be8df84d9f11832440bbf7aeb68d7bca6620e2e058502692680aac6450dadf7e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
Size

3.2MB
MD5

88a0f86ca96a7b6abc8cec54a06abd39
SHA1

1d3c2471764a9a3390fb8a68567fa56ee343c891
SHA256

be8df84d9f11832440bbf7aeb68d7bca6620e2e058502692680aac6450dadf7e
SHA512

858484ff9927917864b3a4a2967b05c59842168e4bf6f615785becc42b2d133708fde4a00dd03ee584f3aa37f50376e96270b856b7b46463cf8affd311d48575
SSDEEP

49152:X5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqy3/snji6attJM:rNhSMYw8yvEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
944	alg.exe
1984	DiagnosticsHub.StandardCollector.Service.exe
2060	elevation_service.exe
3696	elevation_service.exe
2156	maintenanceservice.exe
3636	OSE.EXE
5372	chrmstp.exe
5800	chrmstp.exe
6012	chrmstp.exe
6112	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f4098e29102ae222.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79750\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e8760fddf93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095aac4fddf93da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001be03bfedf93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f283bdfddf93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003882fbfddf93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f746cfddf93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133581729139554825"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003bc985fedf93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
1984	DiagnosticsHub.StandardCollector.Service.exe
1984	DiagnosticsHub.StandardCollector.Service.exe
1984	DiagnosticsHub.StandardCollector.Service.exe
1984	DiagnosticsHub.StandardCollector.Service.exe
1984	DiagnosticsHub.StandardCollector.Service.exe
1984	DiagnosticsHub.StandardCollector.Service.exe
1984	DiagnosticsHub.StandardCollector.Service.exe
6820	chrome.exe
6820	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4984	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeAuditPrivilege	4428	fxssvc.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeRestorePrivilege	3560	TieringEngineService.exe
Token: SeManageVolumePrivilege	3560	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5168	AgentService.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeBackupPrivilege	5476	vssvc.exe
Token: SeRestorePrivilege	5476	vssvc.exe
Token: SeAuditPrivilege	5476	vssvc.exe
Token: SeBackupPrivilege	5644	wbengine.exe
Token: SeRestorePrivilege	5644	wbengine.exe
Token: SeSecurityPrivilege	5644	wbengine.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: 33	5880	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5880	SearchIndexer.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5880	SearchIndexer.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
6012	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 1220	4984	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe	87
PID 4984 wrote to memory of 1220	4984	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe	87
PID 4984 wrote to memory of 2008	4984	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe	89
PID 4984 wrote to memory of 2008	4984	2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe	89
PID 2008 wrote to memory of 3296	2008	chrome.exe	90
PID 2008 wrote to memory of 3296	2008	chrome.exe	90
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 64	2008	chrome.exe	94
PID 2008 wrote to memory of 1632	2008	chrome.exe	95
PID 2008 wrote to memory of 1632	2008	chrome.exe	95
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96
PID 2008 wrote to memory of 3920	2008	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-21_88a0f86ca96a7b6abc8cec54a06abd39_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x2c8,0x2cc,0x2d8,0x2d4,0x2dc,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5a9eab58,0x7ffb5a9eab68,0x7ffb5a9eab78
    3⤵
    PID:3296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1824,i,6131222675616795342,7852863980510859133,131072 /prefetch:2
    3⤵
    PID:64
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1824,i,6131222675616795342,7852863980510859133,131072 /prefetch:8
    3⤵
    PID:1632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1824,i,6131222675616795342,7852863980510859133,131072 /prefetch:8
    3⤵
    PID:3920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1824,i,6131222675616795342,7852863980510859133,131072 /prefetch:1
    3⤵
    PID:1836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1824,i,6131222675616795342,7852863980510859133,131072 /prefetch:1
    3⤵
    PID:2572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3600 --field-trial-handle=1824,i,6131222675616795342,7852863980510859133,131072 /prefetch:1
    3⤵
    PID:1660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4208 --field-trial-handle=1824,i,6131222675616795342,7852863980510859133,131072 /prefetch:8
    3⤵
    PID:4104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4016 --field-trial-handle=1824,i,6131222675616795342,7852863980510859133,131072 /prefetch:8
    3⤵
    PID:1140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1824,i,6131222675616795342,7852863980510859133,131072 /prefetch:8
    3⤵
    PID:5160
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5372
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5800
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6012
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1824,i,6131222675616795342,7852863980510859133,131072 /prefetch:8
    3⤵
    PID:1696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=1824,i,6131222675616795342,7852863980510859133,131072 /prefetch:8
    3⤵
    PID:5100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1824,i,6131222675616795342,7852863980510859133,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:944

