142a55099ec9c550c8bbf53840806cde82c7a83e2001463faa5681939a0ef596

Analysis

max time kernel
121s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 23:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
Size

5.5MB
MD5

d4ff7075d64894aaf09540a547e71243
SHA1

fd9a3ce76f4c92f6d2a3cb8184f7d3bd18ee5d05
SHA256

142a55099ec9c550c8bbf53840806cde82c7a83e2001463faa5681939a0ef596
SHA512

4e1362702277291c44ae2c8fdd80554cf0b962516d74a3374d1364a38c9fb76392e68b71192b3d27fff1c81f44d253c5cbf94cb08a8919caa310cf2f77d7eb9b
SSDEEP

49152:OEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfm:UAI5pAdVJn9tbnR1VgBVmQ/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3128	alg.exe
3380	DiagnosticsHub.StandardCollector.Service.exe
416	fxssvc.exe
1104	elevation_service.exe
4696	elevation_service.exe
5116	maintenanceservice.exe
1816	msdtc.exe
4288	OSE.EXE
1612	PerceptionSimulationService.exe
2820	perfhost.exe
1664	locator.exe
1776	SensorDataService.exe
4252	snmptrap.exe
1528	spectrum.exe
2168	ssh-agent.exe
1592	TieringEngineService.exe
3416	AgentService.exe
4936	vds.exe
3920	vssvc.exe
1392	wbengine.exe
2184	WmiApSrv.exe
5244	SearchIndexer.exe
5472	chrmstp.exe
5560	chrmstp.exe
5676	chrmstp.exe
5756	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f97388cc4a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000535fa2e0e7b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d3803dae7b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000659ea8d9e7b2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033ecb6d9e7b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ad8c2d9e7b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e14dd8d9e7b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4784	chrome.exe
4784	chrome.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
1876	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1516	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
Token: SeAuditPrivilege	416	fxssvc.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeRestorePrivilege	1592	TieringEngineService.exe
Token: SeManageVolumePrivilege	1592	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3416	AgentService.exe
Token: SeBackupPrivilege	3920	vssvc.exe
Token: SeRestorePrivilege	3920	vssvc.exe
Token: SeAuditPrivilege	3920	vssvc.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeBackupPrivilege	1392	wbengine.exe
Token: SeRestorePrivilege	1392	wbengine.exe
Token: SeSecurityPrivilege	1392	wbengine.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: 33	5244	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5244	SearchIndexer.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
5676	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1876	1516	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe	81
PID 1516 wrote to memory of 1876	1516	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe	81
PID 1516 wrote to memory of 4784	1516	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe	82
PID 1516 wrote to memory of 4784	1516	2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe	82
PID 4784 wrote to memory of 2756	4784	chrome.exe	83
PID 4784 wrote to memory of 2756	4784	chrome.exe	83
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 3268	4784	chrome.exe	91
PID 4784 wrote to memory of 1924	4784	chrome.exe	92
PID 4784 wrote to memory of 1924	4784	chrome.exe	92
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93
PID 4784 wrote to memory of 3900	4784	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-30_d4ff7075d64894aaf09540a547e71243_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d8,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffa4a9aab58,0x7ffa4a9aab68,0x7ffa4a9aab78
    3⤵
    PID:2756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1916,i,14605990093264148107,14645229638240752443,131072 /prefetch:2
    3⤵
    PID:3268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1916,i,14605990093264148107,14645229638240752443,131072 /prefetch:8
    3⤵
    PID:1924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1916,i,14605990093264148107,14645229638240752443,131072 /prefetch:8
    3⤵
    PID:3900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1916,i,14605990093264148107,14645229638240752443,131072 /prefetch:1
    3⤵
    PID:1164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1916,i,14605990093264148107,14645229638240752443,131072 /prefetch:1
    3⤵
    PID:4728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3712 --field-trial-handle=1916,i,14605990093264148107,14645229638240752443,131072 /prefetch:1
    3⤵
    PID:5088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4028 --field-trial-handle=1916,i,14605990093264148107,14645229638240752443,131072 /prefetch:8
    3⤵
    PID:3440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1916,i,14605990093264148107,14645229638240752443,131072 /prefetch:8
    3⤵
    PID:4312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1916,i,14605990093264148107,14645229638240752443,131072 /prefetch:8
    3⤵
    PID:5392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 --field-trial-handle=1916,i,14605990093264148107,14645229638240752443,131072 /prefetch:8
    3⤵
    PID:4404
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5472
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5560
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5676
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x270,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1916,i,14605990093264148107,14645229638240752443,131072 /prefetch:8
    3⤵
    PID:5696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 --field-trial-handle=1916,i,14605990093264148107,14645229638240752443,131072 /prefetch:2
    3⤵
    PID:5508

