
12KB

MD5
3a08bddcb40cec66ce4ab3d7b880dc12

SHA1
cea9c1b8e157405507198a84835c45669f97bdad

SHA256
c07d62ce803357d7217cc497dcbc45f71569f0b52925f8190c68b8542dd06914

SHA512
c9d48048742461728b5b5a0bc794d42b246140ff24bcb376bbd5c56dd472806a15c4ae134e0a6152a1e719761323aa5933dd8c54491899266bc26324c78f0a0c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
5d5d591e6148a860c7b5ac18b1fbac98

SHA1
6dc7c88dd5da840da02b1ea05c6d80d0e67267c2

SHA256
2749caa40ee99331dd36b2426d637d542f928c48d1a51db04f6d7d2645140918

SHA512
d36d38da556a47ebf7616cc9a870701079516890c71a68471bcc963ef8a760cb553783d82ec471baad8210cb5db1d33f5a954eea29b128bb5ba18ee9fc276b4d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fad5c77f1ce3de44b22396116383c687

SHA1
47c2a1579dd26ff1450cf069327bf6acba94c672

SHA256
79d72a22b129871289ac96988b1cf1d5a208e133d2c6b7a64eeda790f52ec1a9

SHA512
dc02787f44148121797a6beadafc7f5b39a09225e30587614f38c99b0158c5e5461b5df50494c7f478113544d2ae39036aacb9bc880803bdc42f63cc5c0e40b5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1e7851f155cd2afd1db321534f024cd4

SHA1
a1fe6a2afae20802cb8ef04c65fe924255c12641

SHA256
43629cd67f9160ac3a05273c6522c99d1c3c88773db369c952e53b5463a18450

SHA512
b6265d8746a8c7d61a15520798a3664a8a88c0eb846d5d1490e7c11b58c460fe624966e1b360b265442afbb0edc704bae655366b3de5aa6bcfe604824529da21

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f64482ca16ad14d8a8cb380338bbf9b2

SHA1
d80e3fe986e79e7096824989b8995272840be5d8

SHA256
f58ed7b38a40f0f13d1e090ab2e78a4156c73e96d17c2ab268b70a3689d57ed3

SHA512
e89cb1adc18fc610f78bb0f34f68f0c0d40134f7061c4c5c00c621abd6b81fbd071536990fd83dc5652fbeaaec5bb1b3e74047881c59dec9e22cecd420e3b383

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8658e0c8380d03bd3deb4362e99c65b3

SHA1
967134123dc8951a0929fc7dd7f1158efb037869

SHA256
fc8fb5b4d6fc83c320eb261e1b1eda2208c923247b1d8b52c9d17aafb68e37f5

SHA512
a2ef9e1f7f2e3b06d9e73a2c83f93e36c293a9b1a247733beab8cf617c6625de1f8c5cd49f444191938791757cb54e769e58368104779cb38277f88a8e6155d7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b1479a4b8ecd530c961e65930b998326

SHA1
6b5638f8946a3209a8f532323206574e664f7fc2

SHA256
08d208f1c22544b397c303f43df88567506b719f4d9369b00439b8888af0930c

SHA512
0f78d40f75f736976295fcb1325e89f5cba44d183dcde0416d852f42e2eec6618bafda0a1d3f7faad7cd9cecf6ffedbda35608f3d65b34bf9e4765c24cf74f83

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
269c2f9268b271fbd904dec8b2a02042

SHA1
5495f62bba1830d68d283f04301abfea005013aa

SHA256
2d6306d5ad8ec20e3de8f74ec0e664947313bf636375ada36ed91c48b0150eac

SHA512
deb14ec9707e4448d5db12e0309a753ed6aa4fa8626e5420788d33600104ef5233acfb5aa28bb9cd8f1b2266ff10b23b57bc7e9780b6680735db0108517b22c9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7bf80cffe91013e3e6bf3746a0fcfde1

SHA1
4e3df593654b6f74741f9f391b897a4bf31a1a21

SHA256
9cc8448255cdbe891c1c452f69faf824294065e138fa15adcd3e612890f59118

SHA512
112ed1c4cff1e351f96ce349fa3c27c2d6c97ce3fba6f412f41865b74b533807e253b9b6d39ea3397f802894cf52f29e50dc26fd80608fe8e564867ac78ba01a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7cef108d500060fc4a18c359d96875a5

