dab8467aa970caa3dcfc4840642cec871a77c64a0ef1eae0c6c56c939db8f390

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
Size

5.5MB
MD5

01ad619db1e90a6c3c888853a710119a
SHA1

a0ddb94db700804460bd1eeba83fbe90df219600
SHA256

dab8467aa970caa3dcfc4840642cec871a77c64a0ef1eae0c6c56c939db8f390
SHA512

6cbfd4bdaaab7ddd10e9eadb6650bfa27063622cdffcf58064d1cbb4b90c03c1c78e04adb4100d2a7ec90c43be7392aed6bebc2ab5ed4f6947444800c2c7a684
SSDEEP

49152:jEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfi:/AI5pAdVJn9tbnR1VgBVmMqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 25 IoCs

pid	Process
3400	alg.exe
2596	fxssvc.exe
3952	elevation_service.exe
1896	elevation_service.exe
1372	maintenanceservice.exe
2576	msdtc.exe
1576	OSE.EXE
5016	PerceptionSimulationService.exe
3216	perfhost.exe
1164	locator.exe
4696	SensorDataService.exe
400	snmptrap.exe
1772	spectrum.exe
4608	ssh-agent.exe
3848	TieringEngineService.exe
2124	AgentService.exe
2268	vds.exe
3184	vssvc.exe
460	wbengine.exe
4452	WmiApSrv.exe
5160	SearchIndexer.exe
5976	chrmstp.exe
6096	chrmstp.exe
2400	chrmstp.exe
4360	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aa0fe559e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e385c5777cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f9ab9777cabda01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607689984941978"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035f02c777cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f79e5c777cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2fcda777cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cc663777cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3528	chrome.exe
3528	chrome.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
940	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
3796	chrome.exe
3796	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3528	chrome.exe
3528	chrome.exe
3528	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1628	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
Token: SeAuditPrivilege	2596	fxssvc.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: SeRestorePrivilege	3848	TieringEngineService.exe
Token: SeManageVolumePrivilege	3848	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2124	AgentService.exe
Token: SeBackupPrivilege	3184	vssvc.exe
Token: SeRestorePrivilege	3184	vssvc.exe
Token: SeAuditPrivilege	3184	vssvc.exe
Token: SeBackupPrivilege	460	wbengine.exe
Token: SeRestorePrivilege	460	wbengine.exe
Token: SeSecurityPrivilege	460	wbengine.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: 33	5160	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5160	SearchIndexer.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: SeShutdownPrivilege	3528	chrome.exe
Token: SeCreatePagefilePrivilege	3528	chrome.exe
Token: SeShutdownPrivilege	3528	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3528	chrome.exe
3528	chrome.exe
3528	chrome.exe
2400	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 940	1628	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe	83
PID 1628 wrote to memory of 940	1628	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe	83
PID 1628 wrote to memory of 3528	1628	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe	85
PID 1628 wrote to memory of 3528	1628	2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe	85
PID 3528 wrote to memory of 4884	3528	chrome.exe	86
PID 3528 wrote to memory of 4884	3528	chrome.exe	86
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 4316	3528	chrome.exe	90
PID 3528 wrote to memory of 2916	3528	chrome.exe	92
PID 3528 wrote to memory of 2916	3528	chrome.exe	92
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94
PID 3528 wrote to memory of 3012	3528	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-21_01ad619db1e90a6c3c888853a710119a_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e0,0x2e4,0x2e8,0x29c,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9fad2ab58,0x7ff9fad2ab68,0x7ff9fad2ab78
    3⤵
    PID:4884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1920,i,8800258498414487664,12332127153611465430,131072 /prefetch:2
    3⤵
    PID:4316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1920,i,8800258498414487664,12332127153611465430,131072 /prefetch:8
    3⤵
    PID:2916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2068 --field-trial-handle=1920,i,8800258498414487664,12332127153611465430,131072 /prefetch:8
    3⤵
    PID:3012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1920,i,8800258498414487664,12332127153611465430,131072 /prefetch:1
    3⤵
    PID:1952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1920,i,8800258498414487664,12332127153611465430,131072 /prefetch:1
    3⤵
    PID:4428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3616 --field-trial-handle=1920,i,8800258498414487664,12332127153611465430,131072 /prefetch:1
    3⤵
    PID:1840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3892 --field-trial-handle=1920,i,8800258498414487664,12332127153611465430,131072 /prefetch:8
    3⤵
    PID:3632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1920,i,8800258498414487664,12332127153611465430,131072 /prefetch:8
    3⤵
    PID:5584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1920,i,8800258498414487664,12332127153611465430,131072 /prefetch:8
    3⤵
    PID:5904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1920,i,8800258498414487664,12332127153611465430,131072 /prefetch:8
    3⤵
    PID:5680
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5976
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6096
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:2400
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:4360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1920,i,8800258498414487664,12332127153611465430,131072 /prefetch:8
    3⤵
    PID:6104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1012 --field-trial-handle=1920,i,8800258498414487664,12332127153611465430,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3796

