597ef1bd53078b8af9a91e9d509dc01e15b539ff9a875200f5dedaf33628830d

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
Size

5.5MB
MD5

9cad1e5895412410cd5a14e97270cfa9
SHA1

00ef5357527b3d2fff743fb9d07fef13e131d3a5
SHA256

597ef1bd53078b8af9a91e9d509dc01e15b539ff9a875200f5dedaf33628830d
SHA512

820db3e170fe6d85155c118c5b7ce395724e5cc2df3326c4b3aa9f14c549fef99de3572ff3bfd723cbdc4994f9847a99ac47145534561fd33bb63534b540dfa0
SSDEEP

98304:sAI5pAdVJn9tbnR1VgBVm1RVlbnP9WXW7H6C:sAsCh7XYEHBVH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
628	alg.exe
1244	DiagnosticsHub.StandardCollector.Service.exe
4136	fxssvc.exe
4036	elevation_service.exe
3392	elevation_service.exe
736	maintenanceservice.exe
1560	msdtc.exe
3812	OSE.EXE
996	PerceptionSimulationService.exe
8	perfhost.exe
4472	locator.exe
4716	SensorDataService.exe
4228	snmptrap.exe
2928	spectrum.exe
3932	ssh-agent.exe
3944	TieringEngineService.exe
1876	AgentService.exe
4436	vds.exe
2832	vssvc.exe
3372	wbengine.exe
1768	WmiApSrv.exe
1596	SearchIndexer.exe
6132	chrmstp.exe
5244	chrmstp.exe
5400	chrmstp.exe
5452	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6ea34e6f293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c10e578c1aa7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4d17a8c1aa7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003977f8c1aa7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133602871368734126"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000320d768c1aa7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2964	chrome.exe
2964	chrome.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
5972	chrome.exe
5972	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	232	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
Token: SeTakeOwnershipPrivilege	4768	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
Token: SeAuditPrivilege	4136	fxssvc.exe
Token: SeRestorePrivilege	3944	TieringEngineService.exe
Token: SeManageVolumePrivilege	3944	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1876	AgentService.exe
Token: SeBackupPrivilege	2832	vssvc.exe
Token: SeRestorePrivilege	2832	vssvc.exe
Token: SeAuditPrivilege	2832	vssvc.exe
Token: SeBackupPrivilege	3372	wbengine.exe
Token: SeRestorePrivilege	3372	wbengine.exe
Token: SeSecurityPrivilege	3372	wbengine.exe
Token: 33	1596	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
5400	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4768	232	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe	83
PID 232 wrote to memory of 4768	232	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe	83
PID 232 wrote to memory of 2964	232	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe	84
PID 232 wrote to memory of 2964	232	2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe	84
PID 2964 wrote to memory of 3852	2964	chrome.exe	85
PID 2964 wrote to memory of 3852	2964	chrome.exe	85
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 868	2964	chrome.exe	112
PID 2964 wrote to memory of 760	2964	chrome.exe	113
PID 2964 wrote to memory of 760	2964	chrome.exe	113
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114
PID 2964 wrote to memory of 4732	2964	chrome.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-15_9cad1e5895412410cd5a14e97270cfa9_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2dc,0x2a8,0x2e0,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97d54ab58,0x7ff97d54ab68,0x7ff97d54ab78
    3⤵
    PID:3852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:2
    3⤵
    PID:868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:8
    3⤵
    PID:760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2168 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:8
    3⤵
    PID:4732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:1
    3⤵
    PID:632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:1
    3⤵
    PID:4640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:1
    3⤵
    PID:2404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3904 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:8
    3⤵
    PID:5200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:8
    3⤵
    PID:5228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:8
    3⤵
    PID:5956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:8
    3⤵
    PID:6020
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6132
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x268,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5244
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5400
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x274,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:8
    3⤵
    PID:5512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1888,i,14649047919980816534,17659539622394020812,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5972

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:628

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:516

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3392

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1560

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3812

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:996

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4716

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4228

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1240

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1596
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5740
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
39ad08864f71741a825e511ba5afa5ee