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3128

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3960

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4696

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1816

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1776

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1528

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2572

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5244
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6096
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2364

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d89916f67abeda7ac26e76b093c86596

SHA1
c077959712f50cb93b6d23e2b6c5d9aa752868af

SHA256
afa65133dada3272877d016f6df7ae9eacd193a530bcc38c60ff025faad1aaf4

SHA512
c9a3ce6c8fe83f7066e1c2cd0c097a84958df3d72e34f2175ac2f9152abe00fbbdc2b8ea6afa4cde319d2308d4aa5a4f39ff08addac168d7c982a78bab236386

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
628140d1a8936c4e95baf195e4a22128

SHA1
e31d93856092a744d20fe64bd46d91b73f454e7f

SHA256
f5a167a32ce8d39b1c6ef1b5833e9817812bb02914d7a919387433fc7684d8be

SHA512
204648427ebaf5630f1505551294f0387006ca9b170db2ee303186595d08a7732c7e656ae837be630b2c2a4006ce11989788779e621b60d5c35b2ebb34bdaa4b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
45c7be9a0561647e362d7f08ee189961

SHA1
f2c783d457538bd3370683f1f4a54d0caa5ce560

SHA256
3c5e546b45d7daa2bb79273a54fd337b9f06ebd952f9a00c8d2d270636d8c56f

SHA512
88478716d2aa4c97527533986f619a4702e5b07bc2997d347fe5957410bd152ced1489ec9b497de562b580b5d0d70e086970721ef9a56a7a356e93d82523d665

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8dc1f8f19b0ea86fbd7e9b5a98921b32

SHA1
99732c2120914b98d40ebaea79662e0424ef20d8

SHA256
7149f9bd9aa5cf06507a2efa0440b4dcfc6d67dd5e5f9f8bfc8011f9451fa8e8

SHA512
d108b97288e354e25647d55f71b60b34039d9008715c9b8a845004fd1a96f04ac82be0646fef30c20b1a730cb533a75d07f85a7cd6d08b58c1813aaf04c91fc3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7c8cd141c5f02746f1feca8a89e40d48

SHA1
7259c0654de78ed0269b4f44d201b77b62ade9a2

SHA256
7219e53d80f6f71d0d1a26f48105c28bb7ed437ed9d89ad18b8a719f3340188c

SHA512
18f6279e36fb8037a203b1933970e529b1dd32a1c968eba95c18437bf11edc2a940a64dc6f1ede920f04ad8a0b19afc33da857ec9507e434c9907a21a431c63b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2a6279b227ea5c8ab632c981c91232eb

SHA1
597eeb06992a757b3daa7d3cfc1868bbd6efbf07

SHA256
0eb8918acd05c28ebc0bb56567d17727219de7f8536a9c9da79eb87acaaac8c2

SHA512
ad4326159d1e763b0bd18125f0bfa108c30b6ff9e067df14f7b91a76663cc7bcf19e070d29078c239722476bac6af9fa8d7b6034bdf8970f28c74295a4ee8fad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ea84a4c8b121057cfbb280dcd674bb3c

SHA1
1d3073ec0a053bcb2c13568cc7cf89e66f8f2df7

SHA256
d20996a5ea5ffef6b646e3971979391152a0ddc98bace49aebb092e80a937684

SHA512
6e29f3b5badd8539bfe26fb4e270465ad4c6015ae76792ea3ae24aca7446bf18d703aa98a93c34722ecf20c464ad0b827a5d886984161dd0de6ec89ea8cd8043

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ee60e482c30a35feca97742fc9bb8c8f

