4ea22f5f3ae8ad52a940fb39be1b330a5ebca491a81e9c885077702115ada76d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
Size

3.2MB
MD5

b2a09881d6cfbf55eedadd2b2b20e346
SHA1

ee0d5f341bf7fbc44add6aabc77a3ab9b5820009
SHA256

4ea22f5f3ae8ad52a940fb39be1b330a5ebca491a81e9c885077702115ada76d
SHA512

0836d59f61e836321c73a5a0ff95a544ddf2e84ff093dc83173c404391483eb56a42326cec893c6c1112bf55df55939429bde593c4ceb2a19ccde6da1c6d353e
SSDEEP

49152:75k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqydf9Ckt7c20+9qNxUW:PNhSMYw8yFfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
2996	alg.exe
3552	DiagnosticsHub.StandardCollector.Service.exe
2032	fxssvc.exe
1836	elevation_service.exe
1224	maintenanceservice.exe
4808	msdtc.exe
3832	OSE.EXE
2220	PerceptionSimulationService.exe
660	perfhost.exe
1756	locator.exe
372	SensorDataService.exe
4336	snmptrap.exe
5192	spectrum.exe
5468	ssh-agent.exe
5724	TieringEngineService.exe
5868	AgentService.exe
6000	vds.exe
6136	vssvc.exe
5236	wbengine.exe
5444	WmiApSrv.exe
5252	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\25c24be3c43e60d1.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{2E67EA64-8D74-4AAD-B11D-5C46D99A6F7D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_72093\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048cb67501793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041d515511793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f96a27501793da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f2162511793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133580867138725977"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccde5b501793da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d5236521793da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c17e1b501793da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
1096	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
4276	chrome.exe
4276	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1964	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
Token: SeAuditPrivilege	2032	fxssvc.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeRestorePrivilege	5724	TieringEngineService.exe
Token: SeManageVolumePrivilege	5724	TieringEngineService.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5868	AgentService.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeBackupPrivilege	6136	vssvc.exe
Token: SeRestorePrivilege	6136	vssvc.exe
Token: SeAuditPrivilege	6136	vssvc.exe
Token: SeBackupPrivilege	5236	wbengine.exe
Token: SeRestorePrivilege	5236	wbengine.exe
Token: SeSecurityPrivilege	5236	wbengine.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: 33	5252	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5252	SearchIndexer.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
5344	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1096	1964	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe	84
PID 1964 wrote to memory of 1096	1964	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe	84
PID 1964 wrote to memory of 4092	1964	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe	86
PID 1964 wrote to memory of 4092	1964	2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe	86
PID 4092 wrote to memory of 4904	4092	chrome.exe	87
PID 4092 wrote to memory of 4904	4092	chrome.exe	87
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 2912	4092	chrome.exe	91
PID 4092 wrote to memory of 4524	4092	chrome.exe	92
PID 4092 wrote to memory of 4524	4092	chrome.exe	92
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93
PID 4092 wrote to memory of 3880	4092	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-20_b2a09881d6cfbf55eedadd2b2b20e346_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x2c4,0x2c8,0x2d4,0x2d0,0x2d8,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd71c7ab58,0x7ffd71c7ab68,0x7ffd71c7ab78
    3⤵
    PID:4904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:2
    3⤵
    PID:2912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:8
    3⤵
    PID:4524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:8
    3⤵
    PID:3880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:1
    3⤵
    PID:4884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:1
    3⤵
    PID:2100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4308 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:1
    3⤵
    PID:3740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:8
    3⤵
    PID:2024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4128 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:8
    3⤵
    PID:2568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4368 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:8
    3⤵
    PID:3212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4008 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:8
    3⤵
    PID:4300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:8
    3⤵
    PID:2600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:8
    3⤵
    PID:2624
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5248
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x74,0x244,0x7ff79ca1ae48,0x7ff79ca1ae58,0x7ff79ca1ae68
      4⤵
      PID:5280
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5344
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff79ca1ae48,0x7ff79ca1ae58,0x7ff79ca1ae68
        5⤵
        
        PID:5392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:8
    3⤵
    PID:5808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2524 --field-trial-handle=1908,i,18368063992487095864,17436810427142359752,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4276