SHA1
79cb2ad230f2cbd48b5ae7767483bb8ae7a115e3

SHA256
c6fefd8efd1ccdaa3f78fd5fc8c5c9e3081c1dee46cd1a1dcd007f2e3fa5cde2

SHA512
deea9cbcb323320fb50b15788057262dcbf2545ede3966c8211da0f1102b58f62efb37ec3781c8d227524bb51b297e49d41f698a509c70ce2c14bd124c48f46d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
76f965ea14b25ec0e51277d692b36678

SHA1
02e835e85293d4d704e2e5236dd245ae686339fa

SHA256
de3d7240b6ef73c0fa14ddfd7d86c332547405e983830cc15ab745defbac1f16

SHA512
9258533af54e026835670bfa20e4ef0192d2c702e6ec0ae2b932cdc2c6f125c7e284f48c08971c81dab92f155af77dcb927c628591e4835bdff95dd08926d837

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
c84733cf28bba3e6b280ed07bdc51890

SHA1
d75a864251486f35760bcec9a03c8e21f5ed129d

SHA256
4dedc0e7e7a14d1fcc0461bcf6f2f37aa0bebce499e1632bcf7b6e278cece5ff

SHA512
9cedcf2f68c991013e4e772146f16e38b19da31fc2fc8dcd37248bfba5c99710ca83292c03ebc091d8d52161727ddb1facf96ae7f6d96101bb5783beffaa0998

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5c1785bff37b97f2745d9e06ceb4c45e

SHA1
ad067626596c64cb20713aed7c1bc79ae42d4ce1

SHA256
fc048dda2e635e6d57637ecfddae067bfe3d50ad3f02f5587526a2c11283bfa4

SHA512
8c0ce19570aa0a3c347324d517d0ae67327f8a28090654c1bac059abd8d83152b75f99d041bd90dbf4d867b16d49645290d39a620a8e42329df4dc1359c21b5d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2e9c8d9060f66989776d870c6c28c53c

SHA1
0c37dd70e9fb25ab0a90bb5eaaba1ef9c9766456

SHA256
61788a1978b663c9ae848f4752839e2aeea91d7b7bb79be928e4cc0980fce59d

SHA512
05cf4ca139e37e2db993c83dd33902263e647fa16c088c0f98f8f46b2fafb2082c2dbb4cf3178da98440b7adece0bb0cf12af3fb1f54beb20a0ff438dc1ee20f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
de6f2997e8be3496f9d6ef29e2d68d4b

SHA1
a1756af8db2e93c5a5d3fa2114c95362bd361751

SHA256
9dede9148ef262eeae345f8c8aa44cdb79e40147a419d47d9ca1cb88f9aaa193

SHA512
84138fc80af40564b0ceaf607b2e8164d103d4325408df31587d61c6445f0b1889bc8ff027355ef47cb14192b82143470b5f196c105d6a5525aa23c77206406e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
7ce14db9cb3f1bcc51742a3a10011146

SHA1
76c2d1486b9741d99598301a1535a392e5d6cd9e

SHA256
0eb74df92a00aface6c3e8d9e0206ec47ebd1e87ffaec875eb23a00ad116bad0

SHA512
ee506ba73bc0e2679820d9abfb30cc729bc39f6be342e0017146a3f081e26a6792c8f083dcba8ad910080b6ad1f9d7b4937dd86de1180809bdcb5ef3bbf6f606

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
419872da4662d789bae01fc756874162

SHA1
3017f4917f39c33eec9862bc2d77ae4c5012f193

SHA256
a237b58a7d1bc713a8c4152efcbb4a2d3ae97b76879b19349553cdc0a3bf9b96

SHA512
0b50ecd3bc09f96f4b5d37b166cb7ad4bc40cb817f6ddc20849527a939c4679c398f2377fc03dd497e88efb721d7e55f8f820b38de42c18f7df47b754e639f16

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
7ccf3393c5917f4e7f157e7b26ab6f56