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3696

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2156

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2908

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4996

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
PID:2360

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:4160

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:4992

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Checks SCSI registry key(s)
PID:1220

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:4484

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Checks SCSI registry key(s)
PID:1748

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1564

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:5308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5476

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5748

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5880
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5316
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
83c18eea15494a14b89c013775a0c0ca

SHA1
a8a13b64f3ee2132d61598617f3bc06df317da23

SHA256
2269adf256fac3a5bd8e5760279bb9e1da2f161f18a544e5bd9839e45040ba65

SHA512
a6f823b845bb02cb6fbd5a7b632e8f608608d0e01ac170830cdfdf7247b108e9c3b0ff554c25a845852a3097b656ca76198465f38e26cebab2fd760debc36253

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
5e6d0fbb9cf8b09253b23b5b93e26996

SHA1
54935cdb38ed7e1ce82cacb914443f1c641f9506

SHA256
d1a7cbb8176522765587ba69dcb770d79a05cb3d2afceb117639c4541afdd3c7

SHA512
0c9144fa7b00117d7ea2428680530896b430df669ae585d248c759a6a4f1f52bbc4c159c2818c10e7bb54d0fb9443d6278d615c54c721ca1495faf9cfd0ca54c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
758e21053f087baabb5024002b328f54

SHA1
e97ecaeb01f0cb7fb1ac3b301b075fb9261e66bf

SHA256
1a7aff08eb970d2814fbc05f70ae167f5b283857933b49186336b003ab908c8d

SHA512
172f3b2f62e91e225b147894fab0ab7376ff671fbdf47024b15c03dd95dc17a079fa75e55a18a950420347bb7ab2d3086cc80c8eef7f239e4bd8369ee14dd76f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fb5935261f33ff93b6190bebef08ea1d

SHA1
1957137b026b4abda5a188e714d15dcadfb9dda5

SHA256
69e3078a9f905fb46d5f18d396acaaf6d50603f3a1cd2b1a9bd7741a52c4ad29

SHA512
f2bcd02c3df7d8610cf2e9968938c23de7c9bfdee27fb686795b98558208fdf240f8101877a19909a4b699b1bde27a14c12e05573a180605e08ec83533757a6e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
73dd1293a613ab7516898bc7b53ce19d

SHA1
2387c3b4076905a38a6785768a5b70da75c0fa5b

SHA256
5006d2122947084bd55a53bea484a23b8ff96f2a78668fa105c9fee54460b516

SHA512
5d1efa6add485f87d88fd0218553ec8ff977752bc092c696173b4e4db2d36ffb96c73192d5ff4c031e4c641907c01303c00fea51279de29983bf99092bedaf44

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
811b84818d35e050a2ecdc71a9b4e0da

SHA1
bd51c9d0d97a0654a86dbdef6c49e2a706164329

SHA256
b6adf59aaf511d8bf3d85ee42236098e8b5477e2edec9348356f0d66007331ca

SHA512
6db7264ce6258e62801aaae2a4ea75dba78e0de36aa856092bfedbac6440fbb0878fd3560377c5a736101b7bb04c0449844ab6514f403ad1400f0a0e4659a0ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4731686d96f584913127578be208e327

