16717b48c8ff2373974b15f403845e135de6b5407fc57023085ffc3527ebadaf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 07:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
Size

5.5MB
MD5

39433f9f52516421143c8240c6c29e01
SHA1

6a15ac8b7220af6e616c09fb162893919fb34431
SHA256

16717b48c8ff2373974b15f403845e135de6b5407fc57023085ffc3527ebadaf
SHA512

064c90e6b4be365cd52eb8e9297549f96942b6be5cd68483f5b9c2e3f33446aa07325d2c63d5546f3e0d8f5a4161b0734173dcd4c842c20ea541858b63c11fa0
SSDEEP

49152:AEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfY:OAI5pAdVJn9tbnR1VgBVmD+pFtFR

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1836	alg.exe
4208	DiagnosticsHub.StandardCollector.Service.exe
676	fxssvc.exe
2256	elevation_service.exe
2620	elevation_service.exe
2932	maintenanceservice.exe
2284	msdtc.exe
528	OSE.EXE
2268	PerceptionSimulationService.exe
2380	perfhost.exe
2516	locator.exe
5032	SensorDataService.exe
4948	snmptrap.exe
2524	spectrum.exe
4332	ssh-agent.exe
4720	TieringEngineService.exe
3488	AgentService.exe
2316	vds.exe
2404	vssvc.exe
4520	wbengine.exe
2400	WmiApSrv.exe
388	SearchIndexer.exe
5632	chrmstp.exe
5676	chrmstp.exe
5840	chrmstp.exe
5932	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3e2a0db9c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f6dec95f4b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fdf8b795f4b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010369495f4b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9aaa995f4b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009cc3e696f4b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c62c596f4b3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001176d896f4b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617001957260446"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2120	chrome.exe
2120	chrome.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
3576	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
2120	chrome.exe
2120	chrome.exe
7056	chrome.exe
7056	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	904	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
Token: SeAuditPrivilege	676	fxssvc.exe
Token: SeRestorePrivilege	4720	TieringEngineService.exe
Token: SeManageVolumePrivilege	4720	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3488	AgentService.exe
Token: SeBackupPrivilege	2404	vssvc.exe
Token: SeRestorePrivilege	2404	vssvc.exe
Token: SeAuditPrivilege	2404	vssvc.exe
Token: SeBackupPrivilege	4520	wbengine.exe
Token: SeRestorePrivilege	4520	wbengine.exe
Token: SeSecurityPrivilege	4520	wbengine.exe
Token: 33	388	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
5840	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 3576	904	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe	83
PID 904 wrote to memory of 3576	904	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe	83
PID 904 wrote to memory of 2120	904	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe	84
PID 904 wrote to memory of 2120	904	2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe	84
PID 2120 wrote to memory of 4244	2120	chrome.exe	86
PID 2120 wrote to memory of 4244	2120	chrome.exe	86
PID 388 wrote to memory of 2236	388	SearchIndexer.exe	112
PID 388 wrote to memory of 2236	388	SearchIndexer.exe	112
PID 388 wrote to memory of 1952	388	SearchIndexer.exe	113
PID 388 wrote to memory of 1952	388	SearchIndexer.exe	113
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 2912	2120	chrome.exe	114
PID 2120 wrote to memory of 4084	2120	chrome.exe	115
PID 2120 wrote to memory of 4084	2120	chrome.exe	115
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116
PID 2120 wrote to memory of 740	2120	chrome.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-01_39433f9f52516421143c8240c6c29e01_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe9021ab58,0x7ffe9021ab68,0x7ffe9021ab78
    3⤵
    PID:4244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:2
    3⤵
    PID:2912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:8
    3⤵
    PID:4084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:8
    3⤵
    PID:740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:1
    3⤵
    PID:1580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:1
    3⤵
    PID:3756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3804 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:1
    3⤵
    PID:5344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:8
    3⤵
    PID:5388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:8
    3⤵
    PID:5428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:8
    3⤵
    PID:5508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:8
    3⤵
    PID:5524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:8
    3⤵
    PID:5224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:8
    3⤵
    PID:5500
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5632
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x274,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5676
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5840
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:8
    3⤵
    PID:5684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:8
    3⤵
    PID:6640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:8
    3⤵
    PID:6648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:8
    3⤵
    PID:6740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4668 --field-trial-handle=1936,i,9078293648836221981,182062794503812613,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1836

