9ef44acf41d5f758ee6d247364aa71f5108bde44547c71f27720e8923786161a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
Size

5.5MB
MD5

449dd7a62646af70ce520a5627783019
SHA1

b3d00c409fedd3f1be0fe27c9947c21a0bf31c76
SHA256

9ef44acf41d5f758ee6d247364aa71f5108bde44547c71f27720e8923786161a
SHA512

fb34efa6d28a53b89dbf7808db806d1c95382a11abe7cac41ed1b3a75aaea71a15cb5f90054eabbfb767904f5d3a13ae0365f5a07573fb4117f3d2292cf1e79e
SSDEEP

98304:DAI5pAdVJn9tbnR1VgBVmll2/V0cETQ/I:DAsCh7XYI+Z

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3376	alg.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
2596	fxssvc.exe
4440	elevation_service.exe
4480	elevation_service.exe
4932	maintenanceservice.exe
5104	msdtc.exe
4596	OSE.EXE
2756	PerceptionSimulationService.exe
2772	perfhost.exe
524	locator.exe
1464	SensorDataService.exe
4836	snmptrap.exe
1052	spectrum.exe
1672	ssh-agent.exe
1668	TieringEngineService.exe
4928	AgentService.exe
4424	vds.exe
4332	vssvc.exe
3212	wbengine.exe
3400	WmiApSrv.exe
868	SearchIndexer.exe
3460	chrmstp.exe
2600	chrmstp.exe
6192	chrmstp.exe
6268	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d7795c70c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0cc886439b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b69a56439b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfb04e6539b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a67cb86439b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cda176539b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b69a56439b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618396906261437"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070a8816439b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a977346539b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrome.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3724	chrome.exe
3724	chrome.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
5308	chrome.exe
5308	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2244	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
Token: SeTakeOwnershipPrivilege	2204	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
Token: SeAuditPrivilege	2596	fxssvc.exe
Token: SeRestorePrivilege	1668	TieringEngineService.exe
Token: SeManageVolumePrivilege	1668	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4928	AgentService.exe
Token: SeBackupPrivilege	4332	vssvc.exe
Token: SeRestorePrivilege	4332	vssvc.exe
Token: SeAuditPrivilege	4332	vssvc.exe
Token: SeBackupPrivilege	3212	wbengine.exe
Token: SeRestorePrivilege	3212	wbengine.exe
Token: SeSecurityPrivilege	3212	wbengine.exe
Token: 33	868	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	868	SearchIndexer.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
6192	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2204	2244	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe	92
PID 2244 wrote to memory of 2204	2244	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe	92
PID 2244 wrote to memory of 3724	2244	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe	94
PID 2244 wrote to memory of 3724	2244	2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe	94
PID 3724 wrote to memory of 1724	3724	chrome.exe	95
PID 3724 wrote to memory of 1724	3724	chrome.exe	95
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5376	3724	chrome.exe	120
PID 3724 wrote to memory of 5416	3724	chrome.exe	121
PID 3724 wrote to memory of 5416	3724	chrome.exe	121
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122
PID 3724 wrote to memory of 5488	3724	chrome.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-02_449dd7a62646af70ce520a5627783019_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff852f1ab58,0x7ff852f1ab68,0x7ff852f1ab78
    3⤵
    PID:1724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:2
    3⤵
    PID:5376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8
    3⤵
    PID:5416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8
    3⤵
    PID:5488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:1
    3⤵
    PID:5692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:1
    3⤵
    PID:5704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3580 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:1
    3⤵
    PID:4092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4212 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8
    3⤵
    PID:5576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8
    3⤵
    PID:5584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8
    3⤵
    PID:5568
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3460
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:2600
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6192
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8
    3⤵
    PID:5688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8
    3⤵
    PID:6336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:8
    3⤵
    - Modifies registry class
    PID:4268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2604 --field-trial-handle=1880,i,17610559963689910894,7229832767820068777,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3376