SHA1
b1c342a0a6d995cefa242fb861a01bc76544f4e4

SHA256
91aac398686eafdfb271871cf724a2f8e26b9a51debfea0975bd1ce32d58bf5a

SHA512
c77de01198c6032db33bba6ed4e0b44e86a211656f9aa4d3b001a9f45c3ecbc99f7cae54423d922f649ebe59f6414edc5492495a1ce77f0d483f2479f27ec4bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6dd385a9c81017b52b7879f7439f4be4

SHA1
60dc8d68c0daa0beb31d02617f573332c7da5ea0

SHA256
d54a37f3e7eefc196ce8a013a36442b9f3c31d3f16ec84f888d3b9286d1a7f3c

SHA512
35f84af1a05595f5063ce715dfc33ff81d7d0370bd7d325df3860f65cf08190f42cce3a60127f662e8e839d705772d47291f99ed0f3954f61a8dd1a15949a1a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
507cbae02829e8be9641ae87c2b82623

SHA1
526327f81458bc399a773ee5161cfa88f9761920

SHA256
731a8c833a12d942239711c38d3a1b43798b4be3928ae2343e11d2f2c1492774

SHA512
13027909d99bf5a6999c0b900a51378b9b7b09a6678434eda05b01d18dcca13ca557d008068efb1f299e0c8c0bd50ca5f2ed3e0cac136a0becfd916a03ba797b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c57087e91b0faf827e451834027f81bd

SHA1
699ce0d276449d955f5e1af39758210cf08d3ccc

SHA256
a3a366bd3581449c4bf61bf60ec0fdae1b270100fcaca787ee81a4681c85fa72

SHA512
d29b03f1c34d43b1fc5c10b41e962389034832487d22b7efcb3a9af4158efd003b0f4593fb08e637b8e10842080976b5310d2ace1815df3bcd2abfb23f5a3cec

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e584855cad734ef07b60e749b72a0852

SHA1
fd963a42b4eeb8dbe76bf59fe400fa2a78c5079f

SHA256
248df021d7cf6b3df81a749a2cae5b9e86cf739f93b7c1f8693ec892d87a1956

SHA512
eeea39e0a83cebe3bbcf92cfcd282f67db77cf090438287699dbc00f564cb32ae91e589ad3ce0a9e4c4a3e8ce79ddd9a334678ff6ccd0eefb6393bbd11d45643

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ff98842eb84a70359b55c563fae4f52b

SHA1
d2b11fccd0a5e3e1dfc813a0bd778f28402cd9af

SHA256
d953748abc76e8aa25d0ac31314c4d5976552758d7feddcd94e895689622d52e

SHA512
8a3ae7798616dd034395224bc1fa5d738800af48cad6be8065df8fb952279f25053b44e11d8eefb3c26bac757cf385f8cb6d143d79f72663415c92a63c760565

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
268fecff5595ed552c193aa2a1419697

SHA1
ccae16e706e79d1279e4285ebc285f1f042f722f

SHA256
cb5188b428425b78159a4a0b7ac8b104d7506f57b1c35c831aee9755b413c52a

SHA512
e239ae12575e58011d33cb67e2bb59c3fc5834ad8c6671a628914269988dc10cc0ad0ad49aead6f486e9c2e2793a8fbf07e0f6b64ef7112a850092fe0db505e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7f0302fe0363705cdbf58830048708ad

SHA1
7fae7a522bb8df4ce86d40751918a3ddc4ce4338

SHA256
7ddd7dae095fded5b3b0fa1e391643b9904cba4a2543e8d1a44d75937c8fe065

SHA512
cf3cfdf9ccae27edd867f100b21a00663839189a2f31de6cdd05c0f8773187bfd22e58e431103062c82905a7eca71afc680471c9046cc0f0683fc01ffd1c14de

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ed995dd51e11964e9a41e6dedc3ebf20

SHA1
1947ae8b7389bb90f1e507eb334c4093461a5a64

SHA256
7da1b4a57c0be07b528e6922ae35c02a2e12e69c9a03b8cbb63b8df2e7ebcdbe

SHA512
9c8ed9db575690d13000821e27187c82189aba5869ea10262cbb9658671ddf63866b6e08e35cc5b7729e53d9ee971e1ccc061ada17cec45f881cfd664c2065cc

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\14781492-0a27-4b68-8f28-bccf32ff73c0.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3c87cf22e20703e72bf1b8b841a3e5a5