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1036

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1896

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2576

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4696

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1772

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1156

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5160
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5464
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
be4860b2130af75f2842e1cde385053c

SHA1
2774d4dfef182941f6bc57b519e8d9fde46105f1

SHA256
b3340314a6812238615cbce27b31aa28633d7052d1597dd432ed954026069cef

SHA512
55e0932ea2f18131464fe092f0e78e29def93a9be3a20aec23fdee7ed157d75ca63e80f64ecad004e93d4d5853666acfef2e169e10c84986deccd25efa71a960

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7e10e7b8c1b42e9edc6038e37932a5ca

SHA1
3099dee8fcbe4a3deb31955175a64be96f953679

SHA256
d9d3b427af6f3ff1b52e2437f554dd976f6355b7acde5460b49d249f734fb9b9

SHA512
88fe1fbd7e6886745d8d35209bf1e762b25fcb0a1ee2439ca283a1520771ff1644b988cfea8237336a5f29402ea8dfaa0eccef49898e5e206999800af47ab432

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
48ed6b00db6e91258b412d432a5d690c

SHA1
d73cfbff524ac8badcd091e94ea002ca065a8933

SHA256
bcec895b1d78fa9e87f6de0e056b4a311e0ccd5f9a29056350d44b0c77620874

SHA512
4d000ea7e1dea818fff3303fc0cb440cdcc4c6de75145b9113378666f550d9245e5ab04e3382c9043b68f82a5c3b7c1307076708c886e52473ad825e67586e3b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a2873b1bea26219366ebf42b9be9cd79

SHA1
4f240d488e9515b55fcffc349fa8520b76cb22c9

SHA256
bea8af4a1dc370ed8f5a683426114ca3326da063e260542bea248ddd21cc301e

SHA512
65429fb0c3e93f21d52a2dcfa316413dbb1369dff307d7c9fe01125b487308b0ef4bbca61add353cea53b05968ca3689f7def603227b1ef4f02a89a5c6520262

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
56f2da207b6731a08eaa41d351a5ee6c

SHA1
765c38da90421b518b2eaa4dbe5390b15f114046

SHA256
1b753851e02ea67c561f6495fe5c4f159afdbf8a38f675e02a7e896f4a1bd017

SHA512
c6fd89555edf5ef68ddade79ce989f2fe416da3380d3dd1fad0ea0c17889cedb948c713708fe93b0d455c0f2b6aa45f3c289b4828ce9462a8e0569747b5cd8d8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8601fcb6d6f519c18480658350394a65

SHA1
2464c166fbc6ce6b499427f2afda120c95575503

SHA256
11b56dccac517a9c8135b18949806cbc62db52530394fc46be7e5fd415d9a062

SHA512
6ce6dbd3e64754565173e20904f94a3cb2b9e8efae33a3269b993bc1f36ed7ef13c3bbc88daf46f3f396ef7e3fa2c9fbb1927595f20ef78ec2860522322ad9f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
058db2462369b420dceb963dea83e8ba

SHA1
9f7670ec21c76de9ba0c86039a38f914175546d9

SHA256
912535dfd528b196bf10093c851b3db52e9780dfbef8066fecf22dbf13ed0efb

SHA512
ddd6602aab5cc260fbbe3226fbdbbb58e77c1cee6e832da540f338af8004374bc545760370a2592fac78614c7a3e91f3587dc701b0515873b93cb20ea9000a87

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
92c133d8d243399999516895aadfd8ea

