caf35c30bb3a8718fe6c19765ef663d445a31a0683f7acd6eea3674fdb7fba43

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 09:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
Size

5.5MB
MD5

c4bfa6d2da2161f9a82b307a81932690
SHA1

24178f31f3c8a4aa5c83a51a4f6abf3b50033461
SHA256

caf35c30bb3a8718fe6c19765ef663d445a31a0683f7acd6eea3674fdb7fba43
SHA512

5200d4b2016b789cdadac55defa4c66dee8eb5c749ee9301e84fec48890996f0b4128a5406afc5ee61617f1f377edfd2415a5f66463c93601cdc3d3329de342b
SSDEEP

49152:wEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfT:eAI5pAdVJn9tbnR1VgBVmWB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4000	alg.exe
4652	DiagnosticsHub.StandardCollector.Service.exe
2624	fxssvc.exe
544	elevation_service.exe
4780	elevation_service.exe
624	maintenanceservice.exe
1812	msdtc.exe
1176	OSE.EXE
4056	PerceptionSimulationService.exe
5044	perfhost.exe
3576	locator.exe
4580	SensorDataService.exe
3968	snmptrap.exe
2056	spectrum.exe
3160	ssh-agent.exe
4512	TieringEngineService.exe
1904	AgentService.exe
3748	vds.exe
4012	vssvc.exe
5236	wbengine.exe
5328	WmiApSrv.exe
5476	SearchIndexer.exe
5896	chrmstp.exe
6048	chrmstp.exe
2396	chrmstp.exe
5276	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5f3d695c4a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d683da92bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001db440b02bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ccb3fa92bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608442417669512"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000048d39b02bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3560	chrome.exe
3560	chrome.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
3472	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
2228	chrome.exe
2228	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3560	chrome.exe
3560	chrome.exe
3560	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2492	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
Token: SeAuditPrivilege	2624	fxssvc.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeRestorePrivilege	4512	TieringEngineService.exe
Token: SeManageVolumePrivilege	4512	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1904	AgentService.exe
Token: SeBackupPrivilege	4012	vssvc.exe
Token: SeRestorePrivilege	4012	vssvc.exe
Token: SeAuditPrivilege	4012	vssvc.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeBackupPrivilege	5236	wbengine.exe
Token: SeRestorePrivilege	5236	wbengine.exe
Token: SeSecurityPrivilege	5236	wbengine.exe
Token: 33	5476	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5476	SearchIndexer.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeShutdownPrivilege	3560	chrome.exe
Token: SeCreatePagefilePrivilege	3560	chrome.exe
Token: SeShutdownPrivilege	3560	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3560	chrome.exe
3560	chrome.exe
3560	chrome.exe
2396	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 3472	2492	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe	83
PID 2492 wrote to memory of 3472	2492	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe	83
PID 2492 wrote to memory of 3560	2492	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe	85
PID 2492 wrote to memory of 3560	2492	2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe	85
PID 3560 wrote to memory of 2388	3560	chrome.exe	86
PID 3560 wrote to memory of 2388	3560	chrome.exe	86
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 1420	3560	chrome.exe	94
PID 3560 wrote to memory of 2632	3560	chrome.exe	95
PID 3560 wrote to memory of 2632	3560	chrome.exe	95
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96
PID 3560 wrote to memory of 4076	3560	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-22_c4bfa6d2da2161f9a82b307a81932690_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7302ab58,0x7ffe7302ab68,0x7ffe7302ab78
    3⤵
    PID:2388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=280,i,749154178333762990,5060579432227556670,131072 /prefetch:2
    3⤵
    PID:1420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=280,i,749154178333762990,5060579432227556670,131072 /prefetch:8
    3⤵
    PID:2632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=280,i,749154178333762990,5060579432227556670,131072 /prefetch:8
    3⤵
    PID:4076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=280,i,749154178333762990,5060579432227556670,131072 /prefetch:1
    3⤵
    PID:3328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=280,i,749154178333762990,5060579432227556670,131072 /prefetch:1
    3⤵
    PID:3972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3648 --field-trial-handle=280,i,749154178333762990,5060579432227556670,131072 /prefetch:1
    3⤵
    PID:3120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=280,i,749154178333762990,5060579432227556670,131072 /prefetch:8
    3⤵
    PID:3568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=280,i,749154178333762990,5060579432227556670,131072 /prefetch:8
    3⤵
    PID:2860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=280,i,749154178333762990,5060579432227556670,131072 /prefetch:8
    3⤵
    PID:5288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=280,i,749154178333762990,5060579432227556670,131072 /prefetch:8
    3⤵
    PID:5696
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5896
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6048
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:2396
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=280,i,749154178333762990,5060579432227556670,131072 /prefetch:8
    3⤵
    PID:5860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=280,i,749154178333762990,5060579432227556670,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4356