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4980

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4932

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:524

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1464

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1052

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3536

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:868
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5240
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3416 /prefetch:8
1⤵
PID:5504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
71d1fd50b07818695dc4e2b0a295de98

SHA1
308af57d8dabf626b17826b72eb75fa7f2a81654

SHA256
55b3887583b2036c58f7c6caf4b8b241c0ae97d6e4e4d1afafa27a3b06321abe

SHA512
dc773d8a641d937cb7db6f4b7d2c691c985a69ec331670eb48b76a98b40bbe849fce6f0ac724b296042378178c10c87c22819fc8044878a66b8af697ab3acb25

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f15786fcaf30c9a120e8c9979165da17

SHA1
2b983df2fe2e0e6a04784cbee6e63521a420b239

SHA256
cf532d7c24379409f1ac3c6fc22243bc7b61587b4fc8ff305c70cf6a4200267e

SHA512
df715c35b24694dac1e16b04f094eeec2ab64673745d1634721d7360c64d21c0cf1bb339d9cadf863c11e6ccd3c361d81e5b4e6b1a55fd3ace3d1fcb065d2b12

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b8468604fa568ae6e2b6d0accd4ba923

SHA1
52daf397ea4a1e85572c40f0d8b537c51efb4bff

SHA256
bf4b781420c829702f8e35887c3778eced6c02e2e401deafc4a6e8227149c608

SHA512
164a888bb19998eceb91fe54d36528bf1b86614864671d1161bfe7d3150ffb536c21ce2e30a34f7c4f319770b5b0ab5ecc7f9f5987c547add0bf55a219eeb1ca

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
667bca0e2664aa9646c8779f6d4b0030

SHA1
a8e0bc9550802e242ab9b745fe48647526a33a2f

SHA256
4219bb3ac282df6586688ba0e8c1832e01deb69e2d003803836bfc0d91f51fce

SHA512
b4910853dcf969fcfcc5ba52682c07bc66d0bda14e438bc4fb1290d904e671f91d8b0de5ccc0b12febb0b17cd3cb12fbb1c96ecc05add2f1f22dcac9456664a8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c217a6fc93806c13ea68151d322d41cf

SHA1
e23256e9107edd626542af5e8dddcd01eb64f2a2

SHA256
730ad7e1345f094f9382012570d847f30d55d43b417dea30addc590e48cbab33

SHA512
cc179cb35dc325f031d769316916b11facbcc550155aa44391206c5f8b17f4ecf744a4ef4effba2ce637418d82910baa1c260e189f41a7c217182f35ff10b3f2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
feef99544e82bb301410d6208a0f2fe3

SHA1
f7de72b1e2bc9c9415719e0678b781a945facacc

SHA256
743e2becf410673aa693d63f5f81fc8c8667698c049a78295dfe650b0beff3f5

SHA512
c9f45424f1886780b8ee55a86110b5fc58c9da7b7f381d4225cf8cddc0996158642eec27c8355835c4c206bd28c555138b727f0cd53bb40299bb314c63ce4b35

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e757c51c2820924eee7bdc5f863c6628

SHA1
c134773450880499ffdd8b15c1507edf3103085a

SHA256
a3928b8ab20f1f7f37327e916c833e25409aafdbd56107c93376a4d4ec8e468b

SHA512
46876437e4aca916434c13a09478e3dfee160d4264cb89ee40e599e87c0fd18c1013789c23d11646e66bb8ee9f1e5792eab5d152cf7cd22afadccf628c8f5d0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
284e286a8ebcfb83e70eb8f3639fc7a8

SHA1
64dc32e226065280044adae74a07b65ffb5723b8

SHA256
ae6f5465bd2d262e4fc0d665f697b9451d208631200bbd16b98c0b200d2ec6d3

SHA512
74578c6a409a8c836c3742acd08f6a53d3f4141cfbae32997db22b9e2cd2ab5a1a3401763b49c46f76b9d031a85d5bdd001b472d6cc62d569396ff9f20d05114