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4956

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2620

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2284

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2524

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5000

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2400

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2236
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0ccfb4b2520a4d4e27082b46b4394d44

SHA1
37c92049ec1f01e0bc409607ded291ef8550475d

SHA256
0ffc54aa0405109e8c864c3789228b57e9164f9e7208406fea6a7300dfd40295

SHA512
926fc385d0d6efcf26bca3b664d055d07c1b3cc9bbfc46ead40ffb54a6cf4bec16a11dc7bc44daf4ae85abc872928ebf75fc7b4a30f353af19fb52a915a72303

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c5907c992c1ae58859941aba0922d863

SHA1
942f0a7fed15404e2ae2be361372d1099b842966

SHA256
c9fc9e148f344efbf662e50a9ccaec4110a5b47c0d1ca80fe6c63b1918fa5e5d

SHA512
db1563cf75a54a734a76db8afb447331fd172a84df20c4e8e81e2af0ab08a7270d8f886d13e8310a74fc101b0a14d490b5cca0ece33971e6763f992128662672

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b22e96574517ff6dd355a162ec62f91b

SHA1
4f33bbb545e524d71816dc882ff3f24b5639d2ce

SHA256
d7ab991afe7bb009743862cf3c0474f394f247c03c0bee1e400598ca47184b59

SHA512
4a2fc611756d4b80ba4dc7a718c7c90f5ed4aa1e0040565e38e66ea304bf2017566c385ec234ee43bf665c953f16794fec3c9cdfa45067a48c069e28d5c34161

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8e460aa2bf7b191403f769960dbdd7e4

SHA1
1a6be8ce705690447951f09d5e47c26fc4b32544

SHA256
fe73b899e12b9e5db27ff3df17c43e5e0ad394f1da5811010bdb02be66d7c954

SHA512
3f7e9fddc8e086c5fec4522e55424408f2e1b90faa07e987e675d3a5679243564db628d7907ce0f48a882e3088614734ee977d80a105729e8d12cc217e02983f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
501b5c7fb8c3decf0079d118089fd9cc

SHA1
4d74b1f18f01b062213edfe2b7eba185da2b85a7

SHA256
f69838b5f8e8880e5108de3c46bf4484f62ec4e1cd639588364406ac286ff184

SHA512
a95963ee62bad07dfbf07b01ce95b199fdd7a77631b6c6c54883f236dba51e1c6f0a5f1fc8aa2b1aa0c0c0fd99b79eda272ee903ffe2a5acb2bccecc42842deb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
49459359eb0c3160b26eab8895526f24

SHA1
aac94aa23db842eb8456f9fc5603e423cb026c15

SHA256
8ad8c05bdc9e3a96313cf60428303051a6ffa57fa032a2d469049059b3d9ef91

SHA512
b08262441e37fa83a2609ae27c1abe3575ba52cfb49c0b69a6984a4602a72e26b5a2b82fcb7f453a3a4aae71d09e21000b8a1bdbced045b12470b8c76cc4f8f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
28327ff45593a4b656acc3fe081f2829

SHA1
1a772eb6c63c3df7a0af837a1b6c8f12c3b938d2

SHA256
46876fd184507684a5820459fff635e5c32b17aff6cbb5fa7110827850048df1

SHA512
42d2762300698fab3960fa68e0248ca3040eb0e7c6f7d530eb8f710afbce8ab14b0659ca8f1e9a537605c112ea21989371663f68af1e8eb1a1d88a15e08de830

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
12745b7943549ae478113a059f693dfd