SHA1
3be9d1d0b581caa5b723be13c6d5ba3b4bb7c7df

SHA256
331d0b8268d25fe1ead827836b61b28951122545dc02b40e3800103c357d86b4

SHA512
d23c8d1567b0eedd8aeecdee1caaf5f419feb5547e6361e7fc23620bc7339fa62173069720484d03ae521b0b86499812bbf58e249e55dd1ba700550d7e192542

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
534427bae8815c4fff8982ad6c14ecfe

SHA1
3ef0c94b1dc2d5e5012a22ac13f332897e70fbe2

SHA256
23b87e1a8fe8412b35cb3bb60c442e76bd4f1681f6ae9970866a3c362507d285

SHA512
ddf92056707af5300b527d1bfdc914575fcf85ea9d1cedc84f4361302f92284b7465bc6657f31614a0e8eafb2572e7c0c067a55db7db14d6013e4b522b9c445d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
512aae12019c94509a1cbcb3c59a0295

SHA1
c6acb7bbc0e03cbadc78c43e69abd9cb5859b95b

SHA256
365944d64d73b6c5aba7a5d5ba1f5a3a172c82611a2e6ef40f8cb76154255b31

SHA512
5ca0286472fa74abca1c670b54b6d0f9021657873569f0800292a66d2ab22c00800378c31f408090168efc41211f2f8c9cb3559ef4459b76e8b7a1b62c9159dd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0b2347390cb9d7ba8a5fdaa7b28b99e9

SHA1
23c6b719bd36b7e068349315281c9e6b6da969ca

SHA256
d823fa679592e45464b4bb3ba93eb2de014645f4d46ad6d85d574f6da5fafab4

SHA512
a41ed7a59f424143353a239fe982f62135c40ffbee95b315f25e58e9ae36f8849786557ade6572d3b4d9516b4afca9f63d1e3e75ec6a507f2ce064e23ca5c7d9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
278cceb9af3cc1acceaaaaba2b105df1

SHA1
b939cbcd46a9bf29e2ed4a03ac98175a6c4e01e8

SHA256
0b2100d26f2888715035c0afa728978d19c87c33f8f9b8da09490c3f56b3af8d

SHA512
440d17d77e1243d390eb3717f689a70227f278681733352a94ea6012ecc59d72d68dc66e1c97318d1c6bf486365d43050fcb983a1706c52e10e3a7e78827c037

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
784e89e082fbe4fd2d3eca931b50aca8

SHA1
3c1250e9f4183e895d682cfbf42fbec7d4738248

SHA256
d7074d88ae1ae3efd56500991e28f90c6c7c85448dbcde3c8630a1d1de652cd0

SHA512
3f40774dfbbc5a59eed5224e510af77ac35dde54254009e7038bfb8126016134062ff07b084c1c9eef89c5226bfabf1874f6d993b8805f80e163d0606fa7d9e2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
431bf3875ca579a18dd93eeffeb2a222

SHA1
208c6d53850b0682cf81700fd3abd6a4eda5746a

SHA256
4c605b840309002577daf9a2989cb9f447dd44aea7f71f2c032e2cbb3f3261a2

SHA512
8347447b3ead856c5227659496573b864837a118bf33dca8398f1f25a5b799b6ce7c3b1a07e3fe6498accee488e34abde6a6d578869bbe0224b9d03093233ea3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
83d83d268d003ee509681699db832ac7

SHA1
8e3df9325cac75234ad857ac429730091b91ab92

SHA256
8b49384612c0e6c55c007767b5017efd276206c24cf02d9c69ce6f6530bb7e7e

SHA512
41d9a39ffe2fb8c38c9e6dbeed775ee84210670f6bdeb4c24af8486d784fbf04b24d4a6f9ed93b79943c691a9f9e33506e0c495b84031f9328141ed2bfb236eb

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\80486251-4fe5-43df-b75a-94b706e0f922.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a60a989b0dfe27ae11f71939e0c1f894