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
49ccd049ee4c98d578346c7c7ab5b698

SHA1
c80fa21e615f7d003d6c0a5e00ab2d5dbe7e5230

SHA256
456df2e437cdf067b8c7fb6a77cc9c6708c7fe800fe875c6f4e56220b9cd7c06

SHA512
9500701f2b139b7356428b85bcf7bb6f0de7efb5c5ce9c2ac820465258807a40c9425412170becb68b5c76115a195c9f2f316b80520a4385fd0d559966d18f00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b341c114162825088129fa39745e15e6

SHA1
8955ba2c375882f19b3086db6e343dda3ccd7947

SHA256
a806ffd50b69b9560f6534c729f759dd9d9cd89a14ee0afa1afeadf92622488f

SHA512
ccf533145d205c23dbcbc1fadd66b227e91af7481f694cea8530d0c1263e5bded3272d712687b15c0dbcfd40834079cccfa2183c9b1c23aa50675530f0145c93

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cf4cdd10633296b08f714d35dc9cddf3

SHA1
3caaf10a2a17ff7dced629d62c603be184e9f73c

SHA256
6b107f30526345b361c777e6232291bec5e61806a56cb94a7d38b1bcdf7b6196

SHA512
eabacb53bf6bf9f8976f9c95927f0716d83763fed363c6283a68b6b9c7ac07469e9098ad9ab2e4fbc4a2075fda19d6d9e29cc9dc9e43f6b296f5d6ded16e155f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
fd45bb4f9d10112e9eee0aa6cd17dba8

SHA1
3839b755aa892a73071ca177408f46f0dbfd4869

SHA256
cbe0410bfc71136f32c40258525487ed9a5d6b53de538a470d9dbc6d136b1259

SHA512
64b2d871b2b00eef59d5af5965669f3cdafc69a9cbf4fe600db3e1f0a31a282024f188e63c16c445d8e70c5295b0132d760d8af88c5d43d2ea1a7834b4c0636b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d03a854e23431527528f2f3d8f836726

SHA1
031e9a8f11fbff1692ef8045d027afb861736cc3

SHA256
ca284d262daa52fc4559f61eb40deaf08114d1e761350a0211c4feb171c377d8

SHA512
d20636649cbfde332f03e0ca49f1ce6d169ca6f00ddd48ac8ad3e25c15f86395ea0b2a548525aa5170e0c5c401efbeebfaebfa82c129739ff69d41e1586b2976

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
42b8b50d0dd9bd2ac896659db2308745

SHA1
cf55851937f26ecea13f20dc7c1859b5c4f10e45

SHA256
caa1d93c257ad04041dd2bdbfbe4d2e02b51dd6687e18ae8c280c66fb26cc3b3

SHA512
4fac7fceea84511911d7b7d5ec5f9cc62dc000de4ab2831d8ca47b9c4c698884d270787970587f4a4aeeb9623ad8a4a80eea1a750dab2a1ef64cc029c09ebd75

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\8196f108-f9dc-4d13-8fca-8399af66a863.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Mozilla Firefox\firefox.exe

Filesize
1.2MB

MD5
dd4e8d328f346a46379132b555aa5d1a

SHA1
7f99990c23f9eba9863ecbfd863c3fcc77825c77

SHA256
ee92e09f14ee75811577088a70467faaa4ebd46f4c97dc6e16edce1e162d2cc3

SHA512
a128433640b31ce68a7b068a89e3e7cb56ff4d098ba6d07ce287282918055153311520d9f4c681e94a9dde40a686bcae2e866195388eb2be9b14a142030302e5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
36438a31c2f71f0d9e780238564419aa