SHA1
7ca55fa7c02014efdf4a7f623e0b3ef3312ce2a7

SHA256
4ddba0aa39d9fe3d8e948103c650cf0510d9f53c93bbcd386508a432ea8f323e

SHA512
c74724358b9e7e03e3e66703fbf8a9f7c3ae2f12680473e3f4f371d44f7293c1008dfb7642e7c01571cb285e9957be3efcf6b4f7fa80d2c23593c2bbd69a9ddc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
60b7c55cec5e1acc5dc75f7606b81de6

SHA1
443bb0dbe543e31e6adfb86ba1c7332b7c7edc10

SHA256
d8e2ba21adafdbf485d2b20041de76b3e7a1e2cd2c533cec3c354d58145569cf

SHA512
15f276fcb7147841b5a63970e4b251655e10927837b0dc1b12dd69d4ef0fcaf3034afefa70865e6f37848fafe2ac94dd07c0b832f414b4087b433bbbda6a04c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1785868bf78ba15d7609fb8192c58f40

SHA1
59e1db3ee0a4356a4fad9fed8f9d4c49d916972b

SHA256
564ff694ddd49ac60847dfb65455b8e785917ecf33d8ecab1aeb7ed0a65eadb3

SHA512
4f0ec86c6075dfa42a401d5c2837032ff30d2b2dcee89deef856632fa424a79c037b2abc7049c7aa39225e68acebb1d39e7ac07ac8c1395d2fed2f2ad7c3ed01

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1301136f1fbd19271550a31a6f9e4848

SHA1
e27c7262b2b73b7e663c8da5a0e72856f9034f16

SHA256
ec03631116d19505250f5bc07e68fbba92d3b43226fdcdf08e6eebcac65ad2fc

SHA512
b5491b1a58bc7b47975462365e5923882289510bec02cefb61c74bae2a8cec06e7d8d0dd55950647cd91b8d9eda79dbd8c73ddc7278857c3f9646d0ee2a65b04

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
196b1839d1921069621088287b82937c

SHA1
2f71d9d9efb0056d5a7a11b1ecf5f00089f0d98c

SHA256
334ce9f7db6da325a9958682dabfa581b520de3b528562257a9fe571f575ec90

SHA512
2dd4d5d5ce642fe7337da1b28998a44d947f461f1d87b9fab7a9b8b43e8a1db67ec8b3394bd384a2f280e068e11225a866c2e8dc69f3f6fd411f52af1e519e1b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
0bb820a3b1ba4b8e260b2132aa8f1528

SHA1
3aacb4fedcf09cdd22c976c7d8beb0697aef5818

SHA256
44088a639880ddc3bb378d1e8886eaa70b3a5a1bd748907d674ecde9da71d4c9

SHA512
9aa1dab47ce0ee585c0a060f3d127f597e209f228ab3fed2fda4e23dc0df77e8d6b357e7d1539e2dc7a1aa8eb31997ab5c33b6d74cf5357961a5a207cc7ac69d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
0b6bc8be790d4d818f5b497cb19d51af

SHA1
72e4a53912d7df96975283351e5b806e2ee1d3af

SHA256
a0e882dab4aaab63b79c54e2a4b6ef6da8fada8070fdd48c7bf28703d99ac77f

SHA512
f859101243a01657a18477c81e7cc7ee7abe5acc4bc1799123ee3aa952c428fa5bd7288cec286d5d13281a32eb7d78239f45fd7f9d2c9d46590c281e9b4f1053

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
dc78164bebcf1b3bd4eef5eba71f5410

SHA1
f0aaef61c91b415d2a06633ef4249f49438e0c2e

SHA256
f5c2ce22728c42d9eb08b3369030e804322c35950c3e86e0ff75feb0a5101d26

SHA512
0b46286aeaa2e4891cd39b86708abf7da3e2337f23053d8ed639c94f68fdac692154ec5bb0f0fcb3a50559d60bfc5b495292dea7971dedf8e348009f38f50141

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
67fb8ea5b084b8cc73fc370e97321293

SHA1
ae7745a03e98d7cbf969138a1103fea3b659df66

SHA256
6426fad1ffa0af0bc82d605aacc66757a4b0aae82f44b75a35ce55598bcf9ee3

SHA512
a8ba39d4eacd7de16b136cdaca8ccf557ebd9260e2bf3ec1e9b84a2fc58835b02e951c7a6f1da95ecb154aca16e5922fcbdd962b0afff0daa07ec720610424c9