SHA1
a8f0d4e449ffa272727e2f4c9d7ad564fb2c3f9d

SHA256
866a569caae1319fa23acd0a2bebb59b2154e305e7812043134f192bbee72782

SHA512
369a04069e83cda45442ec45addcfb59727eebd152ed78f2858f202fa3dd9b630a85652954b9b7b4c3dec21a52913e3e2879486ad176fa5109e4fb56fa71ca73

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
55d53945f1753174a8089b98f81003d5

SHA1
d18f5f76636f4659c111794c00edfa9e9495c256

SHA256
c12222a3db9da6c29e5cb863e7f75bbff8bacef68335f06a91090531c30eca81

SHA512
5f3a2d4cc7685c31fb653d56c9c59654eb3be256782eae6f69beb33ed2b9bb9bc5c917de3e01fe4a0427fefd9fd4563023c32c7b5a9ce2c57ba0618fd4c5fcb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\63df61af-1a50-4b42-ba94-96049275d21f.tmp

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0f62439ed0045ce81c92c2b021bcebd8

SHA1
da25f23ec013bf00cbb2be98ce08a3bb5703ab36

SHA256
595214779d9665237fa90eec198051ca4eb5bd2b456b7ba797794065c41731c2

SHA512
b0408f1ea72916418dee9226606bc549b42154bd134d0b38d554c1c6613db0d8dfc2a35fec86f7b20f894adb496af3937b16de0582213908ab46951747db37d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
12c15f14c5856f58105c409f20f07d9d

SHA1
ddae73550fbd921039faba014893a35684f08a1a

SHA256
42cf0379aa4d0755b5eff079a167d252e1e23b8427b8649eaf7c036d93bba4a2

SHA512
76aab1c4d15a71132140350163ecbd698a3d8f4a37d89d0aa8f2e20f9397d53cbd324b0e0d81d8593d1b61324920e33ab3a7d7d686b6bf3ff9514076ecc2ec5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
648d234d16233879b376872c7a003dca

SHA1
7ea7592214c2d98b6135c9646e1684b7db3f863c

SHA256
ed49e6875ef198e048878eea09eb8e6f117c885ac25077d7972b74aadae02be0

SHA512
02cd48d43621b8827ce533ea20409ddc2355586466d2c595142ca8ee6e7bede4fa91569ff5f0eec2d69ab35c7b46253fea2ea16c47237a8c94aa8cee2e8c5c53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578b67.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8b83f0ca3a48cb841c6cc4e912abdd1a

SHA1
3328a86c10d3b9cf57a71144e07cf28134b2b3d6

SHA256
15266cbc87c4d59d65acb08e27c931ed2768b470542b3e7d543dec1eafc2cc5b

SHA512
223a608971a2d050bde7eb0b5da404cc932f3cdf502e865b270198da1a3b25f2340e2a52527eba1a437e50c42b2db8422cf0793a227eb82027f42d663a2a7fe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
f7f73affabfe7ca36de4698e98109d75

SHA1
648d815fdcadb95aee76cfd4a114dc140a2de563

SHA256
0ff7b73a3a5f84eab7cf601a12720c6f6273d9d2525bba0a7e960aa042039c22

SHA512
1f7699a6bc6338a579d17c1ef5ec895fd915eb22df83b5125e8ee939d80a8d8d2122bf218d48fb73af5b79d8d7e85a1e9cbfa80d534263f0a4e395d1a88193c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
22ad2b7b5a641c668b3ee71160d85fbc

SHA1
a56079885cebd467757fbbeb98d5c7eed381b876

SHA256
aeab6ff2ce6e44c1b234c144911e36fec249c553e0061ad10a20fb24ab1e911f

SHA512
72db2c2e79c1940975aa2f116b859acbb67bb226159fe26b9343ddc81424eb6917d903694c8b958c88626b8eb10a581c629d3792e8f24bf18510d36765d7cbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
92ce6469d49fb4ada9c24793d1631880