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2996

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4860

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4808

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3832

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:660

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:372

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5192

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5500

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5868

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:6000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6136

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5236

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5444

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5252
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5896
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ec50c7e6d0a2ab03933b755abd5b329d

SHA1
44961d708e2e48dfee44f94073b70abac3581682

SHA256
aeb6ce1a6c02115e8ac05a0677509c668d225aae76fbe696cee01e595f00f33a

SHA512
47d0c6deb611cbbc91829d5ce28c1bd4043c70116ad72245f09fbd17813a7a89f90e54569faf5176a0ad9cccdd7552cb330377770a0dfea80b4539decd01e462

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
41e8abbe12abc151ee53076e8e125b6b

SHA1
6cb84ab9510af796d80270057cad929575684f7b

SHA256
b61d9232f525d4767b01e8a65551b8c3d978b689b0339c33ba6f8a99a35a2a4b

SHA512
1954f7f3710f3851a9f77fc5db37252590135db7923de8183ee90813103007346397960a137800246763a22cab707c83b4dff6a64304e1b9302b07c960234ba6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
5042a71eda6c848bbf60edd328e618f5

SHA1
4caef845696e08358a0fb5e457d20af16fd20d45

SHA256
42a27ae0dcd7a26253e674efdd9ff245515ad956f5526e8ed644ac194bcd8ee9

SHA512
71a4c105057a35af83a09ff7a7812366fca5505d590a3ecc5aa5221cf219187ee3038eac6185a56d8b233ffb630188da55ff5d550753808e85be45c42b630b1d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dbc505e5fb744fcf91ab125b3679988d

SHA1
9269ac7d92c1ac4db84cedf8aa2ea5a2a1471ee4

SHA256
e01e1769e6c3a6f12859b3d8e275db2d6e0d392bd21400e65fd8766c789b68eb

SHA512
a4bf6046b8b1090906b9bfbd5db49acfd58097c4b60385272720de427d4fd2a83194980fd744f76a50ef6534642f73ddc764b3c889f593b116bf5fe6f6450cd6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c71a5175b747b392ee9c7940d11270f5

SHA1
7580527e2e6afecfd964fb12252f10d6a77047c3

SHA256
7cde61be83f707c6633c74adf1a55e5370dd45dd84aca8bc196e98b67cbde2e8

SHA512
87951ceb3cbe345bd83a7acd2ffc0aa46ef153a12a6383229c3fa79c478115e3d875f94693b857cc979c50e6df338c7744d743cc8b855c5971daaa16039d1428

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
9a66bf702283b6a25c1279945ef56aa7

SHA1
53e410ab059657b4e0ebdb18594a2cd7ce7ab97b

SHA256
d154f52ad80f0e3fab35ef9ef4038864dc20fcda790106e025e82319261afb04

SHA512
82c12cd215afba2ef9f6e51aa6d8728d064487170a8482c391c65352ee6539d04b50800ede0f43de100a3cc158b5ff3b0ecbac618ea23657f6e2d476d696e050

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
1edf3b8bbe70983b7fd7b5550ae2aeae

SHA1
9a0f127824f5d20784ff97943b0250ae1114be53

SHA256
a5618b18ffe3de63fbd8acfb4f75b07c5998452a20c5da823c766fbecdcb1e2a

SHA512
a460ab7dad76dd0857044eb5c5e628053e07001ffd8b29480b746e21649e94d8762b924fc4c02e017f0b0148b1b0531ff2cd15ee9fba4df56e648ba96c8c19d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4a6d29a69d6ea594abfcd6baa1a34ccc

SHA1
923ab8af97c4f4cf3c42c11612a3263de574cb69

SHA256
a88a2edbe82d2964934b40ad2804dde238e46e791587a493f5ee74e45ba1b283

SHA512
574966fa284709b64ebfa72641dc928cef69a8ec11aaa5b63f7008888762ff7023b5bd8fc306f17d827e6dbaf8d3cc4ce28d3ff1b28477973578efcdf0616fc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
706f89fb074e4d9288ba508384e136b2

SHA1
3706c0ed4eb46179e541b1c0a2d57487ff7410e8

SHA256
efdc018acad35d90c75c5d51d6f6de9ec99148c3c46fb08e4d21770398babd00

SHA512
6ca7971f55c5c9d4c4524df5a9d72ed2eb1391436093f2f027964031471bc236b6b6f46cb9ad98d0f2723508ff3c2badde943a4bb4b1bb6affa469650e51f996