SHA1
a2f83ba020b778bad71e767859245126f7fee372

SHA256
42a98be454f87efd0fdaa9c4436b53e88dc4fec165352380b02b23431f791ce1

SHA512
aed8e288a5cd49e452629dfeaa09bcf08e554aaf454d168b3f7d09c4d091b034009786701399afe804b2d9ac25e4ec01dd39c9ecfef4480425b6674b926b90c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
16f48356ddea1d87835483ed7b0d066a

SHA1
c1f0f802753a6a91ce7093dfa58014ccc9cd546e

SHA256
260b342a920111449c717f9600c27f03deb5c0acc6b3cb4910e5a104021fc52a

SHA512
5149a548dde6755b0264c0e47759b243d39f9cda858d4f622066d7d2d485cf17f9d45a5b1dae5d8bfaf3ad0200143fc43509ae975d87f6c7dd41a0ef21d8b7a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\e5e6b2c8-3c7f-4fd5-b276-1ed3a3ceac6a.tmp

Filesize
354B

MD5
d5f9a9e90ec546c51de87c4503e7242a

SHA1
e6c568c962ce5c83874c99dc16555bde762e4759

SHA256
17f9bbb3bd1b27a069561bc20cafaf790610b274c282a5fd11bae71cca092cba

SHA512
a5d3c17a879b5397131754abd968d626a6efc60a9b35023307f3a4618becb96e58f79ad18a8ef4471499f78d9c3c22153520238fa75f8871da2cb7c9b7c4c933

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6763fc733e2ad835c6be517e5c64cee2

SHA1
3ab339b47cf620113c31dad6ef1972f6755555bf

SHA256
31121fccf365a9f9797b32480086f25a85928650b49f3cf9d1f6703da0aa03c3

SHA512
89b1fe916d1d48872047d68ca44f0653b57a7c4962e4344a8dc24a968408c7b721e5947fd5534060e2029b4d0edb532a4c6f67ff9dd0f9f181b59584c17711dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58290f.TMP

Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a1ac483d324bc1d7821af73ce7192bdb

SHA1
9f13a4f73f45264105f312420577e2f68a3bc1fa

SHA256
5c47cc3abb00df27b680022eb9ee26663e8bc36b260990e0c2c2c61e19837125

SHA512
08946de384d1367996ad9855b98e542207fd4af2052eed541debbcceeef223090a2ed3ae94afd84373d931515e23bc5153b33d4765953732ad8ea5e6e55f4df2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
87ced794df71b42bc704f064d034211b

SHA1
0cc08d1f031fbb5282b74591fc9c851073157851

SHA256
2460a2342585ce89d1cede428176796a1565593a8dc2c3d19ad8bc9e6e521fb8

SHA512
1c3167250cf9d5357404141a958eef25308183c24a52a008487570d74499fb7e4d6f4bc1436e2adef0daa31bb370593bdee0d2e2a1308d7695e710a8ec357111

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
4b807f8d8c1001a439a2d0428adf3150

SHA1
d4368108b81bcceffa86a3d1e1865059f2858839

SHA256
59c49692e79c0721b5e108c8ed1b7889a8455489b687a8139a90348770236e6f

SHA512
cea57ebe2c55fd91fe5fd9a4fc948dd93f9f6ed453daf73fe184ed9575508bfa0d5be6d8783df742d38005dc624a111b61f8fafe637b102ebcfe14dbe18f10d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
8126b63d6abfdd0d86798052a9558eed

SHA1
9962c4e3ac4ab70f2e18190272f6ce72d6751ce8

SHA256
a3e0dc46da11209340a21e0ea76157a3eecd9aca72079f4c81d35af4c65fcf1e

SHA512
8e1939d76c2b32aeac36462fda8d0fb2cfbcef8a25207f7a7ecd2cc356c550b1daba90d568c1f6b538bb4a9c0e2e4f9a9f07706c553d3845e22251b94a4ddc61