SHA1
de49a85656a1b699e97c567b025faee5d36732a2

SHA256
79893a0812781ba1a0015ef675e095d936f39fca302ef9e73804b330b246b27a

SHA512
ef64dcfb421f565e83fcc8d9d26263985dfb12efff1676fa503cb6002a0fc2105722b8bf28bdd4a6d91418d268d8fcc20b38453731be191fc962ee3347ee35dc

Download Submit
C:\Users\Admin\AppData\Roaming\6ea34e6f293b476c.bin

Filesize
12KB

MD5
2660b2a8933fd5d310d61b2ce1fa610d

SHA1
de6259d4bb0415d2ab109ce0ea4c417e776d04c3

SHA256
b95c7704831152ff6cd26dbfb7b3a931997c36a74cec6c398a18c4ef6edd8839

SHA512
44e173769e492cfc3b069eb70da8cde1dbad25c8fad7cefd3893aa5df7f36c237a1d855329f5fdc6a796adc5bca5d6531d9c9e1e50dde58e641240336707db83

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
0624deb51ef00a77da1cb6267e670c9f

SHA1
e18dfe0bcf64ac3d9bca8cfd90975d34725414a2

SHA256
d342898bf9aa9e7073d7268130f7902eee8f1a87cee77eb027eb494fc77a5b48

SHA512
c2e9cbac756538b27c648a055fdfe4f403387f0f29b132d06b81681b94632070101a45b321853f78cdb634ae1d8ed8787e54159be18af2e764bdfa39e5a25014

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7a8f528207e83a597a7b1f518d4c8657

SHA1
3e02a8736ad4d2a870a8e0302d32a6e52557789d

SHA256
4b59744027b389f4256d8b563102cf8d8ea2b4e6184652e93ef1dac04d389e97

SHA512
ff64ac87e49ba1330bb37b46ac075315dcb99df5fa05c14b10b56487371bffcb57c69e73bfc915af4054cd6dd4248ed7d977eaeca095e9c21a1e3cf04bed53fd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
23033229ec46c5c9ac5ef19a856184d6

SHA1
78e49d29544c136f11f37f84ea022df0d31f0d07

SHA256
3edc83a5253c0375cf7c9f0b62407c2b475e5903f59e3a4b83d49401b3cde5ba

SHA512
24ffa1af04e60b440c036b3f327d1e46d366800d6776413c1d617f03522de0a59bb0f105a62634cdb0c845748937d4a97487c5a3ee2ad8ab3e52d66025d4a832

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7cb5b77db96b026ead1d59ecbb16e477

SHA1
6ed7f34f031d3bb356b4512b7842af64b7b25ad1

SHA256
d674629ca62a33a6d9c8462de3f6822eaff7dae2d6b0d15493f705084d172d72

SHA512
8397b6f42ffeff22cc691dfab19712b88c0db7730867bdeb1da6f950f593a51ce48b76de629259322572a0ab76c6b168775482b390500674a35af2dd0e6d1be4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0b13bbcac08db72aa95271f532cd38df

SHA1
6a7bc830ef850b9a3973043af36bdcaa8e818bfa

SHA256
1e6ad92dba205e9b180ae2fd888745cf51837ea280642653ad2939cc16f86bec

SHA512
ae6df88ceab80d8f07cf66a72f1247efa8387772a19d56df89e44d2da721aa10d809ba4f067bb2f1b645e6c12a3130924c32315d0d8139f80845d991480a016d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
faa3fa60e1562e6188728160e6d4662c

SHA1
8e13d68842ce82f9cf35287e373d61c70c174fca

SHA256
89083da5e4f8c773fc608245728ad6162ebc32e81abc4ea336bbf9c577f962c7

SHA512
5c7453e9841c7fa4ea4581b0d0eae47d0e48455f4dea70b9e5dd07e3947b8b851e5cc2e443847325363cc09e6d8b704d89ba395053fb77c5f6c07b28bfd15f63

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
40b618cdeb56db45eb5688fdaf36ab33