SHA1
7a16d58ccbe50a2d0cf578d3ecf6e68d911cb6d6

SHA256
29e617a463a1f252cbe005c5f6a7b10f3b6cf27dff8a986102c3d657b0d48b59

SHA512
ac7f404fe8a51edae6bbdc59a73c99c95486acdd0d2ebebd3d3f453002d4d33dc7902c5599ed88c65a6d7f1e5a03048e8527deae4b67d54a24b495d6cdca99bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ead5c5b65992ef68cf2eb90edd0f8846

SHA1
e23f95767614ce9830147ec6ba7b0b5ca18a8101

SHA256
be7c1faec23a46d25250554bdeb10d8f49b4fc3176004c914f34cd0c8caa990f

SHA512
043645f254ad57e33e6968a60ad645630ca980de7555b410631fbc597bdee7402e1f4b15e7d522537f01304ca08400fd58a69609a125e7440dfa3f1bb33d1077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\52e34e9e-5d7a-4142-8873-2d0da0733668.tmp

Filesize
16KB

MD5
c9dd9caaf0081074d60a0bbf56d8d5c1

SHA1
ca5cc626db23b8d48a784bbe9f737af154fe4c9a

SHA256
1c34d20a095d187fcecbf7b9929b54a5eb69c320cfc31ce6648768676d165381

SHA512
7caf63d87ae2ee0ee218394d757d528b79461eecccbfd8e69aec9f661cc9a80cf120294ccedfab426383a614693b1f61f459bde8fcc9af38936ff4e4d05fe19a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2eee8c26f77511ff6e516d4ce4d79e1b

SHA1
4e0ad9f71ec5c43bfc28c0f7838326051ffd7c61

SHA256
84fb454544a592346cb1dd1007d9c8ef72bb7d562bdffbad3e7ca40b0fa8597a

SHA512
b0542704bfb27720736ec3b92784ca980083a0d85f18089ac9d1f672816164a3ef3c86b5b412aca403d681f9af4d3b371714352dfb048a1fe61bf10662bf423e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0d49224c9d83b96ef95fe51707ccb57d

SHA1
fdbd83c8c5a82a9724b750a1b113eb56ecb3410d

SHA256
aa0c18727bd1539a220ca4cbfe4eb819bc890cc23ad54db33beb6caa8f95c9f7

SHA512
9f05efd79b34b3206456a701117788208a4c7329d07e79fe8f386a757b5287997144e9150a00910826a4221ef5ef42cc74501a213114a1787d226e57d97b29be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
be816ecd76f8f9beb8e41b6ed93fd038

SHA1
a4336eba1f2c8a2a7ef8e7c564ac5a1c19e480fa

SHA256
a5a52b8645a3d4f3d12be15dbcaefacec9269992b1fc7470c79b47240e4f25e6

SHA512
42a46001582a0b4e7a4cfd7189b02d01bb71689dbf944fd8d902bf06c86dd2dd27bd767369700e711234837a04ea9cfc12ba1330d4d7f26e87e7421a963ba5ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576adf.TMP

Filesize
2KB

MD5
056cebe70ead07d8acc38f1ddd50556b

SHA1
906167b4de443ef14bb095ae8f196165c25d17e0

SHA256
bb4c89650137cd1ed35cc2299d77c4b282072dd0e43418272d06a04c82c3733b

SHA512
ba3fc43ac1e418b5c33910a18aa115755a4350b946b3a6589b77361b95f5f109973c3a072b4724ae9590f8ef2cdbe52ad0958be62d7d08ac46fd90dc3de00fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
d0549cc736130999de45e8991e805ae5

SHA1
d050d7ddb144892b0ae60c0814632c74a8a64803

SHA256
6c89064aabc63c66e751cc5134f789028f848bff04bf94047cdadfdc7d086f20

SHA512
5a072f16f32369e9267cdce21cc5518953528390cab23b36827c5ca3a8aab1b19e8a8d6ecb0706f9f38cc12d8b39d131edc0d4760aac7dcaa90856db3f6520b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
b5dcce9ec4cefd2e9e5d1701b51f7dad