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\45985637-b31f-468b-a5e0-d004d17a37a1.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
894573af359230b319bc2b9b75d28b90

SHA1
018542c5847fea388d0394be410942930dcf2469

SHA256
692514c8ad188bf8548f9c88a14272fe0f5d350b98a3b4bb2f1cf5b872eb6e4e

SHA512
188c4b9cbdaccd5b1271f956ece93fe67fc10dd32bd8beb813ad79eeda71bb18f83fe06ca07153b1922e831189ba6d060fcb2c774ec9db0909983859244caebb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d2da2b500eb0dc099575aca39e74fd58

SHA1
80d213b4b00fff1b2c2030ae3d8538745c94fdae

SHA256
3bc976c6eb9b3f40e77e62ddd17d0f9ce9bc515d26f36a7b1b80466eb7bbed93

SHA512
e715ed53279997a0a19158bae5d1b9a9513cd69fdf61e3b1d14b73b627d153ee4e57e82fc6b9bf5b4d1f34671eda7217e87539101210803775cb1086f7b7ae28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d0df793c4e281659228b2837846ace2d

SHA1
ece0a5b1581f86b175ccbc7822483448ec728077

SHA256
4e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9

SHA512
400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1b0dad712a1224e6ff68acf01d833bc5

SHA1
654990cb5ab5574a3ea8ac5c1eb9e9f9ea75069f

SHA256
5474862afedcc1154b31a9dfab8405e12a0e10d5aea3804d1a27dbcd4f95aa89

SHA512
aab51c416304cddfe4b7711dcd11969ff7123f0529b23ca52a3a3f122912434f64c52d381d8ba6e35aa2cfb3f33efcb2632e8c7eb5d0ba9f01038a5cb683c011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
1d853e674ca70b68be20a12b61802381

SHA1
33fec7ea02f1b7270ae18672a710e934ca08d42d

SHA256
3d025a2a88144a12677eebd76c5a9f12e03dc14da8161307f2d7c1bad4857a02

SHA512
674cd5f83f521786eadb2cf64c001bc67dd8f7fc8b2349ed20c2453fcbe2862fc4cbb24a91ebf09c144bc8672dd8d03d45067f434aead6ac84109c65c612d788

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0764632cfc55bfe4ee897199ffb9984c

SHA1
c2f3d4365e8a78ae1fb2b7264e5aa8d6aa91125d

SHA256
941f02f3a83aac360f23952a097550a2b2a9130920d2ab395ba15d73fa1e216d

SHA512
421c5f44906e0bbeae9e17c640b64342bbdea4f6fb605aee3a0dde94a217f75dcd3a48868afb8d362870c1a2e77018e990716e7acf8c1a8181ce036bb5104132

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577985.TMP

Filesize
2KB

MD5
1d0245a0816fd932b1963600bab98460

SHA1
82d188a3a5fd107ed83000e16e41e0d67eed941b

SHA256
b9d8f68c1f5aeadb1748f8efa21c33a4235cca822bfdf19951d296b2f29944f6

SHA512
febc999100ab08b73d52fa2a08f7c09cf2281c420762d121150da6cecc922372a9591619163881a5d2956cc20a7bd6d1b5017b6f0575b55ca6baeeaa604632f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
4de41b81e55a864d9e9b7589b5a9b42a

SHA1
c72ecc3f3bc3508bca858b12bfe402c70dc500d5

SHA256
c2afe7679f9f232bcde1a82ec3e769c359436ffb809c08addf3a94ebbb17dc31

SHA512
699a1664021e5172971307fb8d35975fbdbe08966f6b5412d005d3a7cd582b9ee86822de6c8b6609543c28716fc4c697f4cff160b24a7c89822f0f8eee575eb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
e178d6eae1afb564b67c8cb4fb7d7297

SHA1
006c0a22122c4f420893d855dafa54d137e6856a

SHA256
2c34ed8c82812b97aae84dfa337a6db113c2d8f5daa4b09549b073b2874bfd44

SHA512
b19f70353e7e769ba81f47c5e7799cc9bf3ccf9a9e18898d5a0753fd9c25bdf7898749452db9c7d683be523d57e4be1de86cad6f963df73c702aa0aea61bc25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
969fa01cb8b731c8576b0e8173628c54