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1812

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4580

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2056

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3276

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5236

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5328

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5476
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5472
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bfc7b8afc5b569857bb9720cf117aaff

SHA1
d70f4a2ba513bd928abf64fac4529c9530fcdfa3

SHA256
839587376eda5f84947e1ff109e98211774bdff3aa95d1e910c6de2dea175488

SHA512
65070f6b7762a628b7e2668c5f6d90bae02e89d5c380e86e23721efc0adcc5aa6051fc4e30ef12d102e24acbe937743c42fedcff575799b08adcf8e6aae93281

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0ed81755201980d2abc953f800bbd034

SHA1
a307c178d81c414020f4e25f34691e72af753660

SHA256
706aa8f4f3142cbcfb8fabb1ef0b8e044a8aeeaa51be8a98e6680f4640d53efa

SHA512
a77e51e240ddf7ef107554058364e03aaa4c357797b89739d7463db6655fa1e021313c21fad48a9f1b6e44b656d1925f2039069cecc1626f2731a48900f52481

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
9918c86e2bd55bac287f14113d02bb30

SHA1
a241452f1bfd33b18f303e68f73ea99ddedb50b3

SHA256
01b814632318265df4dfa13d9a9a9a20267857f80204fc9b6533b7c79159d182

SHA512
65535fcf5500091f1214df1bfcf0c2b3e2cf032bff23574077d932e64105744de06055697d1ef4b1c76ed7142971a2ed27ea0600967984b1d44a4b3992d8fd04

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dad8103fae608f6afe420e2d20e29764

SHA1
2010c4db2d7bbe27626ac5420737aed24fc7c99f

SHA256
f362337ee04e3f7a5562ee89fd8aeb35721cc64755f8ccacfa39c5652a7e6d4b

SHA512
383b4e5aeea7a9bc46ec34b87b75af4469ec5fa71773f6827dab45d1c51bdfe3382ab2ca23878cd0ad35765fae1e694c8b60e11083c3031ef07dfe60e1b19fab

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
476de910fefa4f16b0f16984cc864874

SHA1
d3ca57acd939c1061ebdd932b6da912f751cdb7a

SHA256
23e6b9230261d04b99f781536364b334d180c122e5eb2de39a1d1ab94f4401a9

SHA512
7956956dcca86fc4be29af700e196f0882f3ed9e7e3425c8fa2b8b0c0812d22687a614ef3555a25e71c76945bfd042b46f9d818b1fb1fdbb5c4cdd5f99b6e41c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d57c363721053f588f9b9438ffb3d5ba

SHA1
c0993b05b6108f135917e28eb48698ba54830122

SHA256
7126cd18d9b68ce9bdbeba52108753a9872554b87b505cd5d12c7be5b27c36c8

SHA512
3dc275fb5b657ad474505f12965a25ee7f81b8c97548ceef4dcad976a3451f59b1c83b97eea67e5523b0b6164a585897566cc99a861fddcaef290d3e36112ee4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
121fc7a06a089b1e285686b6418aa6cd

SHA1
7a143296a32678165afefce550c6ee4c1014ce38

SHA256
7586560f461de6c5d17817719ac3dae3b21375782d00406e339d6b7cebb8088b

SHA512
ee02fd820af5ebc30fd6818f45007b533f3bf8264631b77d56e708363426a3bcf9c564b773eeec4792e16c934eb3691ab2311027c3aedc9c8069ad9c4def2ad4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8540cf5927251348801152817c02771c

SHA1
d56cb19c27f1a07cc2e7703fabc7ec5f81761dd6

SHA256
ff8056f430d43a6d03707be904f3d8a03af6b9e1149cf62c9d93ff2fa241e74b

SHA512
97b76a6ab37b81f65cf1643c4c5466c3c11bdd39606eb35672d7f7927c973ef28b11a4a9e97219eca5de248b2ac46c9bf966fbae2220d2ac238f266c822ac431

