557848dd059a41630c00f5606db0b73dcca03d66929735f060a6dbbea2101912

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
Size

5.5MB
MD5

7ef2b294f16db9226daa23566178d396
SHA1

f8871369cc40e3e236fca12dfc5ab97b1595db26
SHA256

557848dd059a41630c00f5606db0b73dcca03d66929735f060a6dbbea2101912
SHA512

b566195a3bc05b3b16a96c084cb848fc425805f7658dc0941ceae63232a880b2edd245355c1a13cb49d4a3b23db2ee2d863c2e7131121281b7c28aeefad81163
SSDEEP

49152:WEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfy:sAI5pAdVJn9tbnR1VgBVmzqj2FAQL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3168	alg.exe
4108	elevation_service.exe
3652	elevation_service.exe
860	maintenanceservice.exe
4936	OSE.EXE
3036	chrmstp.exe
4284	chrmstp.exe
1452	chrmstp.exe
3064	chrmstp.exe
5524	DiagnosticsHub.StandardCollector.Service.exe
4148	fxssvc.exe
2460	msdtc.exe
5660	PerceptionSimulationService.exe
5608	perfhost.exe
5348	locator.exe
2716	SensorDataService.exe
5020	snmptrap.exe
1808	spectrum.exe
2848	ssh-agent.exe
1924	TieringEngineService.exe
5972	AgentService.exe
1240	vds.exe
5612	vssvc.exe
816	wbengine.exe
4048	WmiApSrv.exe
1348	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\db349f0a74f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{01C6D80E-08BA-4005-BBC7-FA9D9019DC00}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000daad6d928a93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007608cd928a93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7be61928a93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072484c928a93da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000563558928a93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133581361521710318"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000320e51928a93da01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2904	chrome.exe
2904	chrome.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
4224	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
5744	chrome.exe
5744	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4012	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeDebugPrivilege	3168	alg.exe
Token: SeDebugPrivilege	3168	alg.exe
Token: SeDebugPrivilege	3168	alg.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
1452	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 4224	4012	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe	88
PID 4012 wrote to memory of 4224	4012	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe	88
PID 4012 wrote to memory of 2904	4012	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe	89
PID 4012 wrote to memory of 2904	4012	2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe	89
PID 2904 wrote to memory of 4240	2904	chrome.exe	90
PID 2904 wrote to memory of 4240	2904	chrome.exe	90
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3428	2904	chrome.exe	93
PID 2904 wrote to memory of 3308	2904	chrome.exe	94
PID 2904 wrote to memory of 3308	2904	chrome.exe	94
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96
PID 2904 wrote to memory of 4556	2904	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Users\Admin\AppData\Local\Temp\2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-21_7ef2b294f16db9226daa23566178d396_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2e4,0x2f4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd01f6ab58,0x7ffd01f6ab68,0x7ffd01f6ab78
    3⤵
    PID:4240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=304 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:2
    3⤵
    PID:3428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:8
    3⤵
    PID:3308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:8
    3⤵
    PID:4556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1628 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:1
    3⤵
    PID:3496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:1
    3⤵
    PID:4816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3608 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:1
    3⤵
    PID:1540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4144 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:8
    3⤵
    PID:2432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:8
    3⤵
    PID:372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4260 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:8
    3⤵
    PID:4940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:8
    3⤵
    PID:556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:8
    3⤵
    PID:4148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:8
    3⤵
    PID:3528
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3036
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:4284
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:1452
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:3064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:8
    3⤵
    PID:4692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4200 --field-trial-handle=1912,i,444362932690262795,7780774876882793433,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5744

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3652

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:860

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4656

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4148

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2460

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5660

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5608

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5348

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2716

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1808

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5476

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1924

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:5972

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:5612

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:816

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:1348
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4804
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
eb0a1ae96c143808ec62e3f76e84b400

SHA1
aa64542141e559bb55135e38353da457f693f165

SHA256
e6862a03d8a67e78077787e685ef464feb79c816aa7f02b0077b83abb3960836

SHA512
d780f80618fa642cca7a63af4b35f65bed41cea93750f4456438287a3a86fc0030b28734cb1a9fd0cab2e29a7e238b9e5bdfdd7d3388b7d06fb0ca52bf626285

