e601c21ec4c629276105e248a28f0b02b571a397186f560f4fd65d8d3355cf1c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
Size

4.6MB
MD5

228c1ae34160fd02c4076769f0ca1089
SHA1

b9555f0251dfca078b2d5b376dbc4aa3d823ae9b
SHA256

e601c21ec4c629276105e248a28f0b02b571a397186f560f4fd65d8d3355cf1c
SHA512

303b594a158957b7d8411de454995d1dfb2baf5030140ea023f83f89c370049a8c86d075271d58392e8f073ab3d20415a8f9a8b4f201fc382c65d6f75f024321
SSDEEP

49152:PndPjazwYcCOlBWD9rqGfi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGD:n2D86iFIIm3Gob5iEjTcYhyp

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4268	alg.exe
2808	DiagnosticsHub.StandardCollector.Service.exe
1108	fxssvc.exe
3396	elevation_service.exe
556	elevation_service.exe
2224	maintenanceservice.exe
2860	msdtc.exe
2400	OSE.EXE
532	PerceptionSimulationService.exe
4364	perfhost.exe
324	locator.exe
2016	SensorDataService.exe
3992	snmptrap.exe
3872	spectrum.exe
1800	ssh-agent.exe
3916	TieringEngineService.exe
3588	AgentService.exe
1972	vds.exe
2672	vssvc.exe
1580	wbengine.exe
4996	WmiApSrv.exe
2028	SearchIndexer.exe
5500	chrmstp.exe
5736	chrmstp.exe
5828	chrmstp.exe
5860	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6654a4b7b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095828231f1b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4cf9031f1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618086944261900"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ceeab30f1b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082e22f34f1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000808ba930f1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc957631f1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008db8c032f1b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed1e8031f1b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015f2da32f1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
2788	chrome.exe
2788	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4824	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
Token: SeTakeOwnershipPrivilege	948	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
Token: SeAuditPrivilege	1108	fxssvc.exe
Token: SeRestorePrivilege	3916	TieringEngineService.exe
Token: SeManageVolumePrivilege	3916	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3588	AgentService.exe
Token: SeBackupPrivilege	2672	vssvc.exe
Token: SeRestorePrivilege	2672	vssvc.exe
Token: SeAuditPrivilege	2672	vssvc.exe
Token: SeBackupPrivilege	1580	wbengine.exe
Token: SeRestorePrivilege	1580	wbengine.exe
Token: SeSecurityPrivilege	1580	wbengine.exe
Token: 33	2028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5828	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 948	4824	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe	82
PID 4824 wrote to memory of 948	4824	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe	82
PID 4824 wrote to memory of 5020	4824	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe	83
PID 4824 wrote to memory of 5020	4824	2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe	83
PID 5020 wrote to memory of 2996	5020	chrome.exe	84
PID 5020 wrote to memory of 2996	5020	chrome.exe	84
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1828	5020	chrome.exe	111
PID 5020 wrote to memory of 1412	5020	chrome.exe	112
PID 5020 wrote to memory of 1412	5020	chrome.exe	112
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113
PID 5020 wrote to memory of 2208	5020	chrome.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-02_228c1ae34160fd02c4076769f0ca1089_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee015ab58,0x7ffee015ab68,0x7ffee015ab78
    3⤵
    PID:2996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1948,i,16367496994586809086,17494898569940289933,131072 /prefetch:2
    3⤵
    PID:1828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1948,i,16367496994586809086,17494898569940289933,131072 /prefetch:8
    3⤵
    PID:1412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2068 --field-trial-handle=1948,i,16367496994586809086,17494898569940289933,131072 /prefetch:8
    3⤵
    PID:2208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1948,i,16367496994586809086,17494898569940289933,131072 /prefetch:1
    3⤵
    PID:2624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1948,i,16367496994586809086,17494898569940289933,131072 /prefetch:1
    3⤵
    PID:1556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1948,i,16367496994586809086,17494898569940289933,131072 /prefetch:1
    3⤵
    PID:5632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1948,i,16367496994586809086,17494898569940289933,131072 /prefetch:8
    3⤵
    PID:5680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4452 --field-trial-handle=1948,i,16367496994586809086,17494898569940289933,131072 /prefetch:8
    3⤵
    PID:5688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1948,i,16367496994586809086,17494898569940289933,131072 /prefetch:8
    3⤵
    PID:5180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1948,i,16367496994586809086,17494898569940289933,131072 /prefetch:8
    3⤵
    PID:60
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5500
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5736
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5828
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 --field-trial-handle=1948,i,16367496994586809086,17494898569940289933,131072 /prefetch:8
    3⤵
    PID:5816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1948,i,16367496994586809086,17494898569940289933,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2788