SHA1
f44c75d91f4a559731785d756d32413e1938c9c2

SHA256
1ef40c803e12c0bfe0e910057c037a264396128b755aa2bd87202cdcbc8628bd

SHA512
39c77c690f9329805480b25294248b4bac33a66e4813ee94102dca8f3e8f6ad504c9f30acf1628241db4402bcc034fb813ffdc12537de717b7071d7b4569744f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
31af281c490e3fe905dea71f3de1d6a5

SHA1
617465e2ef1edd6771657669e1aaf414db68653d

SHA256
97014d3d482111afb5c7f39109f6e80301cca73a09b06a5a44bfa65bbad66977

SHA512
5093320e0b69a04cb185b3c7c55ebaaeb8cc33de9caeabbedf01e379e3501bf39fd146fa3632455632c998db5cc8629f059f782b39900a24a9192c4e1228e54f

Download Submit
C:\Users\Admin\AppData\Roaming\f97388cc4a48edc7.bin

Filesize
12KB

MD5
92f9c7d32267b326a5e26f56760786bc

SHA1
4472d2c18b8065081cac46378502aee8805dad7e

SHA256
608276c8fed6a7d2fbde21c8e67f24093e00c8887796ad99b0b1e88d4ddd9ad4

SHA512
d9accb4db742c763d522f3872323b0f20ac0870eec40366709918e37cccafa9c54bfa8caf9e11f38285b89a20830cf842a690998c91c1e287c07a24d578be98d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d90cb0a7a5654b753f437e0fe4001ca4

SHA1
91a4a09b10bc64defad5f52db1a35df8a4b1c97c

SHA256
c900327cc3affe91771aa562b78e8e2ca30c26caba3191f700c67d86c71a6d75

SHA512
bd8c09a4400bc672605b5c52d3fbddeb5bf3329d93e0e439e838b2dfd0886263e5df7bc9ce2a161d7f2f61c27e7c27464018ae66c94cd1ae8f10cca837cf4d40

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3dfa8e7d122415b4a30e9451c77c2d8b

SHA1
0a2c88fe04abb90b83993bfa2be99acd8c9259a1

SHA256
83ef2fac0bc8fdadbeb3c1b7bebd52adbb5ed91456c3062a2afd7819a03051c6

SHA512
9c319699c03de5ca6487aad0af670050bbf142088fa21256f9e355bed2461332e197b81b5b52c48b80028e521753bce6b802898bf9aa4e21dcdbb8534ca50c91

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3fc6ac3493cc9c0e42fc57f23ddf9e70

SHA1
0b1997ab1caef0a50b62cd9f33bb33a227cd7e1f

SHA256
7f40ab627b8ae3ea55de233c66bc3059341c7988b7c94f72dfaebd83b9f156a7

SHA512
114e39cae2265d41a3a544b09dce187875994f4b0b2546e5b27090b620fd1718f7d1ee6922ea329d7e1dacaa1df794382c02a8bac88b202c247e97ccb4ce0456

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
569847461fd4127b02324fd784b732e1

SHA1
0b8eecaf4a55eeb815da895a01323b480045350d

SHA256
0c8cc73a0e3993e292198c86829ffa6816e640f6a811c736fbdfb02e3092437e

SHA512
35185124d46558d593cf7ae6488dcc8abebd65d5b2d736c5ee988ff8723b65e9450a8f1841f272a5446138a55e8f8546304b72003b72a1d80910af5a8ba54406

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d5d4512648c1b0c0fea5b6cb46750667

SHA1
b99d8a88cc51bae70f7af948cc4d53f9c0472406

SHA256
2a973df1fa2ab1394ff4f6815fabdd9b0e18f39b4c9121533b6c8d297a466bc4

SHA512
5323f68ea5ad12c6e56c7416e236b7b06967f1e0db391e995725666d2706690b0bcb4dc123f93bd54d3732adf52b07b7ee9f23a689a4e1abeb5fd7146be21fa9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b48bef3eddacc6feea9d3942445fcb49

SHA1
6f60b15751152e9c6800e502ce1d9f4d4626a4df

SHA256
21802acf3bf751c5bb65de9707e038a3ceaec059913fc918817f4079b0d3fc61

SHA512
6112ead7350d05959c71a7aa739cea1051cde1b01f19c0844851b45477d60fa1600e5634a1df29b33648fc692e94cdf6228518bf073c5ed3abcbb0ab73a91c13