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
622ded6340369c67951f19d5e946f4ae

SHA1
42bf42ea3d0e6a4900eedafb6e6d5629a399ddc6

SHA256
c3d48a94232b3eff77e9003378410b66fd8e473e424c92a26feccab73c7b9311

SHA512
8c5288ada7874f8cc423beb62a180cb4a324cecf91a5732c8ddf0bc14ca87f2d20b38f6e4fe479a03a43daf304e27714ccc5897183da996ca245bd1ab319e7e7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b02ded9d10f93eca695702a4242bd2cf

SHA1
8a5e6102d89a689090ff5d67b7245c2fbbd96a7f

SHA256
8edf84c84c06433a5f94b3f0d7eaea1fce72254b9c6c80c794596a2abad04006

SHA512
3b1113e7c7be73c182f0099f1e2c661e66ce4cf2d7601aff4da7ce3dbb7db819c62872039c7500e887c7f93c453f522ef576bc81c7deb51334738cf3b73c4732

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b382fb05674d584a1ef5cc988ee878df

SHA1
696dfdd90ceef7bbf388e9aeb06fde0e725cee78

SHA256
d1385294eb9010331440860597f66c4177e80f0bc8bc1a3db1652cb47221d033

SHA512
0117177850a74b4627f8f25b5ff6bed1a6402f791594b28ad6b9bb4cd3ffa16f088837c9905dbc6410b78ef2f5e30dd656cbf8b2591937226f6b75943fcd2383

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
980e6c553024b29bfec898b38adcdec6

SHA1
ffabe3f2874594e3693dd61d50a399f121eea82d

SHA256
84acd5a31190b9d0d8bbf3603f097210d52db3752e4cf50368cf5f89fc74d2d8

SHA512
617a76057b3dfdf4587643601cf6479148f8c8948d888941730756ca2c9c766c23adb0fc6cf780a2ff30b8f69ae1aa8befb47cd00a6aca73689def3b76a03194

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c19c5a665c915dae8d939eb31277666f

SHA1
f4d07a0a2904dcf59b5f71b59e381e69bc9b1039

SHA256
1ddf9ee4a31d94537cd3074fedbc5e63eda6e55806732a94f7a70577c31515a0

SHA512
2c73c17225cc2f187543becbbfc565f16d50004d264f961824d183e829ae1fc336602fb08ed3972271ca0572f323efee21eeb2d6669fec9224b07da35d4feacc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
aeef0b9082aa9f112a6815bef4a0a2f5

SHA1
85ac8f934bd713fc4400aa94936ab14a4b8d18ae

SHA256
349451d8d6f690f70e018c1ffb386fae92f174614b4fdebc35c3ee6165570ce5

SHA512
8d6c8b8fdeeabb8b076017595df39bf107f5a2871aa52246357510fccae285e029af26054281ff279ebaed0138b1d14f4922f4745969fe330ed7c7cc8b46bc8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
119fba0d6f8108ee1d8ce886ff3d2776

SHA1
35c441dce6281c416833d563bcac1506e8d56257

SHA256
d9e1d7dec8a82a3e660947c08ac9cb73b2a268486ab20b996d989d74d3a7995c

SHA512
f07666e05be6faf290a3edd6928613f5f702eea69c443ea467f993532dec192296fcf7098ceeb350a9c4f912e78a0d3188aeacb16f3285d93a4999d06156a5fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9013cd705b8febe2cbbdae76828a4092

SHA1
9dcee74ef686ef622052fd8713eb7b3d190fdeac

SHA256
0330677b2a5d9d3bff7c8faa546febf7bdb2fc3926417806f8e62e36570e2d66

SHA512
9d7c16f7cc30bd633ea021071ae4104aa79c157806e33c519f002c1d78a3b950c8102162c6a8dc1a68924001e3f6361eb5d998267c24412060649f639e55840a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
71ca64cbc866f311d9d53c95a82b5fb6