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5942c6b5ff64f96242074b222dbd49cd

SHA1
e914c90dd1927057d0044ab0427278f8b8464fcf

SHA256
761513d0f20032ed9234db53c6dbe005865bf42b8cafb05684c125ad2aee867c

SHA512
5f3addb6b1b2ceac9fd5075d036b23a3d0e6539fd026aeefc178cba4d69a58dfb47e47f5301897bffa6273c12e3d83cadf330990977806e7a719178675904d3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c45330d3678cc81d958117640f7dbee2

SHA1
9c1acd6ca263ded4de589064791602313959ecfb

SHA256
b29004d482264064c8aa9289c5d747109a78f02dc8cc6eba71608ebda6ec9514

SHA512
66baa36f4bd047c6169c7a123b4833c73cf5575b23d116843625f54fcf51131ed10a93a15c5b6983762bccdfe1c89be671c3ff65d265d59dca71e536bf3dce9e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3682e80c729100ce23b7e0df0808bec7

SHA1
37f6c46fc677bcd0974521622e30576d619f0d85

SHA256
891375eadfa23db5d2a3ee44440b9769aa6bae111a8e094ef3e52bc7bf9640ee

SHA512
74ba82fd53ec8bbfbc9993da158581595e165464a0ec7522169b83e31241be2c14307617cc73419e3cfe21a5a6690c519502e05c546f277ac00641b4b9c27d24

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
bbf46191766ede77f9dab9254d5b7062

SHA1
190c71ff3df2372cd15ca0ecf418580930341293

SHA256
a9a428e5b46679da1134783b9011551cd4d299bfaa285b318ecb38499ef02463

SHA512
07b9a2620ac8015934a3733ae3061109c8ee23bddbfa9101d21190a542ef00645aa2ecfdf867f5e58ea5246765673194123d6e622a2d06f94816680dd9fa5645

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
8d7fa83bf2f4c5deec4e3db8d0e8a39c

SHA1
ab77fc10ada0fc14d6bcac0757b977fd3cbd19fc

SHA256
4697fb86d9fa3818af219682755b4552313bf075fb8398abfa6c7d564c19b9c6

SHA512
ad19ca56dfbf0eafde9f54bb476a35cd78587af7cbcb97adeb6da44f4222babb873f8cebd995dc49dabdf7bf29dd58748cd39c433141123d2c682a2482ddb473

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3ad232362af371b0d77d0edfe36ed27e

SHA1
8a726829800f0de737d44f5da518a1f970cfe5c2

SHA256
56197fee4c9c7026b60fd651e8f6b7a18e4ad257890c045907901f1cd248d84f

SHA512
d26186959932d292079f15f00240076081e6d0e10e3f5862433e3387b0b289cfe2e94a23ef2ed46f6d16fed2a3e4bebed680567a0d2ab457069888c88972796f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
479df2558cc8a5135f7766ce7cda85dd

SHA1
1481c5c06981b2cbe44ee82488ff6547f648580d

SHA256
74a396bda0bf46f09f3d449be5a12ed180bb5a85a71eba7a28ffd90957ea1216

SHA512
d9a87bf08001a5896b6ca0a969369383e00998d700d2eaad555f42a5f2b8fdbb2b00c00f35a1ddf13240723fe57920cdd3102fb3d65cefed1c6a406fada44fb0

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\0a2c147e-0c5c-4c44-85b5-1fedd6671f44.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6a3ff3818e04135d85c9e5b4f660fdf4

SHA1
8073e29bae6867e1bb2d74fcd06af15df9f5b832

SHA256
fe63cc6873a83409d8261d96b600f4f0e3bf3ec32dd7cd0a3ffc945438455fed

SHA512
cd96dee53886fc628f55d732ea1340ffe6c48e29dd265d96339b457be6e38f3d9ac92e20e15b27a331904c28c402fd22fdb7b18409caca5faa3ebf70a9b2b0fe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
afcfbccbef363fb3539db46db7e40237