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
164a65b6eb78365557081bbf8e26bb63

SHA1
fde1f5e9db611b1053f113da56a663b3f5798bdb

SHA256
ac1c4056df65626538d93e65eeac2a60d2ab302bd413597a96c1475b966529c2

SHA512
e31c1de22d10e76fd9aa26e55d808aaf8ff53c5a1a6f1bd6fb21b9c05d07f8f54e2288ea5e72dfbf611f21f5bb2ab5efa89bf56c6c9ef141e2d909d538331c4b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1700e7f9d6c78e80258edf7a92675149

SHA1
5ea0d88735551a0da4564ef085d014b1c6e04260

SHA256
0c609cd5a832e3a696727697f68aafe35cee870a6e58f8b3b07c71bea27d9e70

SHA512
d161e5b14da489317caf9c88932284a68083a52e16202583ebb45a25930e7ef87c3789522ac781362b448ad855e054d397b472f2c3974b4534e12ab5b17d5886

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f116bf6467b2c9b7e8f2446775a930ad

SHA1
a530b28301da9e94a87f6d4374d24addf656c5b4

SHA256
ebfc2f94295b48a1301e6d576ca779ed61df4270284de01fc179d06aa6ee9bbc

SHA512
fa3748d79874439d6c75ae99e7ed2150a4e0b9cc524d9975774f8fb0ffe740be80559bd86e8f0d31a545a627d51decc08873732f23fe8f198cbcaacac5b797a0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e6efaeef52b993b3d75ff86767db57fc

SHA1
589e1ac9af6020a475f750b8f7643ad457b52bf0

SHA256
7c3d89fffc731c1c1afe0784729b3a68877db56c8185dd354d7cdb3bd53fcc6e

SHA512
78d1a0940a2dcf2f588bebc24edbf68e10b2752eb341c9ba4bc456d7110ccc568e4d8a3f5b098ec9bb55896878f64512275924dcbe23531c2797bc1017607d29

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6390eba866af9adb755c990e2e7571bb

SHA1
6e6a643b4306d95795b4232677d69940de14b6b1

SHA256
3a8e80c2df04071ce0daaf322ad8760ab3ee1292e6dc9edffbd32072702aa847

SHA512
368d4b11a4b9f7b91b5b66e19bd1c34e7e3f5333bc0f2f852b104f34705bf1366c58493009162740ba1171ed7cfe255c87643208b9eafa4a12868b124f533c68

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
87390a60f800f60f6c5b734b33d5cc14

SHA1
9e11e986b45b6854d0f1aaaf8c1a478e046bceb6

SHA256
e73be84d14154f26a45744b7f76f8c7ac39e3816c9a253034eee7154cdba1bfe

SHA512
a48079c97dc9f87b9252454c27096376c86463a988f1c4063c45eea4286a74cdc1eb061a4c77769bb5013003f62952d74e0dd75c93cc6937ffe9fcdbf5d7e261

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1bd81c5e5558b4aa8cca790413f4b9e6

SHA1
dbd5ac20f1deecef9076fde7c87140fbafa66626

SHA256
3769435e4c82ed9c0265eb7c8c03d485fac3437af57d1b5fb0dd40bfb0a623b1

SHA512
34e946ed95bc1c5dbea8811d7b69785d6598b2845acb9616f65c965300c3d2e085cc7a250635cc96dd4038ce580c3ce4199b4f7d7034c456362981fb384c72aa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d73e729f66ed137c2fa7f4dc4158b8ad

SHA1
7d3c344e55c9921238d7f23e4c6480dd9e45f860

SHA256
02cb5a919de34bda93910e9f951bae83bd1b5efb6ad28cdbb16e899264c8d807

SHA512
3ed91babc5265e38be4f4637a66f45303634bc77b66e6e4b78d86599bfb1486e8c854b00425b353de431ae6146b1b2490096b8a5cb5c5dbc3206a8fe5062ae1c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\8d5d4bd5-1873-425a-ad70-3c1c37ad9846.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b2f80f1863788d5e6325880cb9e857a2