SHA1
f2466bf4cdc0a24c3236e1e9100193d955f72d1c

SHA256
7b1239b76d98ba4ba3406efc2b8aad39bc0c8c29e778acedbded8daa784802b9

SHA512
2250c16694e0f4768ef42f3a49c09e75281e8965c84653158d68d92c5b4771abbea3bc00bd18f989e5d07c734982dc9b43338765b4e7f6216d80496b2f73b12b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5b263660a04ab80e91c0d1b1ca4ce484

SHA1
9cfae5aca10e11ec0d9e7bded5c8824d9ba09a54

SHA256
331d908e0fd5e343ae899767865efe1a9b2ed1968887744ada44b0a491b7b806

SHA512
303ed2b94096bd4d6a69365b35439bd15541e04138f0b41f698f29a0c4e0b0f38d937e7514285fe2f1bbe8cbcdccf023b1380fc1ca1ef0743ae2dd4f19ef3407

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
32ff6047e549771bee351ca68399bbc4

SHA1
b712c2661be25de93d58c73bee4aaccbaf5b689c

SHA256
54499f56148bd6f4ed9ae7f621ee48e4adee87e140858ea1abf3cacd846ac44f

SHA512
1b9854fc555182f9c8992b692808856f7edb7243bc26e30c84615ffdd2a2ac881fa055803acb9eff5b51a0e539ed3b04273d955f1c418449d2ac900504240fb6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
39d16449553a258aae8e11cef6506931

SHA1
c29b36e0fd309cba2421b5b9e8f8cbe18517a995

SHA256
cc93cee53c0edf00b73902b497d1f2ba6666ed07500cf2eb833591eb2f8c8730

SHA512
a8881fdf0a8325867324431c3cbac6ce0a20894142519082498a8b5a6c0d69548bf68e220cf05434fb5a0bd7b50342b99d28ebfe497a549e4cba9961366acd21

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c491e6b4b04c3d00b5923aec7c9782b7

SHA1
4deca2b0b61564cfcd500cfebf9986ee49f002a6

SHA256
807a36c3418bf6b75dcd3910951ca68d94480c59bf3e416ac8e0b4cf862c2081

SHA512
9456e60b4452ac00c789e1eb7caa9bc305f1d5dcc40ab78cd78969b360c57dc100461385c0f1b20eec26ca1c4b9e9d78e2a819db2b07fee6d6b2b8b1b5f668a3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
78d61d326e01cbbd45cdf309bc7319fb

SHA1
fa8e830dcc38b2bd5e92e1d8b74befbc9c26c746

SHA256
19bcb211a73800189d7796f9c29a48d936cf0b1daae596b2d21672b4d5938ae8

SHA512
1fb8cfb13c361cf17c583401919f84c4b1ab8938ed637a66c35231a091cc713e56f5ca0f7be25f9a492489b6f953afbdd0d1319a8a51fedb085aba9de7812533

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ea0477f7f3cb90a2c7f671bbf0a0018b

SHA1
18cb50bbdcfe3f3a5dcfe68fe95e8a785792c767

SHA256
14bf950c67e11a9a069ab13f4f7fe08ba922ae8369ca90bfe72af2074fac9851

SHA512
1c47b47c63dd558af5e111883276d851acd47d78b4090cace2bb515886dc3725327b9a0535a152ddfac1476b18234d4cfab157600f5dc0a0587c425f3a8dd44e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
609f96011fbade7a41eb2dac525570ba

SHA1
97697ae893d75ca7fcb21b99e04ecab691fc7731

SHA256
0e33c30f09ab39a6f035f9b67459d35be560ae0c6afd93e8635aa4436d7dc72d

SHA512
e5dd9da7d7dd34638b018994825b8d65302c249624c8825cbfb53830fd9292634c56daf5c541ffc394ddeedfbd4ef908f9e7a2cfaba8bc026fb23c1634f357ba

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
e2e64404f6942a5c79aba48ab3405f20