SHA1
38f598974dabd21daec9322628c736dfdb24e78a

SHA256
9877efbe23e66cb356045e35f8fc852383a7f99cd649579e85ff495d8be54701

SHA512
dd32aa990485c8289156e293657b20e0e1de1c467638f6a2356704b562ab09c64c16b644b609fc8ae479d22655a2868fe5f54278f60ab2534f717caa34ea6aab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1c0d53f558b9d9f63f23d5842e0db209

SHA1
6996e8559199232aa245f041d2de69d4d55f32e9

SHA256
b754b4212fb13ebdaf1c71f235a3bcf65f7fd0fe8b1f7ce639aaddb3bc447412

SHA512
162aaf2806a0a95bb1b34f2eea849631561668bb6e2a9eff006c827d65f43760d2fd4f2d0031222005966f009eb28ead1e64161aa535a1391515a6689b79beef

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6e00908e3588c4c495f6e65e41af9397

SHA1
df5f251b7ae0a28d95671917746489dd3658597c

SHA256
5305728d7965d4adb4c3ed268aaad28731f5d95ad1ecafd48c5a9487298a3985

SHA512
fe76b915122d604fa736f8418ee66063661893c4c42a65ff13f6d59491a4ae33e5f4316f0efd7dbd5905aa7f5ad7247056b6ea754101fb650ad3ba307e163241

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4577e4668e1523eec3cf7520ba824a56

SHA1
682d2ae3b91d21960e9e7e0c987d289ae644db51

SHA256
4e09eeca85fdf976334dd6dbcba4356e5e19e0b7e15f022edb59254ceaff0936

SHA512
b5e469ede193eda6986e1c8f11de1325c0ea83608d75b6742da9ba6264d6f18b563ca371762ceb1fe43ef31fd57eb3c51817d0f2a3dc74cc7a38053e16832f4f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
421b3d2da4f224f1a962dc1533dc1ab9

SHA1
a4bd65e9a5d723f9c5e165cb118b9c00319849aa

SHA256
31e494a259bc0a513f80e4bf594cffe2c4aaac5a8bffeb658b41befa98a75325

SHA512
77d71293923c38bade292ca001b542970872f119439f975ef02add016c1c6fe5ed7714090197e953c07fe0444bf3f3a1dab9429f3d516a223116d08521cb89cc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
78be9aa92792cea29b694793eb9619ba

SHA1
2efdbeb829009c4afddee77066178c9efb67674e

SHA256
9e1322b45700ec97042dde0f973d0b837a45552b12eae6109bd1b7ca4ed5ca3d

SHA512
39f6b3b2afb840fc48645841011e310d6c0872e33c688dd004f8e0324b132a9fa7a96222350da0bfab512f322cd1ecb07a10cc08320209bba12e4333843ea87b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1d1b75a1d16d12d8e6459225885e4060

SHA1
22996e1b4ef35a6e3697b3b4e65e27ff40e583d1

SHA256
58b849776cff5cb2089e2fc3f183ff2b2499bdc1b6e04a4643f737858a538202

SHA512
1ea8d7f1e40d87f2e2d357dcf39b4d6e8f4c2f3f49c79cabb98ac3875b005f1b7c4aac51bfd9a4bda9a4992b79d6a45ae41eadadef83be17d032e7945b3773ed

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2a20d52fb8f5ec90d5085256644fe528

SHA1
353351d3ec0cbbf1580aaed99a8a2d187b8dbfe9

SHA256
89bf5988c066b41d7b4e246993cec032f3aa6ffa5869392408143ae55e7467bd

SHA512
632287d2d1b02a2a9d620ff9553b4c833b07c4e2ea3e423286d18f92939c46379293a1412f093b0cbb2f3a2ab7f2f30b7961233695b2e88d191a45f345d3ff19

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\84d732fc-bce4-4727-aff0-71b0066de7db.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
e977c4b7d938cb555f7f53409bb991c7

SHA1
4f97307a4146300ea25081aeba471db06c268b58

SHA256
f8769374b93b17b22bfc257aad16809bac98762e529e4c848a6b3991113ece59

SHA512
5445a1f4c08c9fcac903d5ad81a8e952dd72404b38f5752d56de899844bf92fff0e8f394741a02f43a6a638a4f0a5c85f124ffd4e2a90e97b4b35d17b2abfce3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
58bb95b4094ea52340b0fa368840c9a5