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4268

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2832

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:556

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2860

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2400

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:532

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:324

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2016

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3992

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3872

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4480

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2028
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6116
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
348ee3946473a9d78e80495cae6a3ba5

SHA1
e499cdcf0bee86bbcae8811252080ed9d1788f2c

SHA256
0f9193cff3abdc1aee85d12c3061f4a7a8419f489648680a705bc3895b59c6bb

SHA512
e08d8c356145af31478536edb5d9dc8dc4d03074b42413f09bb7d49a4d83c4597fde481afb3e0056e7b23f04561e73f949c43ea57d7dc94348ac171429aff04e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
78100e75730979ab2515d7e9b2a4d293

SHA1
0474535fd8cc747a4d54e43a693bb6a1f82c5593

SHA256
7f636e77b4eab0758b4aa5fcc06bd78c84ed41673c32481523a9994fd46fd0f2

SHA512
bd414cfe20c59305caf36d5c82701ac534438e3f91a02331411dce147d1df6722fd31dff9a6794e729535b1d9c325d03adc518c2104e1600205dc43c40e61743

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
f746fbff3de29a433d40bab9e797c36d

SHA1
8a527760010daa660339b5e4c7c63fc046a77625

SHA256
d715573739e0320260127fdc335c36b7c006814e38f17a481e85fece96ead2a9

SHA512
15e7b29616422a1a357bb77057b5e873c023f2da4118ad33fbcb1c5a0eb54de26f4b0e083d62e1e711c94b60863a84e3452726ab1f29b24c06eab9f66b8d6d35

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
010ec7f5d9df865c635157471420fb8b

SHA1
723bb961068130432ba5c4be70fae0e3c7f3eec0

SHA256
7d5fa1d00caba38cab221c39a86c6964f5c6595eac999aa5a6003c0eeaf38a4c

SHA512
c8b7a64e0f885e9fbf97ebf9d760f40fd394970b4dd7206d14d5d7f6b7a7f0ca42ba25c85101d4a7872d9fe60a4a73dddf96d6c0c5aeda03cf884c48b4650b5f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
33632f64b8bda78adf662311067f8e66

SHA1
9175449bf4440b56c8fd7e4c629aa725731c5a36

SHA256
99acceeb8c6e9cc5bb6144d59e0284bce3955320c565d1da39768211c8f80e82

SHA512
3f33c48ea3cf6ffbd29bc7aa90ca5a0ff0746f89fc8d25854c9c4eb3dd58eb3392343b6ec3da4e567769e0078e7c08bab339dfa17afc3e682cb407abeba2f6e0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
4cd09a247ed0813457ec76d798fe53c3

SHA1
acc72550667d82bd5da6592cc6020957f93f3aae

SHA256
49870626d21ac41903a27170576d3a206d97f42112d9f4cc16a9dc62e7872f22

SHA512
290834db8241e425b753aa281d95888851f7c2dd00dababfa24824644286a043a52e3358977ab9e49564ef00a8222cfe6ae31650fd1d492af4e61facea13242e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
a027310e5cbd30418b42e4a649388f34

SHA1
53541ae24933a6f6a0ba09631e4f3cbce06adfdd

SHA256
99b46808d302cff5e48aa3ee369b88e2e24ea9edcd032b82385d6296af5b9299

SHA512
0577a7703b74de9277856d9d040acd4fe5730e6745aea76aacbfbd522d24d4695617a3c53751c2c802e0f1a1503d041c9c064eb757bf1d534447117431cc22dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
708f15033ed167c250b24d8ca65f6787

SHA1
9b35700a1ba2e55342291039227abbb3bf7cc261

SHA256
f20fe3984a158a4970002008266a5128499f45c5003cb207f5f7a7928d48eb66

SHA512
f0226e67bb93df6d1e3cde2da536888cff69ed4b5c908a1a0fde0e946244215953776b0568a842fd3cb3c5291e40b2a537005243a422d14a9c1fb2fb03b56e2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
955df58147a432f4ea494d4780fbea03