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b07696a29dc1854211bb9f1ca5d6aad3

SHA1
8af4f6290ee6adb0954489aac5ce7c749de82330

SHA256
fafa91f028c0b9cee48c84a8ca792dbf8f555aba3e5d5c962585ee09b42739b5

SHA512
8764824d0ba901af3031840ca9ee0154d74377ae96cbb127c201b6f9d66d0fa24fb5c848a7cface6a91084a42440a85ba87750baa396ed4d6beace5e5e3b17bf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5495ddfd15be33f82da8be712f942dcd

SHA1
6265b3d2e83be15d1f89d887ab9c1d665bf4abc3

SHA256
1ad2d521f4a391201243f03786549a00771f720a8b7d3548e64693e293538b7f

SHA512
ada4435f07d3977b36ed838c8688076d89d2b536a84bf601d0c7f24f09b8ba4dfd8e3ed10b3fba58a40a9870e94bd5b8445257ee673450297a672672d1cef20b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5bbd053f38a672a79c5c0aed393330d1

SHA1
0295a0caf1d5a3e7bf517c7e8b20d2757fc76bf3

SHA256
a3d151a7d86ccb17eec04635be4f769b151ed43b874ebb3af6ba62fce582ff83

SHA512
e231d1241c4ad5b0e077d2de658c21f942f1449e0e423e207d73d5bb1db6de6c2ec5bdd964018f86ef3f67542f00ed23820f6923530321f04cdee4a57a7d238f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
44558fed8ac6f47e27af828bbcf1a7a9

SHA1
163619923a64fa1fa5f10b6a30dab974e4b68021

SHA256
f59f4458cdf875290443a264b54ca435be53dde6a40663de9cf892d290e3fd75

SHA512
3976b35ccadce1d1fad1715ed2b17d722c4ad37a1e693a8066bf0f88d55db81f5a404b46d4306631c825d891d8b966965ee1ba77ccc7a2fab5ce95f82fa04bb3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9d3b3f1a823be0269fbb6b999428963e

SHA1
5bb6c00620f390e9949723e3003e56a8aa25fc99

SHA256
31120094de27028ad3ea257d8b6f15debbce9f64742401f70b3bcb4323a8f378

SHA512
e599807f8e2a6716d5a0d993fe9683c51d96b076b163eedad66f3dbfaee2363a831b31e8a346910ff8fe5a2c760118be8cd642371ddf7cfb35528090d0cc533a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8604b105c9dd82842d452df33be6ce0b

SHA1
490cf792ea15bc3b85ae6aa39e6932225d4c3ea5

SHA256
c1ae6ccc36bd897d9350dd734d45741536942b8e8db31a13458f1582f8109bad

SHA512
d55c52606ddd9d81057a9f4ad43291478251477bc9f0a38c34cd186b0bec92a434588a8305c1d9de67bc25d7425da516bb8fcda9de6922c2d1cec9cf13dd6ded

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1442e46d7417103184677c9bd478e7f9

SHA1
5d42d3217dd208d9dcaded302ffc97853871feb3

SHA256
61802d9dc3d46586ad587cbd5e08b936eccb33cb736730881b668efda932d367

SHA512
2f14477134f03b2cf74add5abbcb2e0970e45b599045b27db77b2011e6f981d0d0e08566cf44b5fc23ef2c77ddf0453d2db6d5cc532b964471c1c2149f67f735

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e95b4fe171f0180f389e5b30810a91b4

SHA1
e210a51a5390e5a5820a7620738d6e265ecb9fe8

SHA256
1e2a3775840e703fe0af0be8d7fdf12af420c2ad2712c90c6e91aba6b295662f

SHA512
152cfe7464ed37f4d43e00a286b0e9a28a017325b3079065e3179a1f998b91812e26640756d363013d76af2708f89952c1061781cda4feb7eec55fa8bd0157ac

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8bd81366f5280825cf55f1c7181f84b1

SHA1
a86038f1f534ca63ac328bbb23faee339e28ad5e

SHA256
9ecaeefac0371b757bc79294db36dc86e59f3bf308e364fdf1df8a36725e16a5

SHA512
d73af590bea6f943d3a275b26ac754d43e524d54255f743b1a96ef55b7d3aa2a67d1bb3955b83d96d68137ff0e07345b01f24c4b606d7659cf126355ade7f44d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ea7e79570d64af54a3e81ac83b9b29b9