SHA1
b3ccf74afedbc173d176d46414cacaf697aec0be

SHA256
80e531879c2fdba36ec27aa7c4e44ac7233f4762b2957bcd1c9dfafd64675e3f

SHA512
f61a2040e4592591248b1d6dc182d1e89ed513254051369505b4ca9f945ce8c6e2058bc102c0bc90ae44011a2872e87f264e819c11dbca8415c8107cd64b45f5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
9fce0fde39c1e769320643875ef8ff08

SHA1
b64e4345c3b306da29678c837b3c98bd0dddb0e5

SHA256
b0399456dd34960ec73014c7940a4694e08d4c8e442f7e82c36505f3cb7eca8d

SHA512
14d1a720a4c57b066a511f28198f91a8949439d2e48edb6e7abf5b69712f66215bd8c99b094081e2b3e0de91b274a450750cfdab83be5b0912b6359044373088

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1cc4e7fe76d4d23cecdee1fb2b942abf

SHA1
7564f3fb83a425b829b7ff1f1b65129de906e924

SHA256
5b3a91f23b1af9638a54bedeecd76e1a373b1d143e0aa4efac8354167fe56f5c

SHA512
1e370869057ce523ec881e458457947882261b4d56190547968002e4e53dc1bef94e90934e19e52e1d0a1a5098d708f83a281e6181ab85e8d9b37db22b1e2159

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
89ee6465c59f269085c2bc574c964e9b

SHA1
6fa5e333bf68118f25a70dcb2db4c3979e4342ec

SHA256
2912a73415f1e6d09c5eb4e8687a278aba4665d1d633a99a459156f6ab09fc46

SHA512
d52827ee3e7c5e2ad432ae414c957186d31be7564bedfeb5540ca9719f10f38f6dc79f7abc812b8f5484ea02f273ae677e5a25cdf431d3f379519b664e037faf

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\cec3f967-0cad-41df-8d2a-649b28277266.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
02e48c542426637c538da137af955649

SHA1
2fd55b07c79e7fcae5cddd604cbfa3b1e178ada5

SHA256
2a283e95297309298157e667b96ae1e314e6b7683f0414352f1ee6ec1f79efd6

SHA512
65c5e322587dcd42826f727cd354dd55222c0fb44264019bff159c3d7a58d812db7d9156197eca8dcb000b2992e661108ad52152d44c2fe8ab1f24c889c08624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
01748a8ff39170570a17a29022edacec

SHA1
4deaeb14e66a2b7b00b4bfa7c1b0966fa2bbf294

SHA256
60cf81346620d79b0cb3e7d50638648bd81777b0568189de6a7ce1693c05f1dc

SHA512
11cae266c95584405bc913472b9da774cb4788672626792bf4f3cb43d6c8efc3dd9c4259ef14a1150942129b8b8dc994a9c3fa663ee63c58b04fc8545c8a3e9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4e0dbc0af71ff3b49ca66aed4a3018e9

SHA1
091657f0de378f6a6a7b8d33915a2b0439c73b81

SHA256
a24832b662ec4a64f9fb5e1a820609fae12e925a07d585e53f44ab5688f80345

SHA512
d142bd784bd3da502de47f90afb565d9ccb37dc8bd91b33e28cbeb6bdf0527383aea569e0a09fc290d03490c69095391feef363c763b884e17e72d6b692533e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57880c.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
6c7f4a32ea77792b5a218ce41483dedb

SHA1
dbca2cc89d9676b1c9ef52449f1d02f229456089

SHA256
a655359434a12e84e856bc3c41ae5436c36f824799bdfe8833300226d5f62813

SHA512
d59c2e9391b1409caf9d3a8ba70bb4db1a32aa9ebd4ded3f9040bedeeccd1d422db18c6b8b2784e07b41eb4ab39455520fde0d7b15f02c54af601a879182488e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a78eec6b-b432-4950-ad26-1e17089a429b.tmp