Download Submit
C:\Users\Admin\AppData\Roaming\d7795c70c3a5208d.bin

Filesize
12KB

MD5
de54187f7e7ba8a657f178bd20ca50ac

SHA1
1190aad6e1f7d110e399b09646417aec66991dd1

SHA256
550cfe2b103b38c43b5f50928cba2e4422f914869ac7102281e2ea7521551119

SHA512
34428471de45e843c02074a6084233daf2d2a37a4a839c28336fe71235c29d7f6b17d92731fe8007b2e58c88b2a1ca29cb9f587b81ac943d02e5c3fb35e21e76

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
3635f12d259d9bc84a84ae1061f4e2b7

SHA1
b1d3ecb5be78e1f0aea16802efc21cd5f07101b1

SHA256
5b7cbd86a011ed293d1e852693fb0eef8726d456daa5f202f6967f3d16c04385

SHA512
1fa1ccd5c156f36b3f0fa86f5d40617ec815d165073d5468ae929bf32bdb43b3601ec6d77a7da92a9e0098a6e795d2b21898ea5de044e9e058adc8d99a6826a7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2550eb922b31961686d5c0deedcf20a5

SHA1
39ac863fcd8a400c402fa6518ec15d24ebe2a797

SHA256
7cc255ecc7726d1a7d8848a80a55dd743d14acfcf5f0c48ba47af2a3adacebaa

SHA512
d9a016d0a1c855ac2807d52c80d6a368083a9a2a477751e62d5842221396e6951c1851d84c4bc7a8b3b2aba5f8f279f6afedb045edd61d4e6a8b98a55244a82b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0d73d361e5200b98e2164b08fc29e8cf

SHA1
551839714c0e352a1503be5ae8172dcbc599568c

SHA256
ab38116afd4b47ec04416f04e036825a6ccd759fa217a14396dba5fafd08baaf

SHA512
45e21a64ad5c94f10b499154a21f6a65a7731ab3218c88d578229ededdd273c7c6169826d69442f55181c8b511babc034e6be70eec9584bdf5bdeb2f836ec68c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bc90b745e17e519a5d6c0e55fa3eb423

SHA1
02e391e29cf991f0852b3b0a00f90a28f1429900

SHA256
4cb9a1e1117b6accd10bd482fdb92b53c2f21bd4f5e42e92858fafd7627153cd

SHA512
11d488864f4997befb67400b374062dade0ab5d9d59ee6c1e9f56c0ff6a71d1d542cc8d705550dd84ed6e75e5a0d5276edfad519a7f63a1e7464b549ba1edacc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
72e7a7cbbadd1ed5c7026333a7c0bdd1

SHA1
58d74e3472163f6c10a1211644fec7890a3eb901

SHA256
2ba8dbabad43ddbdf749173d8857861224bb485457ee06d7b53c7a0f8377501e

SHA512
5d3a9196e37dd4ca9176abd659235acc62407e72664a41549a2ff225f78e4a72c4bc7527c332aaedb7ebfd3df48563c2dc1f313467cebdbf6d88e0edb6f89aaf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e27f0461a05704002bbb7a2a00e27658

SHA1
c102ef43824d5151f46bd7e1efcc59f3ebe951f2

SHA256
fe72a8f63cd54f672658cd0de652ae08b1aa6a809b3af7e18c3dfd468f1ad06b

SHA512
30a238b94b7d1c482fe3c7b6d972225b30beb5f91ffa190da71626fcc01dba7855c1baeb7a2f4d63b042f1810519b90ee1eb4280938f72982475f515be1596be

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a17a7ea2b6060472e27d0f39a9c0bc23

SHA1
bdebbffa7d71d54d7fd5f2d9fe0d8cc6d43a3403

SHA256
271ef660db0a05c3b09dde7d75af6d960590475c99477bd15bdae56d5455fe02

SHA512
3ab1b6367bfb6313f0b1fae8553e54c02cf67354f0efaa1be3215e66395cadb938226a00a0fbd5e26678248a55db0e7f470c59e4878e13c21e318f16ad7109e7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f8cdce15a824342b984b6fa3107f1d51