SHA1
673918db6c45a96513de268fbef07686a1c4db14

SHA256
895f7160db00a6c597d53170e3a9ab8d5bad1f3e56f6885d98d37151f209ac7a

SHA512
02b2822a7c9a785a4aef3cd282d679c3c9d88e88ccc7933a47c5cd8e2c1d8ca3fbe3ddc3677489e14047ee114f453e389ada1b8a3575b7ca77150302b3c12131

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b7563d15b65d20f90a8bcc4bd00faf52

SHA1
f7a659bcf7a3ceeb9180e57a00bb64d505eccce4

SHA256
fa19984755c880bc51e3e0d5ed302e56c3ecc9ff11d68c2c3e5ee420f99edff3

SHA512
81ac248081a0eec224978bf27d487cbf23d6741affba0167352c7a6d1dd934bb6830a09a4f7fd725692db934e2282e906bd5a08be2490b8ba2f114c448cce431

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ead5c5b65992ef68cf2eb90edd0f8846

SHA1
e23f95767614ce9830147ec6ba7b0b5ca18a8101

SHA256
be7c1faec23a46d25250554bdeb10d8f49b4fc3176004c914f34cd0c8caa990f

SHA512
043645f254ad57e33e6968a60ad645630ca980de7555b410631fbc597bdee7402e1f4b15e7d522537f01304ca08400fd58a69609a125e7440dfa3f1bb33d1077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
26d1419f42ea8fdc97827817203bb980

SHA1
72e8a26867a9ac9047894040bd9942a733fa480a

SHA256
c034ad0f41c804349db38ce86c4c3eeb6ed21a2ef7593bffc2f0d87685d86509

SHA512
d0fb7720e9f28a46e848d4f8724f7adf3cb413e8eb155befbc6c6f8d2cd1b2162baec0c335495b775994651f63816b807f5c09d0afd3803fd5968237979678e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9c1dd67e03820b05896158332030c889

SHA1
cb1b1405c059fbb5796c16c20a1b22420f54328f

SHA256
03920800115dbf2f9059d6036b93198cd8e521eadf71a4ddd6590c8a7cca68b3

SHA512
f2e771adef5cf4b7341e90d4d5873a3b3b8759bad5f03f0f5da20190225efd273c8d6cc22188852849e091fce99b1d46655bf6926e55764d7cd7a9e32f91ee14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3da8fadce20123e93888938e286f55e3

SHA1
0740e35735e128d88fbaa15d848a66700836ce9b

SHA256
4e0d746218b1b433ee7df112b3b2647a862aa117acbf934f570c27af60e840e0

SHA512
29793677e351cd55b04cdbf66401f9b69a15303d16a9649fbfbdb5e1c1e08e134f6101bfaf88c6ebe62ec78e96b89d0224286219df52286b153196ec5ef7695f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5759d8.TMP

Filesize
2KB

MD5
056cebe70ead07d8acc38f1ddd50556b

SHA1
906167b4de443ef14bb095ae8f196165c25d17e0

SHA256
bb4c89650137cd1ed35cc2299d77c4b282072dd0e43418272d06a04c82c3733b

SHA512
ba3fc43ac1e418b5c33910a18aa115755a4350b946b3a6589b77361b95f5f109973c3a072b4724ae9590f8ef2cdbe52ad0958be62d7d08ac46fd90dc3de00fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3fcbc15d1167189ff1287f0e91709a46

SHA1
d8120b368c655dcb96d58c706e08ad961ac40b56

SHA256
7e9b933ee111cf143bc5c333d09ed067cd304b3362b88cc3930c8ade7117bcd8

SHA512
6a4102649020180a27736ea39c64f2f9aa94e6febbb249830af04e63ff61fb782fa2bfa8e5fea4a6cc2cc5e7f589164ca6f8a36fcde9cf5640147cbebf1cd81e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
12c239b180eba32ae70e04b7dd324e44

SHA1
2763beafed152f53ee771fad2f64bea327ea5c1c

SHA256
691f91dcd1c0bda0f486daf00f3f393f2cada9a2bc900ba2313ae518d0a5b13f

SHA512
22ef50cbe6331bd5abbaa55d752d18ccfc0aebbac54972165c54ae57e236da1d1ba9a85852de4cba5487d097e87808ec70a75fcc7b309024caa00e95381e6696

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
e95dcdde5befbd5584cbe8f3530bd042