Filesize
5KB

MD5
0e61cf04bd476b2c3060fc75ce272460

SHA1
f71ef0c6c4e98d15e1d9a8d9af121532fcb51961

SHA256
7108634fdee81cec27e084146529fc02254312f3a139986314a044ced300e077

SHA512
2a3bcf60c4f9375bd2defda542dd8f97727c648e7ec67cedd90f9e6d695c00b63817367ef41d789c2e5793c1623ca48ebaf448a73dbcd89ae056396586e49904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
95cd06ededf9253e041cc7e33daeea6a

SHA1
905324949f5e200b000d6a28771127732b9725f0

SHA256
633cdea17225d2338aa61ea596c2ffe28c58ebc03ab4b8bf25e472e9d3a62ff1

SHA512
20a4953905466511d52e2645a4de69a0475cba950ab5f2882c34e1b0155a0580b117aa7c5f42c1422828a20bb8f905e6ddb88095180f9485b69afdab843b4397

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
2fadd58f2aa75cae4016954cdfdc4582

SHA1
2cd12992c5776388bab85838a8c33441cf9dc7df

SHA256
847e891c031952f4e217d7126e51a116d2a07c11819aef05982d5daa39edc39d

SHA512
5ec41860c1bba0183003c81900844b8d23b074c65be804e830249355759d1ab924934c6cafa994734cdafe60d855dfe478b74ff100e74f1d968fef7080798239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
049aa8b715d21c7ac91053ced21e7514

SHA1
f743df869acbd586c977a9254dde3d4c24ac654c

SHA256
2e74df8be7ecb1831132c50b43ba4d8bcbf9bbe4e58bd610ef1b84a61810fc9b

SHA512
fd332998968d8c9fff1554fba60ec437421bacb9da1237f69a0e5184312873c2674fec755382f8135fa8ab49e56bceba28760f8fe56e31951473bf55eefe5f4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
0f4b84582a63ae07ebf0a1f0ebf81b82

SHA1
b1a1e206c981571a1f7539b6193c4b836f467de3

SHA256
4874ccbddb55d22362a14daf037284e1eb390695224684c71245d170c93bee45

SHA512
3c0c000a8f3860895e98a003312d5e0e68f10cdb3ffddf812ba3642bcbca8ec286e385ade90f5104670e1ec0d934fdcc3b6d69ff727ede4b92a8c4e42e751099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
3ad22c9b2a5bcc3d88982ad9602c72af

SHA1
5442d30f61d326bcb0fa316688cc833551d130bb

SHA256
53805a97b013fc7796f5e59588e3fed8c844190360ca19bcaa9d90ac5a2f5ae1

SHA512
489759e75a8eb4e9c68efce9e9a39f161f6698aa7c671de479e99b07ae8ab482947a0ee068b4b1fbbc8e41efd07fc8f311ea232dc794addaafb35a49a97e3f3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57fd5b.TMP

Filesize
88KB

MD5
7c4d4c3ff549021119377fd9f9362475

SHA1
5e5beb2993e7c9428b488ff073b2e71a732fff53

SHA256
2c31d33f38da90005d2a4ba8e1670169dafff8060f23dc6b6a28ebdc19fe2d17

SHA512
0b51ef01dc2b996b2f23bde293fdd3430fa572e4eba0fa757322d4b3654e9f79e4f8fdfdcb945bc772c1eed74ab25aa09b19746ac4df182c07b7d97bf679e3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
36274981c1a62efa70068b70bc7c6e84

SHA1
634103b35183cc4ec8b8163d29cb7643dd1a9564

SHA256
f1d20260dccaacec5ef287137dcfb392fe7638e3bca365ec004e3bdcbe506836

SHA512
b3dfd4eae92047aedfc0f1b337eb2910d270b29a2fe61747fa0841fa62f148ae43fe741d4898f3b6f71db37ae62e37eabe22a28d1985d45b7bf5c7c06d4e0f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
cacb594c689f903f036c8f63ba1ca5f2