SHA1
bea2fe1aca024fa0d47a8d030168f91c93b1c89c

SHA256
92852b61e1aab7d36465f9e80595107188e798f829ae6bc5e54fb21d96180549

SHA512
4103b458fa68a3e771970f11959f7b44be2921db1d33bcd0e678736f85651ea7f3df65f7224cfc5fe8bd3fd8f4e8e01cd2155f723450d23a1f9b71211b19f791

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
8e30a7da46aaa40bf396f530db7b27b5

SHA1
611fb92bf8dca5c0f3ae66a279b316b4da3b5e7c

SHA256
79b3a6a61df3510be4f1a4dd79d1c27b3c83978621bcfd9756f42834fa09339a

SHA512
17e886ecace357433bef0304602f87485ce835387bebe531f7d0d77217e2a27546d6a5b928560c01f63334603da51cec9887927b909eeec7c54dbcb67996976d

Download Submit
C:\Users\Admin\AppData\Roaming\aa0fe559e703f493.bin

Filesize
12KB

MD5
643a91d14ab02706c140f692dc88cef7

SHA1
f93af61cf1250657f06aff1af6622e334155c22a

SHA256
64fe9f3097356e19845c8204f153f807dd9589219c1968e8004b6df9b4b48fda

SHA512
6ee2014a9e5eef0c8a2ba5e188c165b50acc728be1067b9c4d41dffd14f6ec5f4c850b15c8fcc2d9e5eebef5ded3ff9e6dc8223d957ae3defc92d7f021dee8ee

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e001f08c8578297db26b8357bb3bf7c9

SHA1
7ec45338e5a0396cd7013bb813e559e2825c2c4a

SHA256
fd3f5196a749e53f072a1880ec224e560043f8b42e6874a3722c487fac64ee69

SHA512
3b5c607b9dcb8df9eaed65b750ee5690fcaf9f2f1e696801ec52ada7e05e87f0ee01cb792460aa238760e1741e42bdb0b405afb5142e8ba837ce80687f5f99e4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
107e13ccf2f2db2612b4dafc9d61de8e

SHA1
71f55420631d2a32e61951524f64b1fb4c5b1bcb

SHA256
6d03b2adfd1ac721f9c96f0876a14c9fe4ee6d649c14cfa948a0805a22afa665

SHA512
340b4ea3a0b3b49d0816a27553e303f9c18587adebc457e42e0e1611486c0f82ebdd0aa16b8ccb98dec29deed9bffd010e9d6acc68c0bddfbd599280eb119933

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5632e2ad3b4ab4cb78d14668752ad74c

SHA1
55472c4d5d8ebf92c79697a2d73e60ffce37b292

SHA256
e479acfc6b6e53996b7db460e57778dae39e36027f537b77f18e5f5cc0a42a7d

SHA512
4d4d3935d5fa8d2aa0d8672e37cca93564e805cc8475cb0c28989b6339bf6abd1da770634db0b9488c8cd37130242a0f31b85c9fc6f73f386bca5961127cc685

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0b46363edbf3c54ecaeb8a9c1577e84b

SHA1
8b507fd3c5347228a03632c06cc24fe7faa288a6

SHA256
c30ff33d729288e6bd9a450ea8abfb40d0f8b6f6cd1dae07403431fe99c94464

SHA512
4f9f6c95ab6c15247966df511a3395852dac5d5d975eb3c84e4946b7549919cc59f2df3653d754dc9e17b5c863dbf00bc6ac5dfd803523e0305f9279d2f594a7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
45270247f055194c6f15bf7507fc448d

SHA1
ef1587c6be56528103238288dd6438a69570e86a

SHA256
d22a534466b4b55b8fa798a3201d216d0400be088cd7859e04fc1f71a3ca42b2

SHA512
1bfa8480be661c44db9814890843753185543704fe9ffc107a239e899166fe3b3c9d2456a2bb198fa454dd638f6a7208b90b108ea765792cb656823bbcd83a4b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
630b0af8492d4e9f1d6f14044ea68fa4

SHA1
3b2a7c6cf0b6564ec6914e58b825e186230607c1

SHA256
837eaa55b95e5c568ea6ca6ca6a634a2b90869d839351764ae75263c3c855aea

SHA512
7af96fe9db3de4b6029ed68fc2511fea957949cf29f8b3fc9e9c798bd1d9be6d6662e39b58ff0664227d11afb4e5244dea1a396b8e48f2adc37ae94acfdf559b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9f45aa1290ab81d3b18fef0347a9b5e9