SHA1
0f13a210b77de291558474966c50c4635fd9d201

SHA256
e5de20f85fa6d42e2c8f8740b250ea9b8c9c9db8d631084e8a90c34b7be061ca

SHA512
4d4934fa7aad25eeb9516ad6fcaa02e95cf0f2383facefa7a7d9062a6984bde03eefb110177dadf59fd9c0f1d26fb450731483e31efb1b1149d81deea7ecd986

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1e2fd8589aa00e55be05896c26267c60

SHA1
a50ae848c5120728db9e45df7b4ce5f441211e72

SHA256
996190cb15459a3bef4959f02a0888f5f297b8112c5f187fc6374d4f0cfdcbab

SHA512
a4ab2e0d317ecc914a791ca84940c7e00c1bfe99d4795aa8f1b11c82940edf1514933147377f350989b1b8a31c5c4ccbd1ac3fac08e88cf2e0a46a7ebbcdf36a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0222ef00ddb13ba6903fb6925be613cc

SHA1
8b4dab21204f29016fc533c7673906269582cb40

SHA256
8d358325183c0e61f6485314acabca1a3ce1e56fcf6ba04494cbb2761ea43e25

SHA512
57ea2cebb4b32c5ac29b6643700fd1a060ac2e32d600b53e0306b8abcaae7c8ec8795f102e5115129d01b93f77cc9cd1db08476915bef32a2b7b62b11cb395bc

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
295c35172675c56d85b3271fc5adbaf7

SHA1
fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0

SHA256
f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0

SHA512
15813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
30aa2f1f412b57118dd7a0c30d1b9073

SHA1
966c78918fef46838495143e23529772e5f43ec8

SHA256
0bc92a19dc643e72232e1c3a00e768eac5a585ae2491e10a8bc87e08c8ebaa91

SHA512
71b1721fe498741b2b62c10129fdc338accbbc94b843e911fa885a804c3b1cecae29b45f98847033df99c32da85192bba45d8defa782dda8197b8f0ea0ad77f4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c1cf95a069dd05a9457d02af0a7d3d8d

SHA1
34923896c35a88016745f937baca5fd0b706b169

SHA256
ed19aae83f83cd3305c18f39f0deafae637d7bfb37107ee9eea1f3f0ba3162ae

SHA512
8cd84f82b4802d1d98615b19d0f920371326fa19041741f6bc79dc2586b52dfd0492e971df89b39fc83ee14f519c10c52ae4f587c1f4bb1381c3cbfd76da7866

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
76e53c80740d75a53ac7541c07eaefe4

SHA1
a128819302a05381d7471819106cdc79bd1796c7

SHA256
98ad6bd0abc7470bff39afd9f4d39a0cb0ab4f615720a9b7225f34b2341782aa

SHA512
15941e29eb84668fce3298cd72387af667a9c31fb7c0ce5a3241c804859c309b2f1888562ae4b6172bd9bc2c4bff4e8f6534eafca99794761edbfcc012cf878a

Download Submit
memory/416-78-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/416-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/416-58-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/416-64-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/416-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1104-69-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1104-163-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1104-75-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1104-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1392-284-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1392-645-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1516-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1516-6-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1516-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1516-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1516-24-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1528-518-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1528-214-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1592-551-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1592-232-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1612-272-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1612-151-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1664-178-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1664-295-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1776-634-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1776-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1776-191-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1816-124-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1816-253-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1876-168-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1876-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1876-10-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1876-16-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2168-221-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2168-523-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2184-646-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2184-296-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2820-169-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3128-39-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3128-31-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3128-40-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3128-177-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3380-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3380-45-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3380-54-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3416-254-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3416-258-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3920-635-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3920-273-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4252-505-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4252-195-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4288-260-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4288-145-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4696-219-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4696-91-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4696-92-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4696-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4936-626-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4936-261-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5116-95-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/5116-108-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5116-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5244-309-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5244-651-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5472-509-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5472-582-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5560-701-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5560-520-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5676-524-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5676-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5756-702-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5756-553-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download