SHA1
65422a4b78b20eb2d35c0e96670fd45eefe36c05

SHA256
ccacf5e82c19d115dae2635058996091cc6157684edf9179e405edf591dbc266

SHA512
71e4daa2b1da87a2c914c3c024c11f34d3e030c61554985683d8a2eec2f66a9ac83c9532b0ebb44c2ea94ef98c4b5c9e411168a26596da566381453ca67d977c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
273d2cbce45caf2ede717d027049f931

SHA1
4d3880a875edaa72dd9cf1b44108c5748cb3dca2

SHA256
37b7d501862fc5714342a23f53d38d130e4f685f0c7302c4cf9df83e20d07154

SHA512
c2dfff0f1d845d68cac6758161653cad51fc47644cb4231bd92dbf4a140b50876312b254f9381a5b8c42723d00e123956706e94c2c41354d36c577c79de8f5ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c38c540fa4f2f9d75d94902fd91783a4

SHA1
474b5a8a9fbbf8ba5a8d727ef88cbeeddce683b4

SHA256
3cadaa3d52f2199bf468c86ce81085d8a3b9919d0e472773a022ade33f520c06

SHA512
3d3e5dbba8f2668fccda515e75c706ce2e81a90cc9128b18ce257911348e0ae0b173ef2f32a59720cd6ed4d56bd0a63bd27d975fcd27a17575376c5be54c60db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7cbfd14f15098a9f65fe4193138a5f60

SHA1
a2f0e47c5f952294dde179d8eea65def36a577b1

SHA256
378538bdc708ef6f8d41e1efdc7755a75070f4c21f5d450aebcb002e82404341

SHA512
5ccb5d37ea7bca50e72bd065a7de72b0404c0978e3f48a7e4118f8213e25e6128892424419721bc0cb54f1d572c8fcf17ad738b43dea9254026df12c68ab0ec3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7bb35bbd915da701ae5a14461bf307c8

SHA1
29a4324071a567b1297e299c450fe6ea5cb361e2

SHA256
832a8f0b1ad2397871f143ad7ce87ae7829150404a0ebd1f0754ea5594c28d21

SHA512
50c2c605bee60c40151fce9f6f63a6f40142818a98c5f7877aae7689cc5785cafdc8fc08d8c7062905d23737e39e85939268f5cea14c13f115c82a84e5c20040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576225.TMP

Filesize
2KB

MD5
30b8f508502e1051f3ee30171879ef7f

SHA1
1fb298e045304f43b89e5fb50effb26aefd3220c

SHA256
b46f199a934c112c4c6c76e3ad0cd1337f73f6c878b53a58681c7c2837601816

SHA512
b653622f44b18004d7e9e31679c3f8039ec14c38dbcf766736c1990a0b50a1faa83b2374d63e1daadd6b0a49829478940be397228d6eae8ae9b2ea3084ea3546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
77ac4a9cfc6a2a4acbc7c8af33474ed9

SHA1
e59d651474db4ae61149dfc94f34d8751623214b

SHA256
9f9451590fdce86b02279b337a0ccdd910d0fd7aa6788d76f3579f92fcee9121

SHA512
3d000a647bc427c350f64c882b85ff68d44dcecd33d18173ca2cd713d02545f05ffa34eeb744d4a28a13aa0d6015b0a9a0d28efd3473e1898c4f7bfc4dd8bb67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
34b26d6e7d717513a7cae41566c3349f

SHA1
b684cddbaf7596b98359f2744f6c6b5d3b95825d

SHA256
252e7762228807005e34eb5b382322955d38b7d3e1cdb1f6069635ce0b9da47a

SHA512
df2a17d2329e342e549f65ff3d76208bc12034377db59d748b704db86e14497bce1cf78595d7a19c9f76d9e737751708ecc9629e74d70d21c4c47ea1cc890d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
e3f8c2af63a8d3668f5b2bb7f7757dc5

SHA1
25408bb7f3cf10a5b534c9486ef3beef7062a507

SHA256
a3ff5ee5b01744e3edf3979b3a587ebb9315021803f77d301715e1bd3ab2839d

SHA512
f391555417fba37037820521b53e6dab19a5604d76b1a1068e2d307320388ae6078457d395b690864bed35378f070e19a5c0de3ca43b2c9aae05443e0e808cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
2cf8b43db34a8fd8b85269ae3a8cb3a0