SHA1
ec380f85d3c92db5d7e6c8b450be3cec05c2db47

SHA256
6bcafd3587eb2f135c0677af1c87cad9cfcac1922c0f7504d5dff23aaac47374

SHA512
c15fbb209118b62158a1fb83980e8622d6d33ec5c2dcfe70828642f37a5b084b002c7811a5993891aa76eb2745bf864d6553ea89c0727ebfe06c09cce2784a58

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1a2b224f17daad981d28bb7f75e544cd

SHA1
abdb89cbbaa94daadc6b1924c6435223c4470f6a

SHA256
55df047a2c86335c25c92c184feccad6faea4e440de530f5d2a62259b196eada

SHA512
b0bf3d9f38b9ac0d4c54e496dac3e31d5281330ffd865bebd6143534d12b7620e28ef765447a3180964eabb3253747666c2017eee808b27610c04bbc3e59b9db

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e396d0a8b00f15fd1a9abc78cbc2a222

SHA1
a6f63f2a10ce3488f5551e7d463b24a9ba396dc7

SHA256
e34ef607710b7ebc54f518f5ff7b741bda0c889792a5f20a07784acdab3f42f3

SHA512
b3ace30490e494c871a1ce525115cf7103964ee28904eeee343126e3290e5641cdc5dd966155083683bdcb1d14ad1aa1d66ba7c56d663a63cc24244c5e8e87f8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9eea0a2dd5b84ba10e07e9dd45f768a8

SHA1
7c08d5a5b68efe0147d7fa224359fea9e51b8e1b

SHA256
1168e37c1f7277006566aa05e864d8e114999afdc68c7643a9803949211f0eac

SHA512
0b5efebbf0c4e3b6cc5d3f5b7d4101cb409423466d56c63671cd7ee88bc87f19fc51c83c01bc09df651d99aae372929d981c6a7f0f0ea6672846f4169f168202

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
157fd48d976d87e165171ff00d511585

SHA1
78e0e02011f2be42398342228b9a61da949d6a33

SHA256
ce97fe8f8340bf18b095b6bd29e292fb00bca25d75ed29ace8ae69a678c9608a

SHA512
353024181b58fe3c3a080afdd5f7199aff86151ac0b755b9a28433f02847eb26012acbd57d95d27efdd7ad493f51477a567d8bf88e3fa12f91c4f9179aab68ad

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
760c81d8b833032487b15cf4161d8cee

SHA1
af90fde06d488d6e8b42b6e952118e1d9713e374

SHA256
380b7628486f2ea9cf98496307872b6eb7e15bc840928eb66b1dcef25fd3ced2

SHA512
6ec1fe5500a7ac7be720d2f1e842afdcae1c614acce79b442604525801dfb955f8c2cd5561f5129eafdc675f9228ea29c7f71de5c1162e4c2ff211ec18318b0a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9a40c8a3a37c8b5a8d7c09483ca9006a

SHA1
372dbbfe54690b0d37d3f17d599d1bd312429206

SHA256
6daf9174d8aa01ecf0619a07aaeabcc0164a59cc3fcf68337007a07722459f96

SHA512
bf276efecb587d76e55bc5fe6119d6830fb479634f1fab9aacd657c1f45729c0760246003e531459fd494f15643fb004ea7f521592d26d9415ab076e3a751eb4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e2ba9cf3e51008fcbcdb979db3e1fab5

SHA1
b1092ed662156cfa7661e1a0798bdf2614426fc5

SHA256
ab5dc2045766450d532feaff591bbd8ba9b2c54149ec3b6a218d11ffd162aa94

SHA512
79be44d52464fe53748e83bdfe68f45016703351ef14435064e8a28fa525b4d2a484300e7102bc6edcddd51cb9806bc84cc0081c6a0ca253ec9c8b15deecf129