SHA1
41fa0d20e4776a79257bed4a7b9951ce5acfe114

SHA256
26a1cadabfd7398a18056596a6b01e852347868c13ccbbe14497d14c3f5015e8

SHA512
680ac7b901d85fcf3b09849c21685113a50f9767378b768d599af241a17b037f63f4141e39a4c0bba1eb673b303d839d056bff6c988e1477b4aedff36f8f64e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
1325ad37d8446d7d09aed5e3a2e1ee38

SHA1
8af3e2dbe2b54b8613fa58e537507fb844686059

SHA256
6d54141616c1bde1d8b06bd68d11ff338b283a1a01e34830e5577ea8b0b9899a

SHA512
fc855e01fb43d0ff0dfadc8efd24f3e449692e567ce7c780e5c0b81cdb0e0c5d5d2c31e0e8703ddb08fa7da250f1bcc7b6c1f9cccd7326ae91f15d6bf6c1ccdf

Download Submit
C:\Users\Admin\AppData\Roaming\5f3d695c4a48edc7.bin

Filesize
12KB

MD5
dbc6323b8e40b888bd7fe30f56a65ee6

SHA1
2fa885f054a80e81ca0dbff4d06d6e451099af39

SHA256
f9d7e999dc83b48f257195e3fb687603f5289878871a487942f0f3d512d5955f

SHA512
1e63ed2bdb6c9b170820b7fd7d8f5e19777754a4a57a1f3c7e5f19d1ae285074a4fa3aa4c78765ba835a286a476506d4245f94e5c927469df45bb4c9ff9fde5b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
69d555f4465cd30f0fbea42029d3ec51

SHA1
66910f4f16da626b83b00a364d008b14f3a3cfe6

SHA256
c2e43e4ebc082dadb2681edacfb1bd1b6132effb93ae62ccc9c835dcb22fc706

SHA512
500eab7b153e9237350f2da292432c5e0e9ca134eaa9d2ef9cd710c71de57edb71935d3f502675e65658b54bf9799f8455a99a941be4d7fa5717cd7b053d820f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fda0e69622b19744be0c9946d9caf8fc

SHA1
fc8b8deb6c64cdca0ac66b3eede68a2853974539

SHA256
57dfd1bf637b319427e8f2534590fbbac787f995c9d15aa671b3f8083de259b4

SHA512
a8515b9e4e04777bb9b13478847ec30daa1b949c7fccdbfa31efc3e7a2e54dc52f2899875ce9ff4cb58b5186c3f9fd6c557b5b9bf910f1599d4b5897340bc4aa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4f002b6656425402815efabb8a88c5d0

SHA1
659557342e31ff95a78cb4e54ee9ed56170037f9

SHA256
b541f7c03ee97aaeff71eb35208badbd06b706e1fd661e788847a70b79838ce7

SHA512
fa0ff9db24ad7fed1f878e7d6f4b53a8653be887db2eeadf4eb4a4b436d2e178b42135958d39a0be6bed98ec0bd53fccac846847593d6ca2f13868f07eb26576

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1d69b3271d6d066029c6e5f072ed5c3b

SHA1
87bd831e760899b4b56d4ba82ce8f9dcc81a0e5e

SHA256
c7c75cf65287bd1e10aa55c79f56e25115b9a33a8863505ad67ecd701302b618

SHA512
1b9c75e428f0ebc24421b0d55dc1b97935c5121d4fdcdbddf3c7b103799201e2bc2da1539cb42e316b26f75640cb2985f44f07d83dba880c8d3db10557a16371

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0a2c266dfbcde08feb2a1a406b7006f5

SHA1
d8a831f5d43a4fa400dd25807bce250ee25c0b74

SHA256
33358c1f40c21665b6e70597b34dc562b62a6cb549f1b65700abaae97a95aff4

SHA512
757d29212d40b80f10255acee227e84a2253b74885caa1398d1114838f92096bb69fea4158764282dae085e2785c51c2702e7e57b406ff0847aa0a5e651b7696

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a58925f5038adc380e4c1fd9469b2a29

SHA1
4899f007589a5f04d03835a3aff38827cea633b3

SHA256
13349fce05eb6d2f5e644078b85635572a24c527ce2daaf7e7db3442e0ba9098

SHA512
4fb425506917c2dc097d94091374e4cf1c211960b117894d0e48a80ddcae658536ab627572db8ddce39821034272cdd89e969350895536f82c9a9d3b206ffe71