SHA1
03e801a2f4735f3f47b6822d4660e55210e56567

SHA256
65d15a1557409d3cb361251a31e7a620874bd504e12187d1260d9b80fbf6b235

SHA512
6931e70506a094e390cbcb45ae3bbca25ea54ab1937d6b5b3443890c5f436f5ee04dd587605ff1d7055f4f810d3ac690e1a42b39020e242389dddbce5f7b3deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
de756446984ed37fbefd7579d67de834

SHA1
c30d8c0d64386a6d5d50f5c2f1ae780249134b19

SHA256
dab5004ebdab11479d1ccf1791064213679a6b201ddb852e73acc2ddc6862bd3

SHA512
dec78995cadc2ad3ca2a1d38744d72c35b58683a2e0a5d88167bc41ad7c0170e5824da54d759c1e38229db1d95a1e66ae4f525ea07716d46897808ea5eb77058

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
42ea751856ae7583866d580b8d431da2

SHA1
a1d5dbb1cc760ff67d0dafa65b9cc39bc5187191

SHA256
226ae790851205644c1e7058b99330fdbc8ef5b18e44c037cbb6ec477155a1bc

SHA512
295c30477c910aafdbf509868ded71b74f619c65356415dd94ccde706650091232383f5d9a258f4dbd0e9421e232133552498607fbadb61bde947d63c46df716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f635d19d50b75fb18c4ff6f1a03869a8

SHA1
7839655ea9e2dd65a6d102bab07f4514fff89b8f

SHA256
3285d9d3b0d9564e5095e159574ee6683c759ac7f7fd3b1cb595be50d9b02cd0

SHA512
19ba55fd2924b29c54388578659e53c931cc70855cbedbfeb836ff33da96c2b9332352af230d13096af21e0107d14c942e2b6c79369fa6837d03f0eb6c1c27c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57978d.TMP

Filesize
2KB

MD5
8df20ad2489acd1e7f8a24fbc9a8362f

SHA1
b37b2bc2ee82f0b39ad3a80f6b15ad382bfe6c59

SHA256
6ddca1715870af630f7f8e66256978606fe92341934e897f0db7e5182bb39389

SHA512
8253fb905874f333413b730cbe021576a9ed2dabcdcc9c99400a8ee22792135052b60718defdf45190e05f3b4a70a95bab0a328a2c6d1ba9a095eee0ab4dc112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
13ee8c62723ef22db16ee8e81a6ee722

SHA1
c5605d6438fff7684c527a37435ac2a06650046e

SHA256
2239731231c02662770c647f665e32fadb9fafcfcf69c6e9d876ba70b2c3566f

SHA512
8be49b7e017a8f5680ac59b3071d612a5dcf56be94912f1e4c06fe9c845c59dd35d46271f0182ca8343c80170f19877b79cf9d11ba3dd1705cdad5bf2395c401

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
66a81310c9bea463cb5dc8c206775d84

SHA1
dab1bcd53489ed16d7df13fefd0ea29261194664

SHA256
7459ad73471a73625e9c996bc5c8de80b105872f01cadc2a8b229ab0389e55f3

SHA512
e2acd7d3a3b33c827471adc4d94bcc16f5d183c7c9d80f9ad9780e58063468afdda91e92268e11cead3e2ebdf00fe44022fe311041e302f49dd47bab604e8809

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
b5d475e85c5ec3b25079ac4b7e654ec5

SHA1
daf2fcc8803723f043ff81932d5c320d2b3be376

SHA256
f1c7a55ec864f2eb66103188aec5a8594cb9473292616ecdca560ca1ab24849e

SHA512
d949d3139bbcd690ebcf7d118fffeeadf72598cc67479d3ca9e0a0cdefee534934974037cbf8d63059760418d558990d580956ef0647b169ea74bb2cc46bb562

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
b72bd33c756f3f65e47fa4095916a7ac