SHA1
44c200c78e27a3deb2621e6ae160eeaf68282190

SHA256
b153e9c7889be2278080edb32de8697d73ca3a1e86f447fad7e49c294f669d04

SHA512
31bb885ddce71313d84087607240abb7e27210f969a8a1b17ad68a44edd20e5a5f56f85a46937267dcb99d01352a66cf7e3d486ea12190faad93325ca2b0d82b

Download Submit
C:\Users\Admin\AppData\Roaming\25c24be3c43e60d1.bin

Filesize
12KB

MD5
7a24e3fb72b0ae21d31efced4733c843

SHA1
5dc564a8c76e793404125b4646b9735df10d442d

SHA256
c85786ad59f9a6b3dc8d188356e04125c6ccf4c31eeca18d2c3c35bc1e1a2612

SHA512
eb8fef92227d7a58848e6965c529e9a8cd80aed34efef2e1c3c875fd2a615a9f35ed9211afe7d0559a28cddb1ad6bbdef587cd33cc041d90fa4b6ba6a3a6f2c3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
9e97984c761128cb14d62eb64810aeed

SHA1
62e0507a4f65ebfcb475aed0568e2103384c84fc

SHA256
44e88180292d6511bacd8e222132cd89a2eb79214925bbc6cff4a65f09b5ec1b

SHA512
7eada3865c3d22d9aa810c200ff492acdcfa01caaa04d0e45e0f0a518049563b4e5352648e0ce8d39a439561015313b6c39cdd288d64ad855ddbd16ae0d21481

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
af569b33f7c1d64fc1e2cf847acdada9

SHA1
df5d0b422f15abacc6e6256f4af97eafee49e67e

SHA256
aabe2650ec7c5dfad8808c3c9bbab77b5d48cc88f7a2750497aec8464bc6bd55

SHA512
852b95718d6e39ed51912ea26da2d718c1254d31a4742fa5d336343e276c1d1029bf6c2f8ae033a5d9408f42603c97d020042eaf194f6760b118269f04953689

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
8af7b3765f1617a3c1aefc17816b2f30

SHA1
e68aa9a7d77a4f0bc894749955929ba7b1b7df91

SHA256
d8b3c95ab788b03abf1f156d786c843b522ba3afb5c5af53c4e2f579447cfcf0

SHA512
1d1a3e8a025e0d63f12089972bcbb4a9d74d80c620e442c236fdd531df7c2391ba3108232779e6e4ef291fd7af49e5232813e4120d5e622fc0d8147ed02c1728

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
28a116817cf323afc8caf502b8ff0932

SHA1
412cdb78c4da68d4f716b1c23fe43f8c1159c888

SHA256
6f235d5dce3411f2260e63b2a5d3e96fa5e92572f2cbb581654deb2e6a3bd47e

SHA512
c6544a773871dfe0e7f31dff9d67d180d780509a4cdbba0ed31fb8349d3aceeed8ddf550ef9b0cfdcf31ae1e388d2cfc02d61919acd409cec5fb21cbefeb7673

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
72eb1d4bc876eac2713c0e83d23a4491

SHA1
8abc65372701df7c695ed66a3fc50b09cf6d5bdd

SHA256
8a5ab01a8020bf4baefc77ef4c52a9e3559de220574e4616a927d0b0c5d47e71

SHA512
a22679b59df38f1213800a44fecfaaa487073f8920f483cf4de39b5984b0e17e0213db10a62e29dba5aa3ce4411c6b88eca353e6bdb74209c8c513a059019d9d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
875e2202f3c2a3d9e4dc1f0494cea243

SHA1
e2b5574802173671761cf8766c4275af19572f5c

SHA256
e30ccf9079099d4e55784dc6fd8481f59c6e207e6fb9b0dd8ddd3d9c0a8918ab

SHA512
55de23699b1978c95f7f6c3ce9d36f44fd07c3670df976fa40f1a9c42655d3ebacadde90f207cf7dd6e7d3999299f5a41acb2c8c217f0441c19d7493d84d4ccd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
b907c53a931fb041f37f3869e8349a75