SHA1
fb34abe57727d756d90d12bf2a69503017109ce4

SHA256
afd659473a6c10a57e232fd99b9a7a3912f959a8bf02c15eb77d5cccdc1a27c1

SHA512
c76656365ec1c5800ededb907238ac1b95af8d35e686033624d887ad5a9ed65a2c886f5530dad4fded4e834b5904ed1af8c06206a880634bff8c9aaf91b632f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c8d52721b76919b54a108cf66eb00833

SHA1
1bc2b22633a44b2a237420e9d3be8c72cfc69a34

SHA256
1c0bd1b0c722c380b078ad635bbd399cae6f391758d6c8ba6f38117399c09b05

SHA512
eda2dbf25e9494a5ecf19edc17be1783c64ebb6394059be0ad20da1adf9442d93eed44f4a0c7097050af0c4a44d0bda72cd24b1d944d67040d367dcf425e9ced

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
548afe93354995b990a453fd1ea6411d

SHA1
dc90c2d34086e0c0fafcb7cf72b77e8978b1f5a7

SHA256
9dcd6805c56e98d5d12040bf9e525e575b83967976c94ee94c348ef6200d6946

SHA512
d081058a1b2fa4286458f9d026788e92371681ac550687b4307c874e7cf3a26cc20f089453af2e5c0bb92695504d2665732a233b6fb056097b00d4665821fd49

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bc7b721fc5b528873c685cbc7ad0938b

SHA1
bea1fb3e7bf05423c8bbdb51d47bfc9d40f50459

SHA256
4a7d708294dc730e4b0c76f040f002770b98d2d7a1a180246a0897b06f353f61

SHA512
d791de7cfd20e94826499493574b08d3db4241760f7853c1a411d84ba01a1765b3ece5f48e993dbbdb4f447d29913266876f113eaf9d5e099a93942a347effc9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0ab372ecdfb112fdd2df30a30c9d2191

SHA1
11b1bce18faedc4a6e47164f1f2cb977b8791df5

SHA256
91c8154d1881221451044c5b550a11021948da9f8ea5b4b72cab43677705fec9

SHA512
fbb2436c2a75022addea3bbf4fbcbadd86a1fef39b2198347a7d5b0eb7519b190765b5ff91149979698064153afb4bc83ae7a951d10b18da92739ad7519f81e6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
900437e302755588b0b0c7b29779edff

SHA1
c433fe1da79a80f46711af4b823931585696b957

SHA256
a3ffeadadee494483ed9b0cb417b931048da5097427917c9c7b7bbfb5c0d6b43

SHA512
09064cf5eed076b03745372272f641935dfb8a83c2315f6fc95166bf3a7f073dd23df85d5a2b30fa1d00badd001b454c146530ef69eb597cbedae057041e3daa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5139adc716c22dba69aed85efdd2f69f

SHA1
d7268f8172e006041224fde7a0ec10f3ade0ebae

SHA256
a4b79117abe6e4996aeed10c24cccc1239063c7242a80f7e434c0d8a2ce5f49f

SHA512
f5a2249e3b5b74d356b3b63adc436465cbbb9b551f5b68f3c3df090d6dcdd89e62e12aa65a81013e330f7d3a067943eed52ca992258e7f51e7c075faf34b5b94

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9b29b54bef0091fd2c245bf977c5eb9e

SHA1
5cefeda895f61efef4b2aa142f01b7eea2bba850

SHA256
eb973991a59463cf1aa509dd48786b2e524de7d794ed6fe72fd84983674c1c74

SHA512
eff76093bd6fa68d563417340db3e6337df8f43259219338f0d25e5506620b8c8e7c7fdce4c9633db7bf93594b2cc9822bfaad003c6276ae4b1a4e8ae0c79681

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0f97fb41b97c758c60b3e47319c33d86

SHA1
28063f22fcd943a6b1989925f0dfe67d29757aa8

SHA256
074caa6c3f0dd69c9b979eaf330a4ee79d491b40ea016c55ec875354df4aa5e1

SHA512
052d196a7caf06ca6211ac79b1185fa7778d1fdd597d532f8b84b0e4a857a26a698ee50770774ddffa1c3f3a28c69bea487b73ac3b8752dd1e97e302bf9f5426