SHA1
9750ede4cc00a94eae78b1c161db799b4a082d4d

SHA256
d0291d84908e2bb105fb287014e81ae6acf36235a3e4aa3572800ca29bf32497

SHA512
7234a6c3080239a6ae555a72464b85900b6a502bf689eb24fc2c27084e90b239bc8833e75ce135e70b47fb2ee536ce940077f39d0360513cbce8ca5d31aeb48b

Download Submit
C:\Users\Admin\AppData\Roaming\3e2a0db9c3136770.bin

Filesize
12KB

MD5
9ca4b5580118feb2cebb46599154d393

SHA1
9305fb78ddc9ee4f215fdbf29de689dc6633ce25

SHA256
f72af1fa4d177eb54acc79386c2376b1c71cadf00e4854642cde3f557ce6d489

SHA512
e794b8017f610c8178266a9862b10c10c84dd304a822b10473a1e1e6087c15e9704e00235fcebc3273d811d5ce72ce9a862db8ed62a6560b1d74a7248c30531d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2748b67843a5d6bdd5c76da2577ac87a

SHA1
b0e74921e19d59c3caeb0ef503ad03f0c286efdd

SHA256
4056cfe9b1d8770182da6e9aa705aefcfedc496827256cc27b25b432d2c77133

SHA512
42bd72a878fae08b16304e821e35ab0919d607c6c4f3720e931eeac3f0f262ab9c3e245f18a7156e6c19e4ea2cb16b2b91741f0d1688d28d2fe29a908e12bd40

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1321ff7a1b82525d441956710a44a02b

SHA1
b28b299fc2db0d6e4dd0a394d1fd0f0ae306a3fc

SHA256
8afea02fb4a9a28ceeaf59442f6433d00174f0092027e8bd9c3397e58571d880

SHA512
43cad8e37a066c33771c24b30380f88768ba151b73b3cf1f3e9a00c6d28247ab1513fb01c2bd723397192aadb067b36926f45e1fd281d2c133327d4dbf404ea8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
7cdea634f44f9d11a669d5f78f9442f3

SHA1
5f875caecedb434a698afd3a93cb1e6485c3a48a

SHA256
e723162dae22087175b0d11a2efff5d01828050492aaa90075dd79fdf560223a

SHA512
a6ef68e11aea248fdb619f1aab1ac6d5dddfa707e453d4a16b223aa3ef3c480360985b7a86cd360684df751776331b17dfefffb1e348b8843f65bd1c722ad510

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
aab0324f0acd4d4182b856b3d5839235

SHA1
bb3c13c2fed2111bda278c61845923568f172315

SHA256
938122f54fe193e51faa549a4fd8ace990ca7ea6d01c6966e2e9c901921a1028

SHA512
1ecc6b2958794310a0cb1fcaa7748bbaa2105ec853598adf0b6628c6365689d34a3745808a5ba82eb7dddc5a9d6ec51f1ae504e6d4f396c1b30909a1a1207244

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b6b781d7a23cd19545aadac885755c39

SHA1
05aa44d0382c5668404a3d7677b2aba1bcd83beb

SHA256
eb82dfcd6975152ef17254d518a6dc5c9d66b8a453908bed16194b3120d47ce7

SHA512
b30d8a83da29c0b1f8d3b7ca6b5ef48c8093b8d721b06a16a0f1485862afb118baa5c7249f4a8e70a251a6db4ba2d3a0f36102f9bfd8d11998ea5ccbed0cfc98

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
01f96375b922efa4ed961d1f319a40ec

SHA1
2f640f77dc0d99dfe620c38a8731b0b67c46f0f7

SHA256
eea328a06728f474235b3ea9e2be7719f8c145f1f5605258bbc48841c3a7dc1a

SHA512
3a1c8bb5956536f47c4b6deb309216e60a28bd18db9038a4ed3e67f26828ca40660add3648226033fe85e54c3b9fd8993395bc47c8730fe13ce248f26acec203

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b5de712ff459c5a07a740b68224fcffb