SHA1
3e37e1e72797f2392f66e79c14fe7f2caf42a3ea

SHA256
3306016e5ff53ca9364c32c31e0abd1e36c1c39ccdc8ef7dc309186308421c86

SHA512
68d76d446f25fb8f2f87ee058bcf291d7814305cd439afbddb928bd823c6d74abb6115e27b05657c1365eac67c886cbb2c4af8b9d5dcbca8c3ee318da2fdbcce

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8876e9c9224821228cd359a4fef7e259

SHA1
272f1095022a72f28f3b20baf440bb243d8efc35

SHA256
1d0ac17aa8dd26b1aab2409f0643fa117afe720008672a11cbdb4aaacc6e3cb6

SHA512
87aeb95c42f3721b6600eeda03ed15a2c2bf7c7449eadbbb990fe76321493972e1f39115f3e69323d2b19a1b0cc5e9edb9c7096ab4439b5c9c21d891bfdba7e7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fae14115a671fb03f2d119e9d338ce77

SHA1
556018020a339a3cd82ffa2e50b0bf28e4c0d7f6

SHA256
0b0525fda7d6292a83d325bb6db326decac0e6b98b35a3c3eba35b119731f96a

SHA512
f18f81fa0f7cb4c73b7ba47d8020331a5f65e497833ddb05d5c60742b19effba20da97aa99db1bc9484e16d68a43030984a237952e1d88914f511c7452a82583

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7ded05eadc5cf29b4d9ad743b908e32c

SHA1
ac453b9548de3ee3556318be79936ce030523a66

SHA256
c02037bb4bb44e824eb3eab2560e7ef70faf5efd480f5b9a4f5bd394204eb72d

SHA512
2b6c8447dd2a057cdd17325a15dc820ad15ddfaeb006feb61f61c02e2ac6c96e0ee62117d7492de6bb556a37ce0101d66780637bafdf5206936c93466730d49d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1c05a795bda27c57922eed8c7f8eed2d

SHA1
5cd535c6b6aa707a44141985499fe896d06c963b

SHA256
25d8f2c8a94bd2d23ce32b2e9256608a600ef936828e32ec4370c4790675d441

SHA512
6d3b496556ec1c65c3c22d29931baa9659c18499740a46dc230ec9e99352843ea42b63b2dd444accb4a7791fd163ceea52fcd33c5253eac772358275d0566c90

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1cf748e431012cc99832b24ed1a11534

SHA1
b5eaed998941592979dc7b01e6ae22025e79dc5b

SHA256
3bd5bc68f09c137adab46ceb2008cdb8f0eb2b0c44455a999aa982012c3b95b8

SHA512
56e6ffdfb5f689d36926ba37393bcda6e6bb623790ab1911873a67438730fc7cee4abc60d9e062feb9ba9550b920451d9abc8e137ff8c66d11bb0ac1c557b6a7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
592fd88d19dc22d3a1d6acb7477685a3

SHA1
da751b4da6011279ce1f0db4b767270028b412ec

SHA256
3205a9254a548e7f30c44b11a29cb1a1defe68d935fea2b1d1cc91051a0a986a

SHA512
2c004b64b5cdcbc6fe821412a177c65032d25a9b4923042e7916e985eb0574d951ebb1a0b3e8d71e792bba21de545b027ff0c3bde20cf524f7926fa564d8ab2f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7859551132325ec8a077927619d96919

SHA1
bfcee24051d819a50a555da5a9f3ff676e5cb5ee

SHA256
5c8c6692e0c35917af4554f43b6c968bb15eb71a83fc32610b5e8ee905f317bd

SHA512
979611f2bab6d9084d097559f242776fd535cbcd34ee0c88c38381c723df812f4af0d70b71a3bbcb79f2251983db97298dd5a8cbc0731c979116266dc7bbd0b4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2fc298a408ceca5002ef483720b9d87e

SHA1
352e6852def78237b7ccd6c62008ee6e966c9cd5

SHA256
a05ff49aab5732e2290c755e3a8252e578320c318a5622b38a48c7f2ec30d063

SHA512
250133e210bc99093804aba08a6c5b15cd9b1020689a6a9e7ed69ecaadbfe97d654d77620415dfee7249ceacb51ecc5545350ac7b99f0942b3f9715c487d9b47