SHA1
57575a561fc10d8a8e357274500d1ca08ae62f88

SHA256
2f27c4dfbbf6dca1e5dd0876cfe93e7e150d2f18bb84debc3f64150010a929ef

SHA512
88872f7e83f3973eb01e2ab495ca3d498a7308a6ee0e5fda363d21937c92404ce79d9dd1adec88a2e0f9966bef25076170064f1f1e7dab4d6c9bc0bff8c3e099

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2062985f6cb9edb3b8fff90796cfdf43

SHA1
6d850b5eceb0a9eb9216558ad3dd7f7a25ac6961

SHA256
aef2693f38c40d58d3dd7be7dbfe0aafc85dcb63957b6e84d89a0d39c9b56ccf

SHA512
6f21181734e301267562fdb0f2e3e7e543d3a78ea0938f2f9cfa6fea02e1b91a386e6182138cc2ec3e165ecdfbe125616bd9eeb9cf7516161689949ae90a0ef7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c5aed0b2ca92ddb44e381fc8830dd8a2

SHA1
414f2160844a602f1e3fde3b1e649d451431c2ca

SHA256
f923f7fd29800895a5823b05d8509e1a09272619812edae4663b735a741db0d7

SHA512
68bfd594bbe7e517e5714041eebabf458a1fe2ce0e53a5971f1279a55a3a43e82368294d1eda112fb81fffa6e3f9d946a998faf028ce21373c6c45c5bc061e4a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ac8aeef4061a9db8f25cbc3acd202f6a

SHA1
3a6dffc40405d2667356f5a7abf79de66c3401b0

SHA256
1ce8ae76adbe8276c2bb172e8b5321f977c5dbbc209984d11cc77cca066af628

SHA512
510cbc8396e74b17cf9a45dff935a84d0f6be296b54a61953ece7cc5f62bdb02bbc55aac103c5235cbcaeeb84c11609a7b21552ba9d77d37219ba2fa9e21dfcb

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2f1e33a13b22fca23163c92366349ee9

SHA1
5bebe759c02e0fb341b60fbfee81a31295c40db7

SHA256
22399b316f92f501e683d5ac1e84cff700088f6a686d254cd471ecbfc6a147bc

SHA512
2d05e3f4ec3534bdb4bc44af56cc485d6141ad7e92de90cf964d55b8e4fb2a4418b2599f48ff768cec3ff90921e5beb8282154e5cea927c27fa2c5e3e173f59f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c129a4f97fe501f5c92675cacb876b28

SHA1
517cc23cdd7d372b69466912c7c94e1938896e73

SHA256
ee062418a8ae4ac68e7cffac658126f9b125ed3666ef0594313b24f1f723dec9

SHA512
678631ed2af8844ecd4f7804ffd24f0b62bd07453cbb50d5b333cbce48d9e7df306a35c4e877453ec9ebe20c462bd8cc5fa06f3e33b73f23705cf45e6933c52b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
316e0297bdcd211dd2b8e87d268b35e6

SHA1
9445d738e2e870a9840f03b5d4bd1320ddaec968

SHA256
f5cdcb9191efc0278c58e4c63b69aaad9bc8ca74c0eceea7940da4fdd011bf6b

SHA512
e7227322da0450cf68c74943d2a9b84523afe846d219f5a48d0dbab121810ea9387e2290358378b4603cf40f4fc945b0384f962484e2c9b19f310a58915216d1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5f162d0e301a067fe5668a0b0ef9c1a4

SHA1
ee30e3bdbbe4a4d00a130a3d49d72534ca3fc68b

SHA256
e7e4fa8e8c670bfa1dae5d494de560cd319e9d093bf47518d4a039f1b6c7ece0

SHA512
7499ca5fb2184641727c338a4ad61a0b98e7b2450dd1e642ff815125c09a9098b7ab7d8f137a76b8a0dadfa16a25df41c871e3ad0328bb8dca63fa4d43327e8f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8c59b271345176af25e1aad08f79daea