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6b3c800cdd0ffae6d886f6a28ebb09ae

SHA1
bd688932099fb5fe7b02e44e039a81827f2f14bb

SHA256
180913fd85d0feb62be18673c1f2f2a80d834405ad2e388e6211c5169fb01b59

SHA512
a4c3090457ee6eea4abbdd45a3a423c22c04888fd0b906f6cdf496024abcecd01a4974f2075f16b380927a02815c59067f16bf03ca3e41913391bdd9139672ff

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
da0023c27d83e35ecd53c500baa26e17

SHA1
fc60efaa08c8224220d656de520c3dc970a80928

SHA256
cd3fe264e5175863a81e66aa344cbe81b606074260291d1253ebe13da1e757ac

SHA512
2af967713a0e0f8a16e72ff73bab333e118390c330a407180a41da39039753c646e89e3b1961af094f46641def1ac67f9820d03c54ec48476031f5ae5eb56882

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f825d63e4ba78c8d445d8b6b85c2efd4

SHA1
4040789cc935bb03dc606a9623d95902d9b0fa1a

SHA256
651a2d18317e519657cabeae06befe6e559a11d90719e1430fb7a1951e394670

SHA512
41419ddbb8f95d718536fd5274c2253d463de0ef99590558b83be51d515f52f56e397f3107223671cbdfc4e6ee4d5d30d47d38801f183c42c780a56d5d7a6cb2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
aa0598f00b033338bc3ee08d0f83f5c6

SHA1
717444a3ef1aea35d6cc2c48924fb9f868145b00

SHA256
af97db73b011c6e3bd96fb4d8e990ab6a1572e4d8f0101e27abb7c148ea72ae0

SHA512
4d582fc18eb1be0965ded6630b140410691b0a6de7655c2d83a8849750277f293ec1cd072da64ce47848eafdc2db2a380c1086798d3c8e15439f462d2d792004

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e79f3bd89edf22ca922e30063e525d49

SHA1
f28964996856e19cf557144c6429e60af8c88262

SHA256
9f2cbc25485721f9fe88bf56019e1d66865b6060e09f78ecc3be6afc1881380d

SHA512
244167a749c0ed83feed380806e0167e7b9c4184855fccd9a97e7a654f4881973e83b54f65e48876c4b970db68e67fa449e6fe59c84d898eb38c4876db83a00e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
106d30a8e86b392acee085c15b6e5bb2

SHA1
414bcbdd06c78760226ed78b3d9988975efb1928

SHA256
d7700d52fa6c055d62254258ea2292fd912851960331e0f877f9ae346acc7b97

SHA512
57c5beb95e0007c30d4fa31290eafec0def8246f9a5b5bb051f0543cdb5f8cb1311e67c896854f8ab000f82c7efa16503465dd860699f4aa32e498a2920a7adc

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
008917869e1e016379d6c5db9a522b8c

SHA1
83d8adbc91519e55e16bdf63586cec5ec21b7d6b

SHA256
8519f013cb3526de200e39c17f1eaef7981d8fb68c8db821017e4fc4a0877038

SHA512
ef0ff755c305f56c03d2494ead41258787706c3a4b970db0a7d61d15cb31e3ac7f1bfdbf2504da769da424c92e9f9dad6893a974af3e3a9cb3448c09d873dde6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d82d828a508fe9d5ffe533e62cf03e6e

SHA1
be197e9072fe3dfab639d9b3db80273210361107

SHA256
d7c1d665e29c0502e653eea0f49695d9475016d307d1e703602a362c65a55a71

SHA512
114f43ff77ce1ef7d37e223da666e334cda1e3742ea3220be33b4e401f1ecebd6370ddccbfe2e6f4ccee3f55dfd3ed85071357b01fc04b72ccc05dba3b7436aa

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
fcd169d981f1e68ebecc3e5486bfe2b5

SHA1
0485a1acf1341d87fc9cebbacb300c12256c438f

SHA256
e8d03f8173a62d0a600d5626b2852add731d93b3922e33978779d5bb3b34c27b

SHA512
5e26e062a77d22ffaa370422896685d594738794fe8b4c793511b051f4221d6a2af5695bdfb99c47f7429415a2143663663d2d25bd42f51da924a2add3b9f2f4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8be800da6d4a8f8ef958a00c14132b93