SHA1
053bd1aa284d7701c8811325778d9dee9b074aa9

SHA256
139c5026c19f6e24e91a44b13dfc5a12e1380125029e8428d24b74515051ff55

SHA512
10c311b52dc96dee418179188045e3e972aa20d44cad4c8e990a4beb0c19e14c251d0c16c8411bd3bd87bec701ad04fea0e129781761c11c5cc878c1009f02f0

Download Submit
C:\Users\Admin\AppData\Roaming\db349f0a74f8f84a.bin

Filesize
12KB

MD5
5261008446ea8a4793b50f9e40010bbe

SHA1
bd7aae5a5e5d5d32e9eecdebb64136dcbbb1de4d

SHA256
726434d42c7f5ec517cd1718d2dbbce866adc340d926047d5c61c2dca4830f10

SHA512
6e087087c1827a975e0fc47c6235f1fe0ef88d810e918cf05e11737c1b16a387268e71f891aca14409925f78a07a30b9814a27a4865a8b277a95a2257051fa5b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
917032cad801bbe8d1dc5cb83b077a63

SHA1
7da09bfdf15ec952d4b6c48936920ccd1eff60ed

SHA256
5b9f759aec79ffb5897868570b89468f51aa8198ebd7e841cae7c57c185feee9

SHA512
8205d8301fd6b9765dc408c515617ffd9f3461f424c9c71d210fb80047ddd9555ed72b245fdbb82145f031e618d780b0f068850f98bccbe6c795a3e34308be66

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2f3a76cb5060ee3f1a157c6981ae7809

SHA1
93017a1c24c0d8186c6e0996caa555519af64814

SHA256
1827bccdc599b06157c8a394cc4011a1f9e160348520c012d63a85a097677a18

SHA512
12f5717b67200e6b3a10f355a79fb928412afe96b906c244073d07e7dad7b23884718622e8934ac1b1aa7e7d1b3713eb8cf01248b39a990eefbd8b938515c23e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.8MB

MD5
6abbb5b63a618da7d760b46317e62c7e

SHA1
eaac5fa94f34d53cdf70fe64cf1f64971ce24555

SHA256
3a3ee7dff26e9051cfe7790a4d772d35ab760cfc2a44b0e8548cbc595552f0b4

SHA512
6b6d7f6ad33123e1a7571f7c05237b4d94844cc23325292cbe31211e049f77597fead33dbf67b922ee003e5571bcdcb1d6a052026425ec3f6ed91e5daccd542e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
36a69541472e89b11c6a5bc7f76c6258

SHA1
2a80a13077e00ee6a8b3717e4a601a12866292de

SHA256
53aca369427a3a955882e3fd32241dfcd4fd975a55e31d950b451a542cbe16a2

SHA512
fef62dfdcc960a10148ce70d75bb6c37f4f64ce75159ac0a96653ef9a5c70124d3180afdbdac9557f1ce946305400d1b0ca6fb44074b126b3f584c4b2d8b822f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
05b960673687d11e17504ff00f079c34

SHA1
23b819cd9c3cb7b8fbf50ee67aa3ab504aa63af4

SHA256
d9a8b54ce1339d3eccf4df8821eac282985340190e21fe645fa988f0736c9ff4

SHA512
0271a458781f5561dfb62c9dffca4f3cd33d3ccabb3cbde0105a08f2136e95b5efe209671e477fd4a6c8e3493c3de612a1366cd1c790a2f684f44e51cf0962fe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9b3d420b11c817291b22044ccb7ee231

SHA1
d00c5ef05331d1817620bc0c4d3382b9f59e6d45

SHA256
2523c0809df32822a7ff422fd02e28dcfdc65234086d3d64172f10ebc4402145

SHA512
2037ddad1eb565de25bb5c2d0c5897c560fa659d8515a65415ea0a2e04036493246eff548bb62d260d087e72f972cc4035c9a51ad215ba9788d826f1bd804b1e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ed0b69a8950d2edb871915cb40ec0d1e

SHA1
68df259496a717c326ae7b0364165227dd637bf1

SHA256
41fa4f51498076b2605af9283998096155921034cd034eac0b159b1629cb9d56

SHA512
51c88188837d454dc7f488da8d7c23bfaeeb39f4f2c82b630dc98c29692e809e84ef09c244913d8188355046600a4706b0dd87d631daf005217f680fdd150603