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
03b7499f68f275be6f30aaff1075641e

SHA1
23df633e43d6cfadf2847e42bfd8f7a8e19bcd3b

SHA256
eb8e5063e35ea782e46860c7d2fd956401bdaef37000fa1da4af48ad24bbc8d6

SHA512
f1903567a96820bc35e22442c09f3b9f8986d38469b9bc33e267187becedd87c6db2255caf0a6b4536b1d7d7c487ae854f0d9220f3e5ff5126ffc5ab1db029a8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8bf816001d0f4f3dfc7cccb1ee6c500d

SHA1
abd1c92579d3f4f075bb60e661dcdd203521d1ff

SHA256
aedacf28e4a06f24a71f79afc0997011797ec01f54a4e0309374dfd4249046db

SHA512
6283137c8dad86323fb328e7fdd9e91a9dd90935a152245d30e249f12dee9c9a673a4cd7846e3c778ec1cd100d0f585559397807a7f057806b70e0809846d0a6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e8318f15a4a1bd46327ea84829674d0b

SHA1
f5e2a3c01e5b6bcea000aa26cc029797a7cbe042

SHA256
6eb577480f95dd308a386afaf60616db261a6f56701e0f9f9dbf13b805343e9a

SHA512
6153acf9b1139a9583eee178069395635ed6eb4e7a55dccebda21564d5cce2a2b39381ec394e0dd624ddf5520b85958ef620374692e2c48670b307ad498695c3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
72292a6aca345482771312959024cffd

SHA1
92a262313827a8614d9f175ac8907c571e4956b6

SHA256
3ff1fad2fa409e436b761473dd50924303665cb903f9ec62c943385ee16ee1bb

SHA512
2b9f8504698d433af878c5f49706fcbfe0a48bdb03bbbbf8d84a253108e953c733a5f177d91f02e4b136bbccc2afe75d4b1f75765ff70192b432505fbfcaebb7

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\f47fec9f-51cd-46d3-8048-6a28da39fd02.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
879db40924f1fd2febc3a16886742f1c

SHA1
e0c820b79b1b0bf6b04fb5ac38155840f48aa7f5

SHA256
7963a1628c7160030311dac978fa9690153aac0599212004753d863a4f99ba24

SHA512
162559faf69fe3fd4e939117f6f87013578741f13a4957f4340056eef9a8b8e6e050f07133228ed558f5544c9517657229f3d33e1bacfb9f1a5a6e9b3e8ec6f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a1e16b951869591d4af951743ccfef11

SHA1
55e83b999e9f1cd3600d12e4fd530caf836fc5ca

SHA256
f28b1380c1d71ac5cd2871083061ace3e7a2c87abf41e661bca51971f3cf3136

SHA512
430e422e43a113085a8aa7c84ee8ecd3654147e7bd5b31d91a7ebffed7354ca7fc46138ef25f70de61f4060131dbbb5605ed9d1257c2298af05afd62f1ae9408

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a98d0a9a15df9afd7372ffcbfe753d11

SHA1
6a10e1e3caeeeca258bf43435e487671453bed70

SHA256
9af0616bbf93039564db56e4f2d851e044757b0656a1a27b0605f821e2984c22

SHA512
9eb61cfd9ec1e3d12dc3c33803c53537a0a4733f30f25ef028bd59ff3e17afac87afbca3dfeb08b0737d51957390a18ef76df29903792ca64fbac4b07d46f011

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
813c94acc40ee1c300c842f3da06831f

SHA1
f7d31cab72deb05819a1689f33f3921fe84f140d

SHA256
f42a061cde63f5bd67cdccb7f4fc515c4d071c94249f6d611fa2c16f162144dc

SHA512
a98e73516aebb1617bedbfbf4a289ea7d2400e00f0e88d569a690672d06da153074dc1a09121512f5366738fbcc7f37a563b1b1800f0a13f89763853d0d8fcec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d4bc959641dde4b4174286c96ff9a307