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
765e27cb2f10b64a87f695a5c380b7c4

SHA1
f1642b6d60116963d37a4fb1cd379d3494b372e6

SHA256
5a5414a15cbb16378859129008435fa8df75a5a577ad289da03e0cfcf0ba6261

SHA512
ec6339becd137f84a4428b82b833e4cb33000f6470ef02df7366779de998897f518909d212849ed55a995117e59896920dd262b756db0e849b796b317030eae3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
24b1e1fcacbaaa15e699a832f6882eba

SHA1
1860a94d8ece567a3643f15beea8eb4e2caaae5d

SHA256
f3a3d87a26363fefb1dd99c8493bce65c04184951b4837cbf9c59e8a2a85fec6

SHA512
be74a30bfa092b7b6a784611c22ae9a814a630edcadcb28f566d56e34b6e338078527f0e6464966678bcb516af250c835c6fd06f079f0ab097925fdf537def7b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
005e0cf9bdad50c74892154cb010daa6

SHA1
dc96d7f0e92e9dddc989e382aa086cf2d46e994d

SHA256
4fa276418393ad9e6eb55ac1413f59bbd2a297a8e8d675c22e77fce511be73b1

SHA512
3c1c18c17e5a064bd8c6ea6d3fdc74152efc39d0e537edf8e46098ca91702578b8887bb3db490759b53dc44730be51ee1a3d05ecd6499b1d60bdb562b0b5ae91

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0c40e0cd4f83a5dbbe07a815b0bdaf73

SHA1
7d97feee3ff4c73789619451232db1772b0d50a8

SHA256
0bab945ab8ef811ec7ca419c5c398a31c0b3434364618cc97ef2b32a23dcf203

SHA512
856aea4f3e3a657c9910c888825a75c92316fc4fe1fc5be1c7b485f170404f9e9d0665ef041d5d00ea34de328fa7d8e69bc7994639f59e2c8295a02041465b41

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
8361669181536c57edbbcff088e5a992

SHA1
c1d85132bc31df9eb46be5e8d000982132be8d03

SHA256
286ec65cf187e3e7c93db41487c1adb79f456cb9242792ec498bb05d51ed4527

SHA512
43c11afa3e509d9c5791df2103a5db4ef20b8aa144e1dfeff5e7807057b0906d33115adee8487c425968b5983858def83892979075fcc95acb4386790ef73b31

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
fc19d5ecb2a0edffec4c38553a2d1249

SHA1
6957e877b734bd1993a055c98b831edbb6df257c

SHA256
054719f059968e0200600fdd9c97a380445b0ced08648ad554312015d424fbf7

SHA512
ade247840ae3ab79a57af95d76688d8c52604b01965a199332f241b5b79356086f6d2809814d425d63df0af5ea550d290330ef87a5d0dd370a92f1fd668335e7

Download Submit
memory/524-280-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/868-291-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/868-640-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1052-283-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1464-606-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1464-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1668-285-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1672-284-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2204-552-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2204-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2204-17-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2204-11-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2244-6-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2244-34-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2244-503-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2244-0-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2244-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2596-62-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2596-77-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2596-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2596-56-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2596-90-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2600-738-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2600-547-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2756-278-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2772-279-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3212-288-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3376-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3376-573-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3376-37-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3376-35-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3400-639-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3400-289-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3460-536-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3460-599-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4136-50-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4136-621-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4136-52-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4136-51-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4136-44-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4332-287-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4424-286-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4440-431-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4440-73-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4440-67-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4440-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4480-102-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4480-81-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4480-87-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4480-636-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4596-276-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4836-282-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4928-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4932-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4932-92-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4932-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5104-277-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/6192-588-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6192-572-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6268-739-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6268-576-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download