SHA1
486d02b10969502941ab2863d8b3cbbc13ded652

SHA256
88af0f7263082cc0e5215df8d7faee2531ebcafdb13bc4b6b5d3edf7808e2e64

SHA512
9c9a381cc78998c4c7243d27b77028c9a4ce5b1abf228771970a17fdebe4c7fb0dd93da629ce7ee361d3bdb4ca9bc434a872a23adc4736cf63e2b4234ca04612

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
f64f940c3ddf0c0dd42467bd7d367fb9

SHA1
f737161b7e85329efeaecf59dccddde4b518a2cb

SHA256
3c474ddd1ac5d0353d2271a9ab3f1b321241b2d35f7e83a04df513502c144acf

SHA512
8c23e13f1811f2fe1f422acd55c01df8ad46ae736c584aea6e2f4e2287d0b22dc102eb3781c308593bc5aeb2d593e5e701e13836215d759ffe5e4b96975ece3e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ec8534df723a3cf5d8fc2488ea89eb2f

SHA1
be602497b423eb7b4661d5cdbd0f3482ffbd31c2

SHA256
5e661ea79818eae9e9f5e19ab824417280b3288b49d9a91c68b2c0291ff47eba

SHA512
4d3bbef6fb853d9102a0c86aafd82a171aa20b0f00e9ba9b95de5949d2a5b699ad2fa2fd65d1d441eb838f9fd2274f08ff2a21e297de1fc6f76838990f50ac0b

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
295c35172675c56d85b3271fc5adbaf7

SHA1
fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0

SHA256
f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0

SHA512
15813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f500260b697272cfe0f94feaf6e06ee5

SHA1
ad4598f0e592893c36a110fc99da20dd99983999

SHA256
b650b70b0df7849671d2ba52f6993475a259ae4f05351087f8a594e087d3441e

SHA512
af19b482ddadd9427b209a685849633d35e262d5cd996fada6736054aff42c362b572744a1235137c3bedb356c282c1f775299f7df8e0b4cc79c70509d470b70

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
94a0af97115fda51d4e3a4500a6cdb79

SHA1
bc90c57e121cc69a78a8cc8cf0b1ec7276d1845d

SHA256
2c905423b75370ad32176ea37a5b1650efe9ce0ae5a4850dce98e179a020ca0f

SHA512
5fdcfdaab637c154e05fe21cc0bd2086b042133ea22979f0ac53bb52650fc59bdfdfdb94996de6c77d756eeed3df7400d5be45c1904adca7b9f7738c9fbce267

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
4760ebd691dbc4bf2eb2a40fb23f5f8c

SHA1
546f4bbfacbce9c7ef3f3563ed67386da6964ef0

SHA256
a887e373eb8c15726146be18a824726d7ecf6d7109d708c3e9ead6e67450ac0c

SHA512
967d42293f51b5cb48b5b68497cb44aea6558e3ee827c4262cee9a4bc314c157b64dbdde5390410bb7dc67e1e11ad5532cec3b4360e66ddaf2975c8fadba8afe

Download Submit
memory/544-76-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/544-163-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/544-78-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/544-70-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/624-94-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/624-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/624-93-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1176-257-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1176-139-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1812-242-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1812-110-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1904-243-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1904-255-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2056-207-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2056-521-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2396-547-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2396-590-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2492-41-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2492-6-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2492-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2492-35-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2492-0-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2624-62-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2624-56-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2624-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2624-66-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2624-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3160-535-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3160-220-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3472-11-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3472-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3472-21-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3472-109-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3576-175-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3576-293-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3748-664-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3748-258-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3968-512-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3968-203-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4000-29-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4000-166-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4000-22-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4000-23-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4012-670-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4012-278-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4056-269-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4056-147-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4512-231-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4512-556-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4580-190-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4580-663-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4580-312-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4652-52-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4652-46-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4652-54-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4780-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4780-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4780-90-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4780-219-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5044-167-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5044-281-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5236-676-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5236-282-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5276-578-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5276-749-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5328-294-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5328-677-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5476-321-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5476-682-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5896-601-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5896-518-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6048-522-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6048-748-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download