SHA1
a051430196b464bad958e19034fe5f8de6caaee4

SHA256
14fe0fac54b3075b6cdaddbc2a6ed3d343802ca5ba0336052916a14f3d439142

SHA512
51eb39a809cb4a8451446c0e17a8f9bebf7718171646efba1f02a44994646628b6220580c553433ffcf2bd16619708c6476d4efe7a599b5298a40921f5a72f49

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
68dfb714d908d1ab98ddfb9d467bcc4a

SHA1
1d15af91c59a148883dee8cea984505a88ded585

SHA256
9a501242e6f8826fb85757bb80466a69001bf55f116373c0d3b21b4d435d1fa1

SHA512
410f48520c3d1923827c73527ba745e190d8ea3341e97fec3377f809dcf6bce83325763d909101906efa24db79c91a957778dca2b58d9677afc0823c46b7513f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a092cc1ef38c5c3e104c1bf06af570e8

SHA1
4090fdeddbaddf0614d08e5df6bd70f230ee3093

SHA256
5f8f71c48e9ccf1677d7fb8749b84bb8427f038d0060a8929de512681c312851

SHA512
bca93040a414da33f8a3d5eeec5822739403ac5978f008c61d280c04ec25ea3642547feca4210d18d3e9779f20800221b1ff8089bdae0f217dcac7c11f46cb1b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d703e21fd52efb184d7beba35a359393

SHA1
6365141b2779cf6b06b148fca3ee10c00f01a702

SHA256
ff2fcaabb000c879c4df9b609e8ee88f4d15af1753a7f727ac1f8ccafeee3ae9

SHA512
ee0bac623a9eb0e837da5ef0c383ab7e8735526b87834cac1faf09824fb02dae55f4281c4b36ccd4db25ced056ed9ba9878925a1f4b135b3d7a9e1e5f5ffb13e

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3cdaef1969d6a493ac1f7e4e9df29261

SHA1
cdf9168f599d580f364a1ce221d4ba3a1a84ef31

SHA256
1840c272507f942e3fc2421cbfc1d4f6fc83c8916028c96e2586ea4f5ba3846d

SHA512
624ff208afe9843a4fe85472175ab41a61923f0c4db1323d6ef70caf3c3613e7ba601d51bf1241a5ddac7e412b9a3e7e9d276f4b7ab0e7e3190f224918607778

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
9db0fef083920022e808286f08d9f50a

SHA1
7c8eaeb92d35bb601b398101df97b4e806a50160

SHA256
f6ca5cd59e7b9ce08882071272718dde8413a9d42bd0ff118863e8a6308df264

SHA512
5c1fa253afa62bf1c6273bc5d5440091fbdf924c05cfa84ca83fcde3d7f519d05a2407e475f57a617496de8967d966876d52eebfb42168133bdb7494f6deb89c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
310a40df43fabf719159f3d69611c59f

SHA1
17b2380bee51da996b811ceadc10c654d5111af3

SHA256
662caf49ac84a853505d84846f1afc70d5f3ce34baef897e2158c23d02f8e19b

SHA512
ef62a3032cc39eb07929cd01688a759eb2f05142aa52ba7fb301cc21910ac318e90895953012a2e7b3bf424264b8ab61740a9e65a3482194e4038f905864b104

Download Submit
memory/8-324-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/232-22-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/232-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/232-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/232-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/232-9-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/628-41-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/628-805-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/628-42-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/628-33-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/736-101-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/736-90-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/996-323-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1244-54-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1244-53-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1244-45-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1560-320-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1596-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1596-816-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1768-341-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1768-815-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1876-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2832-335-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2928-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3372-340-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3392-318-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3392-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3392-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3392-814-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3812-322-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3932-332-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3944-333-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4036-73-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4036-67-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4036-319-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4036-447-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4136-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4136-57-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4136-76-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4136-63-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4228-327-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/4436-334-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4472-325-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4716-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4716-603-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4768-12-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/4768-571-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4768-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4768-18-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/5244-548-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5244-818-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5400-559-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5400-584-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5452-574-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5452-819-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6132-536-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6132-598-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download