SHA1
60d597cbef23e1474ff05916c1690f47197cfa18

SHA256
70a0da67fde51c167db67b45ebe06a6a65b6ea3f927b3d316785f752cb576bad

SHA512
5de4519b7360aa3f6519dfbbcba3d01f0dce09cb47c83a5a8fa5f07997c0a404c826966b0c3c1df7675571f9fc006837e2ccc3d7bb696c1925b7be943134b7cd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
890a72e19d5c7bec526391759897f9ed

SHA1
7db5ce845432e835ddf9ba38fec99cea1a36ce51

SHA256
0ff1a45329f820d6626598951b3a4749428b2a9ad9580a133901bffb156fe6ed

SHA512
8f049fec845be2fbd6922deef7ad1b4e77364f5fa0e4ce17b543a981383158cccff43272a1aa0afaf67f8d1d88ef7dfb330d6da74e012cb0be4362147eeded0c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b057361e662f52c4af4a1a8165167093

SHA1
0725a88f9798f8ce1d98213a531624568b252939

SHA256
5abef1cade4a7f7487df1f31d00cf9c84d416858f7efb484eb5bee936b8aff4a

SHA512
d46a309ea975d9099f1a4ec5a77704b5bad47c17747c8935a4fa7f385c1d2a2f99a1268f26b5b20032301773e4d6324aeb9e75e1e28743013f6ebacd04cb091f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0e377ba320ed94d8c116989512e250c5

SHA1
5481784f03e343d81c731a88700a3c8370a2dfb4

SHA256
c1af3c72a0d62eecf5dbc503933e98af912d8295a1d133441c6c96d0b4010d53

SHA512
f81bd2615267f187cec2e857ada8d3429d6170767e1f94118f63163c9a54ccc7c71e2a018b004c1e1de22dfdfc785391a6cb8e507a82158d5f9437f403cade6a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e67ff998b4d6809f5a4c0d93a2b4597b

SHA1
1221e7b1d1f55ddbe9dcc50b5b79e172a34dc7b1

SHA256
8bdcdc3365beb1efb970995d16efc568635abc2d56d58212c44a6a27add22d0b

SHA512
4e11f19408971550e71f312086a403bc7e5e9011aa6ee070298b65fa55b1f494378c42a79b3e7a38dcef0db78ebc510f81e9c93e0b13760fb37563da38c823ad

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
353b97dde929da8adc8dd87da3e02f9d

SHA1
ca37f721d7c0b6baadf12aa850186b7355d9c4d1

SHA256
dfa5d3e98de36bc543cd7f5b4b64ce6e8958384e265820b6f6abe6f5a498289d

SHA512
389dad4d129692e9a7b3982c95fd0de8718fa6ff012daf270320b328d116db44e50ae51f6eb7a1dbffd800ff7e23d5dd34fd4d1930a4c15578117601f0bf8af8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
bd56bd6d2bb37b9cb46077b2bfc591fd

SHA1
e973695501575edf758639cb02d84f9427b79d5b

SHA256
ffa9954f4582b6eb1aafb947d9f317daccbd7e54bf695a6ce9029239645a0477

SHA512
7e26734f8ede723f7b89b99baea75b1b568f7bb6e1f7eb06b49130553a1c374d9adcc7fa5a3d1210ea5d34686a342a4a6fd3d85fe6feb433857613a2ed48ddef

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
be05b3e8f6e80f17ebe761bd88711f34

SHA1
db83a629d625b63a424c4350e405e938409a8813

SHA256
f9c266e298998850794419f7a702541e63e0388535369feb23e2282afd0ed32d

SHA512
f4aa999fe0ec8f2feba72d5d68417e1bfd8ab722f10f8f4de0cedc0f5d57714c3cb69da66ab523e7e565add62dfdc66ae5734582849be523e60cbeddc65eaeec

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
1266996fa44dedb95ba082a7d8a4c8b4