SHA1
44a87935bd16ae263877cf00e682376abd082658

SHA256
7174a151ff65519dfc714518c79c48ab3d7dd2337dbba726e69beddf8ca2d97a

SHA512
b5b757ab897706a1d2ccda3c2627f6cc3f87d88fc6ce910ffc03bc3e54df63b3ad018e5cf570a50ac8c095c80eea9403aecf23db6961198834bb84144f1012e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
aaabbd350b0891741939b49d172eae13

SHA1
f5c72c7fb9072daa5ea5acec768dec484bdc2225

SHA256
e03c736e92ebad9aeede31f8b8593f0a4665c155be55b5f43cbf2e5d463cfe15

SHA512
b4e41c496c792120cd911ac65585753ba1b15494cae5487ea294b59d481dd22ea42ae11e0896b515837f7169fc5300d95cc67b8fdbbd7b28c9acac449121bde5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1b1571738da32e338f8967f2c60c0d86

SHA1
ab376a7e42eab86319e0f3a4247e9abb7ab1ff4c

SHA256
5259d087904af208eac2036d5a0ebe811bdb49d23742e08d4929643bd1d59879

SHA512
fc8befce3c110d1e1d8960dede102033455fc815f91bf28bc9a831d7764787f1ab58cbe7b55b807907f88d4e4f6a17fe21293447396a4657a4b0f63c0b5e0a31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f99df575af416071c1c0642eb58e4c8a

SHA1
e873f8e0bf9aa123365217be7e81c46fbf88e863

SHA256
4b8b05aac5b1e512700c47f9630a7bc6f065f6cf3bcffcdc421a9476da34b05a

SHA512
720c14de049c33c813ad982a5701c7bc24b217d3cf44943cdceb13eb1ff6d3bef78f5013d209615204f845ac2379d8884b03d346d5d0e7b1344375b8a04c3f82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
00baee762972048aaa7473fc7273c1d2

SHA1
f8bff2a753bc1dab53414f96b6f9caa5ed3ba569

SHA256
f895c03f3049a73a2d010641be1ace8f2bb081eb5cab6ce9126ef396cc4582ba

SHA512
6cbc83342638b4bfb1a1c1e5362b6fbc133204b3026f464e24673b7f1b0e0367f34109e6212cd36096ed00ed10ad980abccec95082048c48a9cf6b4b31c13057

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
786c763442a750c8dc72c477313ff3fe

SHA1
2daa91bf6c7e0d539363747e174f767dc6815deb

SHA256
138697df3b759cae5c8b2e43110b6facf3f6d5ca18dcff913b34a71775bdf582

SHA512
10517bd66d82b59012fe81078b14e800431c6a68e3d6b12d0c350610db6074b00c2c6121caeac95c3494c461b016530f5892d1485aec617b6e75f39a5c41726c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9b2e633a86ef66c156c64e0bc4eba337

SHA1
3a6b132aac1a9825285ddd560b15ea97e0607043

SHA256
43429233fbcfd2d098afc9714a78020b6756a384b4c82f0d361d848876163d76

SHA512
8891735ae48946ce6093a8e86e648ff52333631267556c4c3b219a88ef53a0ed7490792f2a91ad75fa0c37a5471b0ae438600cd1cc361268012a66d531963d15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
238925a36de127f01c30deb5c2344eab

SHA1
5c465d742b050daf9f64f699a4be7e51c6b39eb3

SHA256
8f6d5d9890364c0a01f108463a5d7fce2f1d246a58082c2c339a501fc2ce503d

SHA512
df39fe234f6a1d65f9a9bab9d0f6d1992948354d530f4d0768aa9fd43738d0485f4b691329c5a448c8ede6b6b11eda4e910058f8d66b09dbd2a71344ca4cb63f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
81c229381c4b2ee3f778734c9cf3732b