SHA1
3bc33da69945e4b5ee9a1319049c642cd7ed0a7a

SHA256
cced11b63faa078f22673e07d2f5919db90307d7a286c3649919318134e98ece

SHA512
a2ac827fbdf5830573248b40ae3ac02b22e08b3b85539cb615b02bc23f17074cc39a6185bad9acc25c6186793d3beff88e8102a404ca95b0a58e73b003056956

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f3f75515415fbcdb21001b640b11f461

SHA1
126053a805c45dc8048ff737c4acfd55197c979f

SHA256
633e4fbbe6180f73c7e166271f05aa68f49b42fea34473b9268b77278bdca6e6

SHA512
7f823acfa92eb381486e7befec504e115804214b513cb98a68a4ce24cb3f1e39eb3925a4b4a88be32c980528260eb09cbe76d9913bd332bfc8332c24ef9f2d4d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
461eb617c7756f9693bc658dcac905ff

SHA1
1d229119811b0b7047562723c494b49b0b2bb7ec

SHA256
a08ae5578ea198d1b65ffc2be769fb35db3de0a0469ee30661b56d5678513850

SHA512
99b7258d53fb6cd5a240d7a636cab5318d1d3b6e435c7d615c6791c97249f8adc8538977c4270c769d444380ee2a79b37489d01abb8039f0c67114c6ed4157a3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
724699b69b4e6f8e78d42a8d95b06ffb

SHA1
5e95b727417afdd7b96be5eb4d3990a2ca2e777b

SHA256
3fadbad7f8b47dbea87ce3ace4f94a882372382c49702b14f93539b426e3a672

SHA512
35b352c4a54d82a3007afe615de1f7a1bd912b855aae95cf4586ab274099c6591db5ec0594dbe8e2dae009ff0e6eb976a9ec04d4779fea3399032f6949e595ef

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
096be5985c8d4817ebd652db4e53236f

SHA1
a97573d01ed29c46d3b8374074dbef1fd131bb9b

SHA256
050eaf55b9047e01a2ac06b704d5ac631b321ddc8b2cdb19f9a79894abbc2800

SHA512
802d4f49be3493257be4ae6c8171a7669739a9dd10f1242adc0f7afe46ede50696152c5aea6be9b7c69935cfd0e8a5406bb59240a9d8af17d35da399710166c3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e75a3f79d93211e8cf71254cfa2e8952

SHA1
8d0d76d780c0219f6fffef647163bf36b146cc07

SHA256
db407e401a941aa607301576b82ef090db86b49e8fac548cf6fd8233f353877d

SHA512
bf4459026239784436e8df0395e12ceb30eee3531809a84899b21b5b3960598593a29f5bb154598c38e3bc99a5723f06333943e9baff5b44586ae01391b9c468

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
3621e56267bc298080dede1345b56a9d

SHA1
57879d24504ed026a255d9c692d8bad7cae51d55

SHA256
54af5508563e73c263e53036daa9802db9cfab1ad11fdb047a1b700801d39dd2

SHA512
fe68f9dda6feaa3c6f3183ce56b1e3f20d74b88488f94eb62d8fc88f4987b21502313853f4730cd237a08a6bf6b30cfb8e66f21e6807a38bcb49a868862471b2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
4e4b8e79faf34254656ed4518da279fb

SHA1
230ddaa3cd08ec2b8a060a572a7405464745b351

SHA256
d8d0f35c3cccf4883715249bd2bb6d33e5d0214ccc4fd969384de9bc519ed8e9

SHA512
e3b6e3ddfca1fafeb95e7430272c9b1a1ae49959d663c70c81c2f65af0c67dd07cee56b8a922457926df47fa21e7b327912a5f212725653da15529c597bd27b9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
576f30ba09cd3d74c5d768ca0ad167b8

SHA1
7f964b25d4a3c87aaef7945c4222243ef74a70db

SHA256
0fd34c2736e489c1809f790eb97feda111b96e5c80a8a147e799e3a80c27d832

SHA512
0a1220dff6fccd5f72c749214242186ff18c5d5cf355c38055882e578f382dcb4e47a468e9c2b295423496064dd173a2031b9e6f8b8405719e7810ca5efd1bc6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ea3213e264cab65a80974b2612000afe