SHA1
7e27dfabb5a432a7b7fbb55264a84b37a9551d92

SHA256
09e6118b851d6a2235a5e80af8b768ee13fcc771bc758962f8c390be5cc8d1ea

SHA512
3118c5243c443708e92bc2eb140c3e3f5150dc222d5d4ec537043ba4ad2788dea4230222a18c3c830099bc819ef5bdb269d727860de44082decaeb92b77d1424

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4d43a58a3d8e8aa3c6bc0ca0c8fadd6b

SHA1
6354e71c0a81b694f7ed5fae8c7e52dc053332e8

SHA256
e8c2fcf0c7e6f45abd46682e7a94aa4f106fde39cd820beefc22aed6d48a6055

SHA512
50f1ba0fd185eb23789b79b28cc80685494d4a710862ed1299244555cbeaa6a6664e2620ad4bebdfee5b3b342d9d79859410e18794f0d463fd79e519200e52e0

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
3b8d3a35700899dca51806a9163fd5ec

SHA1
4db812d733d8c02137d7a8deb9b824a4ab2739a0

SHA256
01a6c427ddc33ab90908295320318314e29ab1177ae2eded82911fb468c8cf69

SHA512
5967d3f4e5858e70239d44c767b51e35e938cec750eeda8c95c5eec6cf770419964e5c95a273fb7239ddea292feec74b66422fc03885e7eead77368579b10bec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
42dd881214c2a74c5a22427e629d6d92

SHA1
ea4b7ed070c70bf205c1ded9d9dfef540fe3e236

SHA256
bd199cc669821f6f8afec60633ad1d56f100e0567e2a90f913b2000959086313

SHA512
8ce4bb931d07e6fa70591b10c118c9667de4ea2d55d4feec14694614f899808ccff481518fa7ac38921f38b9fd2945e7a2256697350c5b667705291f5977c42e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c9060d4226056e78a1560e71f08d436b

SHA1
543a86b1b004e4be507a853cd2d4ad4b70c07bcd

SHA256
fc115674c6d07aef48452a680c732a3ec3005464d6c7ab7b7ecea844c8ebdeaa

SHA512
664400f6e8627df16cfecac24eff3297cfe7be5c0e1303c7382d8061ff3dc070fe0006acf35e4cbfce633b90cf6b1fdeb67324c4eedd61f3b5d176c894de21a7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
d70c7a3de0f7e0e0977b780ff3fe848a

SHA1
1894e87da4f2d2e218081e91537ffba3b80438f6

SHA256
f54ee5fd1a8424a331b8d2753635f9a3da31761181bbf95120129047a118af3e

SHA512
080f740f1bff6780248be388358655ca0b5a1f851a6fd2f60e86990d7758acc319e55284bf5645c74bbf161c4ef6aa873725b10bddead66171081a595026121e

Download Submit
memory/432-120-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/432-118-0x0000000001AD0000-0x0000000001B30000-memory.dmp

Filesize
384KB

Download
memory/432-114-0x0000000001AD0000-0x0000000001B30000-memory.dmp

Filesize
384KB

Download
memory/432-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/432-102-0x0000000001AD0000-0x0000000001B30000-memory.dmp

Filesize
384KB

Download
memory/1620-225-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1620-147-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1620-137-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1972-240-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1972-151-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1972-250-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1972-158-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2676-123-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2676-122-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2676-131-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2676-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3000-243-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3000-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3000-253-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3036-186-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3036-193-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3036-290-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3176-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3176-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3176-7-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3176-35-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3176-29-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3624-13-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3624-103-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3624-24-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3624-11-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3660-85-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3660-91-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3660-163-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3660-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3684-55-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3684-46-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3684-135-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3684-45-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4216-304-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4216-212-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4216-219-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/4424-321-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4424-228-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4424-237-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4644-37-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4644-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4644-113-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4644-18-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5012-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5012-80-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/5012-73-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/5012-101-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5012-98-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/5096-166-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5096-174-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/5096-261-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5204-347-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5204-276-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/5204-263-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5252-381-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5252-376-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5344-603-0x000002DE791A0000-0x000002DE791B0000-memory.dmp

Filesize
64KB

Download
memory/5436-360-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5436-292-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5436-300-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/5584-314-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5584-305-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5584-319-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5584-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5732-591-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5732-331-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5732-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5880-335-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5880-344-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/5992-350-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5992-357-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/6100-361-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/6100-370-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download