SHA1
f617f57a4ac2bf85040c428ebadb60ca2c5f962d

SHA256
905b131158ae231c2cef85dc5660ae5b86f162960b45e369ad8a295617023e7b

SHA512
e9f4362c5d83daf63304c693dbd754f397c7216a076d331e1b0892fe7d1b47d9b446e582126ab4852605685d93ed896e2c4b2da75958c3149c840327db68bd42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
14690cdca3fe46428d73a0ded76545ef

SHA1
eee29a5bff551a011590685d866491d3d0166786

SHA256
5d32d74b68b4eb32cc1162125b4fc1ea79ec747f2e48b613c684599b508bf6b9

SHA512
c90b937cf167d2b72eaa94f4f17f08720debf6441ad4c37f580f8683a64dac528f18b88cac3f35c96e4d816f1c7a12cf33e843735bb563d9fdc03193535daa8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
424a2b96144445085053faadeeeb64f7

SHA1
6793e2d24074dffc43dfdb86f949296c967a2441

SHA256
0fc8aac4a00ce4ed2d02ee76902b59577ebdd47d781968a9b52f3e4e46228cca

SHA512
9fb2ebd65a9a97f14f52f4b6af141fe2342ccb87b7652898718193718acbae58eaf1857b790bccd5690150f9c35ba6fc00782c5dffa5a630fb91e449797bf13b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
cf1c011ddc2258311f1be1205cf92249

SHA1
d0afbea7f0ae8c541c0ab859c0a74f596272a6ae

SHA256
264f87a1bb9b6c6d2d564f50ac69d922f15b8e01d185d25e911ff47abf8d698f

SHA512
63de7777d5566ff9be55155a916b6676a5fc3aa8008c6401de1acb18c5f7c75a29937ef46ef27f2e4e8401178ab19f3f4a7a93399d0cafecf406fd50d4fc743b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
437a605189599e9ffafe1da0911f300a

SHA1
6cef8534e60fc6788fc87da8c26f6185c7316c72

SHA256
f1eca15b2e38e27ca1fcd466a2c6a6710c807ab7fcb1d3c7014def704a4512d7

SHA512
452ba0d42423f7e6c94b8acc9af08f8e1339e4c39c48640afb8dd905aeaa531820d1eda39ea343eefcca5a2f923068c2dd961bb63bb9d63f83c260808fd6d877

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
0e84de36385b5ca795b3db0891804af2

SHA1
9ca2b01d5fdb86290867dd2c27d0ae33807f8cf1

SHA256
ff2a976bb711f6778cc74a38d74f74c2a8bffea94b81539bcab74d4f257ee6bf

SHA512
89657d67397d92356f471cc06b8023b7d4492d68af01d4f7b6fb4f28893cb08f2c8bb9324f8417bf7f937ec15536031d17d31accf6ba1afe55deaea14223fa84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
21f45d231176e8008403c237a8f751ee

SHA1
9d59a00469c9742ecd9e3552677652d69f2a2fa5

SHA256
37d89e5577505b5ff5c61b59a0a3e071204cd2a38573cf130cae848f491e2b9f

SHA512
b6459a561e8623f397533aad30876c6ce1a2fdb64c8d7c4f5ecae60d10844a28963a18b3acc120eec27c3a43528b4f0957b331c035fb1b91e355776f81be7eb2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8b4a3d3967556cedb7603a6257c28032

SHA1
cb3bede6d0a311ac3db1bb775c65e5c1f279292a

SHA256
77d79108e14d12c92baedf4ef391817dab4d3411dd84b6b4b7ca7d5559e94041

SHA512
eb475cc8a1a6bcf9adc27c5b77843391e1781391b1d21b99a35132b99d786421a1af18ed83beca046b50715e6514e1bf32d430dab4b7f34c6b774ad05c6e428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5b232f2ec5e33f7709f554291a0582c7