SHA1
265dbdf5c477c591cc79363382b6efff13cd692e

SHA256
434defdf76238282d5af50313db3dee2e923dd64fe3b9e5656d3056f09f0be70

SHA512
d8d077eff473e7f870306b4859fb33268949e52e98b06fe7a9027a357a0bcc80191e5261716a995a15e5fae127a2d23777625ab5e9f69f032a7ffa46e0e431d9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
1cfebbc24599670aa4f439b681a48d36

SHA1
127ad6e1e6ed89926227080583605ca9d6986a09

SHA256
857dd7626f6ba78c92a89fa02c4cb26d9c4b1aa8c70048a7b811fd1b0d804aac

SHA512
74b58a385d8833e49ff41564f79c88b7758691c12ec6a1cf869779480aa12104c5c2e912ca8133433979aa385d9c26a8e9fb6044ab6616aa627f75aec4d622c4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
98ae948ccb6f619e9f333a4626b32e51

SHA1
3044ed97caf459ff48e35c5fd4668b2e93ec3919

SHA256
9ba57f7e9fccd7a295e2a4b2c8bf4cc5eaa0726ad4c2f567e8db2393bdb1c4ce

SHA512
df82af78011c9d3fba5b44c14c2345992d25d0ac74f14a458994611ae2ccb66fe34854d46091770ad0f7b92699b0e2fda28f050fb4df968954b4755463350e82

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
fe544d4eeb8ee141ec5eac7e627548b0

SHA1
95a1ff175753393316da7a3bbf40acfb9f1803e8

SHA256
b33681d42883c15838f67f4bfdd2956a60de42459a8018d8491fad00c9ee4e79

SHA512
e5fb4a29c56cb9bdd45d6db608d3051ed0d04f787971b9805e5806cacb96751085e6fcd165b9790173a7fc89901cabc3d21c104236d02ad6917c6997173be331

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a5fefffec83a4bbaeeec9a1d25c43f13

SHA1
85637e3787c97b7750bcfefa5862efcd1a8c6c12

SHA256
aa6abd2bc813ce883e96d797e524697756e38fdf17518bd8c901793e2c94cb9c

SHA512
a06b67b9f78224f32384f1323e2b06672aafaef710927135ed6ddec846012842148f028e3a6455485f26e86c43140ec751764fd1ce2f2b1822c66d1c6097c5be

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
6d3baceb96787bdb8da109b12f94ec56

SHA1
b295869321da2faf7920b07d7f4463f26ffe1a95

SHA256
e6eec5429c892381eb84a438c080841624dbc46c8561dc84305651af95b1d50a

SHA512
35ab52e95ee1d70f25d59d12841407bff2ab245dbcb22bb48a1ac0bc8ca9c9524d3594053b18074c44119c24fdbc94695edf8aa3444ec4bba73a0722e6bc0682

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
1598fad79839f3721454d767fd85c32b

SHA1
da06a7df73723db9c1caf4f0daa537707360bd4a

SHA256
05ce760942ced541423ed5e91424f13b1e35ce2d03a4126cb2ef21bb90057b19

SHA512
da51f97c87caf16bc6d395dbd0c19a79cbe4481b93e8c969d1448cac26b50ae5ca84e0350a4c3198f781d41a2cc38f9ff5cf869e5ecbca395bc824eef138b24f

Download Submit
memory/372-303-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/372-205-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/372-196-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/660-269-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/660-176-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1096-101-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1096-12-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1096-13-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1096-25-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1224-100-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1224-103-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1224-110-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1224-113-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1224-116-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1756-284-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1756-190-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1756-181-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1836-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1836-93-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1836-175-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1836-87-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1964-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1964-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1964-8-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1964-30-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1964-38-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/2032-60-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2032-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2032-95-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2032-81-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2032-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2220-244-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2220-173-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2220-164-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2996-108-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2996-33-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2996-17-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2996-18-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3552-45-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3552-133-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3552-46-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3552-53-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3832-232-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3832-139-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3832-218-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3832-135-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4336-219-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4336-317-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4336-210-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4808-120-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4808-203-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4808-126-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4808-118-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/5192-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5192-246-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/5192-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5236-348-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5236-355-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5252-380-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/5252-373-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5444-360-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5444-368-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/5468-345-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5468-273-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5468-255-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5724-296-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5724-287-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5724-358-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5868-320-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/5868-311-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/5868-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5868-304-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6000-329-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/6000-321-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6136-333-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6136-342-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download