SHA1
82b048be2dd44823eda62bdea49a17e201f2a26a

SHA256
571732d4c2f67db2dc35b634f806c79ab0df3853f6dcdc5f6e9831325b72602f

SHA512
2d02bf4f62dd0bfa3297f58dd7bd4ef82bfcf02aa5e678f7eef80c553135894721abebfa38071d10def9d06fb7c72e30e219d936ac12aeb6d53d966d4aa47a43

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9ef7d9b73802cb576cef8df53aae88a8

SHA1
2b797d9bdc7bce7f92e22e7039b3f58db4cb9828

SHA256
9c4d7520af04b2c90d4ff59c528bee27c49e28ef4e18ae81f27c3664a5f1a872

SHA512
4906fbe860dca6cf01c16d2caa5080f71e8ccabbca6c7d2a777095dc97ba0ca76425139edb29a69960b1e79d0292979a7bfcf7ad46b40cd85180a8849fd9fb44

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d3f4126ee732ef0eb836f27f64a6d1e9

SHA1
b30edbac23e078109dfbbb3341676a448a48479d

SHA256
691ede3b69f171681aa07a1d3023cf7ebba3f82907e2d991cff019764551e32f

SHA512
294f17ec04f7f5a2a2084c92caf22264412807da46f265305c4209f6120304ddbbb59ae66b2da413291f610e68971fe15847bdbe94ea3b19bd36fcffdc442105

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5011fd90da72af736c16de329b029574

SHA1
0199b10e5cb856a7a6312006c3090c560833205f

SHA256
772023e2c8f0922002ea58bc3ef25feb8744e74822438b1a97808c6d658532d8

SHA512
f612f31ebc5583801c5c90499d47a26914170b4b8d40061b8cbbc300655f26845720ab58f62f0b3c467d1310329759dc5ba2344494aa76a6387be710fc260a51

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
01ce9bd14f2587ef97ad18a0cf31aef4

SHA1
7fb6dc77160c88226b67968ed51cb246ccd31146

SHA256
3c8443cd00bc80ed7bd27ec128f52c0d87e718fc7176375a8fd1aa1ed6fa22b8

SHA512
6e652786ac0ac60b5dfad1b3d20f3f666e430fc92f4affbc16518695f447d2caf7872ed585efaa73d7ab72bded8de5957f5caa046c0d6b15f606d3586bbd8c07

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3e984fe5fd11c7bcc897675d9ed7cb0d

SHA1
5aaf6cb24a675faf4c0bb9772367ff5000fbffd7

SHA256
cb9be439b77b14da3178f9c18bd105a178fa39e3c4ecc58ebc11809742fb0bfc

SHA512
593d3d1d1abd637a2088423dc4a260fdcfdd6bc30344201ade9f1a82c42fca64b349171579998a1e587d66bb1349e4447c73581bc06c506ae335a8837f4d013e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
623eae6aef9bff753c03cecf9743e70f

SHA1
8e916515e75a1338711b8d4fa6846d02c814125c

SHA256
85a108cb62faa12d7ee08e61afe1bf0ffbf234dca2e8e58938b7600f6c0d018f

SHA512
c54f80c514c5cc7e8fb2df3780eeb75c0a5efef54786a2368f71a9d8a7b95d744541134442e5b7b229a4c7a85252c92785789970b99d805cba438cff562b6337

Download Submit
memory/388-780-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/388-336-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/528-314-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/676-76-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/676-61-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/676-55-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/676-74-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/904-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/904-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/904-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/904-22-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/904-36-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1836-28-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1836-34-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1836-38-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1836-771-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2256-71-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2256-65-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2256-457-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2256-311-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2268-315-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2284-312-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2316-332-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2380-318-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2400-779-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2400-335-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2404-333-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2516-319-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2524-326-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2620-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2620-778-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2620-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2620-309-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2932-88-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2932-100-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3488-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3576-581-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3576-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3576-20-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3576-11-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4208-53-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4208-50-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4208-44-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4332-327-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4520-334-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4720-328-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4948-325-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5032-322-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5032-587-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5632-547-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5632-608-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5676-781-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5676-557-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5840-597-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5840-580-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5932-786-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5932-586-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download