SHA1
8e09d16cdefd7434b6626535778c4d6aaa94502a

SHA256
539b48bb8997ee07f386d39e50b64b6a7f14ae24e0fd7c49a5d72e387860d5b5

SHA512
570f3bde7f527c8af2cefc04c0bb7d9024c2836b328a25dd50546cffc192d8256a276c6e8e07c0ca5afe06af86b819569f25ac6213e006588fc7edcc95e24d81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d2afae218a6ffb9a88388742854cc24a

SHA1
25eb035d0a205939147709892571e5d7b90c4e5f

SHA256
2e5c9bb54a1cb417155c2ec92f716d17a50d2bf3b06ea4669a97aead4c65a733

SHA512
28acefcfec32ed089f06de2c9b88e6a4d70501b113089c94aa0eb1440e108eef3639c970672259a867a5e713218d07f93fe3fa2a7f284360be41b1438b88e9ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0b757d0b98c78e50caf5828eceab77ac

SHA1
a8761fe0a094c91c8fbd5b86960963d6165e2bdd

SHA256
86dbe0750489307eef19aa3e444112a63022fcfe6e7ef0f2988bc33b4dba87b9

SHA512
25e44b8cef44f71a126d94e4a094e840792f8d2da1ff749a3fae94683cc49ca4f7dd6fbeb515ad037b242dd0cd22773162f591b3634881e5ab347f56c3796a1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
34ae0150e2c13116bf81b1611646bb08

SHA1
767f53948f59976cd1963b5e85c8f6953c55054e

SHA256
46c9722373673ef017c80a72491339470e57cce908d6c6713fab8637f25ac4ff

SHA512
c29bdbc6827ec3b5ce41887655ad4f66a8eb673331aa1ef742ed80d2ccbd512be5a4c471b0eb4b03d50e3d5275263f527cca5bd6731f47728e274613d432f169

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe579c6f.TMP

Filesize
2KB

MD5
4b293ef6e36074d11d943e6699266d96

SHA1
c59e290054f47b0a4afb481a1f974ce5bd4d854a

SHA256
13713350069ea503b433abbd2932f6a25aad6afce17c2e0c3a0f787b58071054

SHA512
3238c301df585a7499d814c241bb461ab4b7a5e53ff040836183d3f8d07a3aece36d6a5f21f55a6bd69dbbcb913911fd1cd439a73de08143f809d4dd77f49009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
7e86d22937c6cfc8eb7ff692d2cd43bf

SHA1
d791af07f4caf0f14bff75f3797e296a03ac2612

SHA256
4e83a3317fa28074b7ec6c97eb52d780d48b936b3f5801f433a3c8d17216a815

SHA512
241f7ee99d626332ba939451510308760f0da5c53b97334f2844f908ff97b478faabfd450a22d48bbaefefa6a22f993854a0ba3b3f491054a1a12c10c54259a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
0823face005a008aa2c0838ee6fe9804

SHA1
cb3c9be43cd744fd72117454f2406776a16a3164

SHA256
5833285d234246a697954d54975f660947e0db8d81b9de15e42b4dc15cd8e021

SHA512
39887c0ca7baa6091ab58316410d26b4847d074acb2acc52d3c53dc971edf631cc729e43b02b252b369b03ac8899e969549726d2dca173f59ff0aefe4918fb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
512e1e49d8769fffc0ad0fe409fed5d4

SHA1
492ec9d0491e66e8d6acab7efd9a994c3ae712fc

SHA256
68de77d7eb65f55354c5c8e4b3c5a4f8283f887f34a1a873a5c6c9e6e2f171cb

SHA512
1602747f03a52309cde0d552aeadd827f4daf3a4039004ef73a346dc8a75c3483341f03f2f719019dc3664ea01a4eb333cc2f6fa82d8853ca004d5925c53623e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
2b8e9a937b836ab75883ca18777f53dd

SHA1
0514bcf8156fe41be5bbcf01910491f0733c509d

SHA256
75471b9589fa2f6328ccb0f6cbe47ea68ad211be4de8615bb311fe3b21c78517

SHA512
7cded8b17f4eaaf4c6dbaa9bc7575a05cdda434f065bd1c1c1fd0005946fa7bcded66f63d7e114fa26a96d40c6489a54240b4e86e236827153f4fd01a0e5121b