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f6b6bc4a4ad069ee4f5c5b5108e442cc

SHA1
10e8d145307d5336b4fc0c64b6c3968700c68876

SHA256
dce42b3429252d42e5706fc56ee65e0ab895b167a5fdd233c77087792c581aca

SHA512
9cb9df86674b8b954bb541aa92d948c882c79d6029b052b33c1ab2312f01b49a019b255c1dc0a57a3368efc194dedd0e3dcaea4f93691fa384f93ec3e08c22c0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
18e51dfa9a48105024a547a19e34a1b1

SHA1
5f11f28f43181a22116ada6d868452435cce2cd3

SHA256
1fe69c68fecc51d09da92cd7982b290c0d2c4fda21cb581b2172e46b0586ecee

SHA512
42d414dbb0ff09cb77ab7e181610a2080841928cb44707e0a5800c8c6bbe283c0e2e2a84ab3cb7f96206da91b674279a4503c3bd23a94186a1401a0c5b79c898

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
79b99d24c705b178a524398a17e1c1b6

SHA1
e7c5b088e57e4bcc0efbe70b0e35f58c3d1465e0

SHA256
f51f76c04e0593144afb73fb74111b9c8bb5a8379e538a27378f4afd6cc97553

SHA512
2b6ca557d2eed1413fea4418a946bc128c8f4d7832c2748a6f60668ec92dd67a3b3043e7bdd64efee04cab8a52695e275b29f5d56be1839ba0f53b325154d9b4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
72010c69e737c12191be5f3ce626f096

SHA1
6584f21eda7b1ea41ba9b8b03d34e402f11e158b

SHA256
195a0a30850811848f1d9943d28cb031a534bf1e5fb7b79e5303a52450210374

SHA512
430c8046da1fe943f880fd22bb4bccd969779919d9c58f591541b78602721329c91c33d04a87f2f7d4edfdeb8fc166ba793c497949b2211e1692babcc75237bd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
404efc7bb3b5b0a72f1cde9acfd62c93

SHA1
afab7b2bf83dce7ab18914dd61ce03f990b88fc5

SHA256
8001d723ed360ab935d0e6b74b4c097a84032f948d96272a6a7367fd763f71c3

SHA512
430a0f7c190ba1ebcb31086ebf6ce0df29084b0ea6877cb0daa9345a026d60dc5c9ebb685b4c72bb25b53279e863b7a42096e8a7f776e316fd0dbe36c2d21f87

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7470270f0b9bba167e619539f87f8bd8

SHA1
8041a1f167fa797d1b850e6e8dad43104a922061

SHA256
a16a64b46ba233dcf1efebc4aeead25e16ab1e7c218f119ea58e8cdcb01f4b4c

SHA512
44d4056c5f597d78ba777adc6dc63f5968acdeea56e81d171a6fd81d2550180e26eec6ba1bca3da4858921ee857b91b9e1a5474e039c96143f7ed993c69f95a4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
0a07fff0c04b6999dc65860d341ad542

SHA1
22f6ab7a37ab978c1239f6ab2f1c02ab8dfcc0ee

SHA256
bfdffadb9cf1670308d2da2891342290399c070c24201f84c49a4b54290bb43a

SHA512
5e630f9b644a5ec08990373f2c3e01e26b5bd817c136156f5ffaac7ee388a467de1ec7cdae42d8ae8dc333a088a29bbc960453e19a43eaea755b3afdf1a2619c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5094bde6dbc7c7f1b5f4811ef6a004c6

SHA1
393d8aedf2e9a060e1aeaa35efe6e57ee2e4bfe7

SHA256
0959092dbc38e763bcefcaef01fdc26725e3371562194995d1d2ee99a120f8b7

SHA512
8d3bc546d63e2cf52d64895e8dcbb281e3403a622520c190b69b72a2e73e02e055e444e37526f0c3f98a4660ee0a663e59c09f9f10f19c3bc016229fe8792a8e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5df900f915c7c6247d6252126f28540d