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e386f57dde3aedf137474d5b94a7fedc

SHA1
126c19d6325eb2a32c79292451e7388741a656d2

SHA256
b063ee28348a4690d2c7164f55c4e713c6d4192fd95b6173d0a92ae86c2a3c95

SHA512
e5dfd936188b7b7867f4d880da207bda107fe2050713950325302b44186a06e0a2dba8c8ac8046725d2f4dc5bfe91d7227f80484d78bb23d52a045639e2a25fa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d09eae8f6a3a2778001f60e4886e9c26

SHA1
41e163b34ee2dfd49a89cfac7d144f24071f6052

SHA256
2a27149e6852c2995b019c46f50d2e258279fdc6eb105b06c0bd0dc30de9f548

SHA512
ff50b71d165164d77d35045ae9f466c33dfb45fe4db74758fcc6cae75197be241385e8ba83b98e70b999ae81faad568aa8a4a2d1963b5bb1a17ff254715b5408

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
dd7a044bb22136e85285d21163fdef66

SHA1
1fcea0d904998de1bdea9cfa654a50c20b3dcc5b

SHA256
b918a44d48859b4ed705a9a7a23d4a816a368aa2161ad495a7a6d1c6992b61a0

SHA512
67afbad0468b8d5b405186c63a0960f5fcda15b2ab73767c292863e221265758001b2e110a3296f5d2ba1463863d556a535850a65a107344ade40a79c33bf358

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e96e8d6cf92568eee283d6f6983a8031

SHA1
27617c8d735bfefc2ce0be1655e9c15b7521d274

SHA256
be09a78ac1a43b2c59ddbc84fa0e1355d881da45cc50184ba439f581f5e184f5

SHA512
0da2c68deb8288a095c21a07127f0cebcdd612b329b48952960bf45cdd43f740f954a9629646cd02cdd6c84ff405c8db70de029e3f105c7d3334f5423c24d585

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b3b4fbcdb9af4050d7d57edbb03e166f

SHA1
6ee64d5530d0338c3af0b2770b12193d9d278f28

SHA256
282ccab66bf2780832bf40c1a7df70a588004cbefec521032e7d7efb4f6dc333

SHA512
dd53d81bc6ec58e553c4588f0cc51df938c3560c02ab7c6c19761e91b3e005096f2ebfba887284f0267c1a2c748d1ac1dba0672e6ed6e34024270f01f0bb59ed

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
acd0f06a55068ffb25943905997efd72

SHA1
11dd7ff9264d4b5ae7df6501c77c97821cc93ea0

SHA256
aecf5f208273a0d7d473888bd496fc247614a69cd60985221372afd87108a88a

SHA512
e47a225cb700a8a6027cfe5c4d2dca7f4b395ed0835b99f475b07ba85b6b9195ce4ea2335d10dc836a7f5e97e5ef55ef9635aa74bc1e3c60289f375c42a14555

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e95c98d530b5a649fa5a9e84054d3f43

SHA1
b5fc1df12030c499cf259e9e2061cc4ee7887697

SHA256
214acb218df2c3f2633e7952447d6e49772f95c3938e1525fb07c5ae14efbf12

SHA512
f7c933fb1b6cc09107c22931ddc2d2e973c01fe775fed18f4ae6e5e75923902da0873e374528b27c9d3f707150f0fec291345546e6ee84e63b3a23e62f087aa1

Download Submit
memory/400-343-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/460-350-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/940-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/940-11-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/940-138-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/940-20-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1164-176-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1372-109-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1372-97-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1372-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1372-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1372-91-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1576-139-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1576-770-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1628-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1628-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1628-41-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1628-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1628-45-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1772-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1896-89-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1896-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1896-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1896-550-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2124-244-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2268-347-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2400-599-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2400-561-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2576-127-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2576-116-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2596-50-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2596-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2596-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2596-56-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2596-111-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3184-349-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3216-175-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3400-23-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3400-519-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3400-34-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3400-32-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3848-346-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3952-70-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3952-142-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3952-68-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3952-62-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4360-791-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4360-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4452-786-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4452-351-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4608-345-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4696-649-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4696-342-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5016-174-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5160-787-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5160-352-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5976-610-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5976-525-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6096-790-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6096-545-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download