Download Submit
C:\Users\Admin\AppData\Roaming\f4098e29102ae222.bin

Filesize
12KB

MD5
80d273f771ffe7750fc8fc09d8ee6486

SHA1
b68158366a80593cf96a897bcb28eda6e8e17e8d

SHA256
3b6d647183f658cea900bfbd1f97c5d081be40ce2ba493859bb0558b979be987

SHA512
cde58da0cfa7ea9abc7c0ef17dc6f4e5419da87e004fdbef42f61074a9d326d1ec23fc4a81415556a870ff670f79aa619edcdcb9d0c2bdc4f773ff9948a2a7b0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2d14a31771d6cb6566df85c50945679d

SHA1
2ed9011b51cf672873fdf29520462c0b1e2d826a

SHA256
b5b77d184dbc06d396d98ebb94eb3b25784cee1f3e929c5a6bac7b442807ff3e

SHA512
f9084ee992caba34bc0aabbadf4f05aa11521407029997b4680c8d862306034f96121d17140b30a64505c91c1e8dacd19e4799912ac5c6c4f2f1a1001ef633ed

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
49cda0d4b3eaef901c20cfd072df949f

SHA1
2d9f899dd187ae16e5716681c60696e1e04ae6d6

SHA256
c447fdebe68946a55e2e48861e6112efd249b3df55ffe644fd688807f69a0b7c

SHA512
bdee6d3478e21a40b879dca83351325c1d0245fc7b430a33dbc84d3761e07707e8b715e6cbe2af2bf345126535354e70d48180081428842c40c7ecc744806ff0

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
46d8cc58fb75731c9c27c4055e530c55

SHA1
18b641a0a11806aebe197434dcd1f9fc4ea5e8ff

SHA256
496b542f566823fe4d1751c9c2cdd1cc897a1551cf82bb555cb761453c8b1a1e

SHA512
9f63ba75dc3cdd655eef4dd803c8769c8d4e2cace36f4c4779656493a55981c81b68fab3e100dc2746708d9b738ed4138d8eabf2655adbc5ce3bfa9f2d493afb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7ca2e9fe672866c064ee6dab119a0850

SHA1
5b9ceb7502b7a8c9c2482482e21b26724ab503df

SHA256
4fdce655600ed0c2f334766bc2b1c969240ba6f2e899ef4c27e62a71d9b7eff8

SHA512
30ae29551345c2f666245702e72ede0e58122e3e86910d332082b3811a9fe2bd10dbcca2b5f71547fd92678b42b625dc54c0671d44b290233b326e9496fe7488

Download Submit
memory/944-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/944-38-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/944-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/944-120-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1220-18-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/1220-11-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/1220-302-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1220-399-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1220-318-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1220-12-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1220-43-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/1220-50-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/1748-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1748-351-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1748-427-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1984-49-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1984-64-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1984-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1984-51-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2060-109-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2060-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2060-54-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2060-67-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2060-111-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2156-99-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2156-98-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/2156-107-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/2156-117-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/2156-121-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2360-339-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2360-204-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2360-245-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/3560-395-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3560-462-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3560-450-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3560-390-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3636-297-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3636-115-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3636-116-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3696-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3696-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3696-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3696-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4160-385-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4160-373-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4160-262-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4160-285-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4404-374-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4404-439-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4404-386-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4428-154-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4428-132-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4428-140-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4428-165-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4484-329-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4484-415-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4484-337-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4984-26-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/4984-7-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/4984-0-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/4984-32-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/4984-1-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/4992-388-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4992-299-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4992-289-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4996-335-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4996-148-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4996-326-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4996-180-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5168-414-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/5168-413-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5168-402-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5168-410-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/5308-417-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5308-425-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/5476-436-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5476-428-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5644-442-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5644-449-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/5748-452-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5748-463-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download