SHA1
37a12d7a78e8503fdf3baa6796fc05d663e99908

SHA256
19f876860affd21d250655cdf3e4615d4d552ff6de91ea714ee1f526c76c0297

SHA512
aa1c04a4705809dd66e299527fb0264d851b5459e9f31977f532906c5e5d3baf84ed9ba0accf3983b6933834bab976db2681a812563c073c01ed89bed725a569

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
acafead9ed95f53ac6459e57e75ca68f

SHA1
98255837bc277abb2e82145bccaac4e277faf235

SHA256
090606dc759896807ac1aabcd4af871c2906bd18b3133af4f596863c8f46cecc

SHA512
d6222a3efbf223969b5a3d43a5255f36bec2b285728587f3a89ddabc0a7c2912bf9e632633d76f7ed849f7c22a528ba9d406d070058698587096e71c978eec8a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
db356b780ad3742f368915625aa8e94e

SHA1
7fd8d8434798e226b999220c6c4fdd4132868d31

SHA256
bd882c7e34ded16c1a48de3e3cee41b0819b5f0abb883eb2846bc5b1209fa3cf

SHA512
fc8c25fe1f2a1a1d6323330fa1a77174f9c3a82dae668e4bc8f37ae8e5c1e8a477e1060aaea98e2ca7d5891dc52ba5d5fd7f6a8a71bc73c210b94e17d39fc7bd

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
3b8d3a35700899dca51806a9163fd5ec

SHA1
4db812d733d8c02137d7a8deb9b824a4ab2739a0

SHA256
01a6c427ddc33ab90908295320318314e29ab1177ae2eded82911fb468c8cf69

SHA512
5967d3f4e5858e70239d44c767b51e35e938cec750eeda8c95c5eec6cf770419964e5c95a273fb7239ddea292feec74b66422fc03885e7eead77368579b10bec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
13137e8afcf1a078357ee85d82afb2ab

SHA1
9e570ce1ca12a62194b821613baf7854bbbabc79

SHA256
f0cc9029808aaa66e76442768d938e3fbc9cdbe93d67979c0add14c0083e038c

SHA512
1d8bfb874f677e3fcf74af2088f7df8ee7e0f5cc1c4f0d84a24c63dd4b03457533b206d3033f784eec7ccaa1f3e9b92c8ea44c7742278069408552b53d94dd2d

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5d503075268944042e25a6ea6b1282b3

SHA1
5a3aa168ab243fb5477f86dd3f398505b7b120df

SHA256
af452e381c1adc4cb5619c9d971cdc7331c582b7cb5e20025649082c470e4c7f

SHA512
0aa845939ad0ea07811e78f13384c5f4628d8e7de8db9b50cc9592172f6f25d05f524686d50de456cd9ae3c6a04aae20998ce8a63806bf9ad6dfcf93a74a47f9

Download Submit
memory/860-100-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/860-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/860-80-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/860-106-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/860-92-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1452-370-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1452-332-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1452-371-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1452-339-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1808-559-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1808-549-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1924-585-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1924-578-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2460-487-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2460-478-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2460-544-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2716-531-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2716-523-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2716-589-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2848-574-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2848-564-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3036-382-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3036-383-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3036-313-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3036-306-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3036-304-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3064-421-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3064-356-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3064-348-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3168-13-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3168-27-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3168-112-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3168-15-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3652-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3652-60-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3652-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3652-324-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4012-0-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4012-2-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4012-35-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4012-46-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4012-8-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4012-7-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4108-43-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4108-42-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4108-99-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4108-95-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4108-54-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4148-461-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4148-471-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4148-477-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4148-476-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4224-30-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/4224-116-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4224-14-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/4224-17-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4284-326-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4284-418-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4284-319-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4936-354-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4936-111-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4936-104-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4936-103-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5020-606-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/5020-537-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/5020-546-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5348-510-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5348-576-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5348-520-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5524-450-0x0000000140000000-0x00000001401D6000-memory.dmp

Filesize
1.8MB

Download
memory/5524-518-0x0000000140000000-0x00000001401D6000-memory.dmp

Filesize
1.8MB

Download
memory/5524-458-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5608-507-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5608-572-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5660-504-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/5660-496-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/5660-558-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/5972-603-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5972-591-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5972-599-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5972-604-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download