SHA1
114e9a6c479c53760170cb101eacf0a077f5558f

SHA256
fcc0563064fc77c4746f9c278c7d295702d1ae83c3043abd409e0ed64cdbe501

SHA512
7475fcda74c4c29d7cd9e5b7dd2d28bfd75aeb31148f775020fcd1e42482c282eba95cf0f1af003824e20cacf74e682d362967012331f17e766dad07544424e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
45ad36cdf9bd4d068670d53466e1f8a2

SHA1
3b9e32af89fe8de2a32a603922ecc0c43bedc188

SHA256
a1144d192b90dd6f6b3a7b5c33bae1e97f31c875f03e5f3fd79b912acaed25b0

SHA512
ed65b9e5a3012438aff39c49f25d1e2b22b4de5b79c69635e08294010db918f1ffb4904529aa9a8f138b2cd97cbc8f149396105a4a01f5229a1df0e83948c8c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2c085cb09b243b8fba0b70610a8c8e7f

SHA1
7d1a1cc1a25c8a7704c08184c72ef9fe9761c5fe

SHA256
68891c5f123a03fcf29040787e0bc5335a0dd24a664afbf5e9c575070cc576dc

SHA512
90e7d085643533c90849cefbd5bb7d84992ef7eee9eb7151bca152f2e210c0c6e6d4a242ea33ae38fa00c4d7c0877d6547a6fcbd3dd2abcc3c3471b4c23a190d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
66108af052e376b6d4f78a6f447fa31c

SHA1
e8d7c50e4785078032efeb5f39136b73d0b382a2

SHA256
1489bd15157895eea9e20f1337788d784e5cb15e8fd9905b63c54db962aa4f5a

SHA512
951f1b20a12bee123bef6042297377d160252e96bd296b17d2ffcb144c50ecf1fe619e72afc11f98d0744be7fbcd43a174e7456182446c24799248cf7ebf3446

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
e3a89478f874fe9f28bc8a0fcc46c4d7

SHA1
28ea2d6d8dc94a2d780001d0a16be53f1508247c

SHA256
f76d5bc9115c48220a752041e0f1af4370c5651bbd3f098a50f810442cbb1d42

SHA512
707e58ced17bacc635fa58344b40734f9534f27546f82e722ecc238c9a0f350958cb341f2ee637ca05ce9416449d588a05fa3e7b47dfb6ec4dd31aa467d7a07c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
95117ffec3c35d14fdda75f8205ff19e

SHA1
f8bced42fb76c2c5d1cfd9db40a848f4d0ec42e1

SHA256
07e284617eb4de98ac48731fdf1dd6a0d3acec9ac4e87ec626dad52ed7cae727

SHA512
a46a3c4d2a629c114a0023d8bcec30125be3e0a5f305be5019484317657157729a44823f306647b8d489a8e3782de55401bc599ffafdaec396c1e0e1c9b2958f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f3d3c1a4c783780bb77d00ba89334bae

SHA1
b6d719c676e3d3e26052ea0ff74ffb3668e4f85a

SHA256
f1c3ec8b4026591afb7849965f1ccff74144ccd1c7dea969576caa0a321ecc21

SHA512
b66f3c22ca0cf8f6037d4df883d7935dd738146a668bbafa3b564d69d158cadfd7a5b8693c4eaee28793b8e00c224737fe6aa887da3c25f03bb03ccb3c10a887

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d51b70566aa8ff62552d6fa7a613d009

SHA1
4d1cf8b4672678e2d9a44d54a82e4ae81a7276d1

SHA256
441d02a357a3a5241bc78fc85514156a728bb3310a1ab8db03bfb30b1362e07f

SHA512
bd01e2e9606deb694ef1ff6c057d8d4ab103f64aaa47a105110246ebb39957d2fe4ec4d9962ef72404d94694aa96bd74ae31d1c273aaf539b7f99712681fa1db

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\4b6bb6ed-ca5f-426d-8f88-c94b61619be9.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
658597c4928f2d82eccf88d920922124

SHA1
19a184e216a097bd9830a2c3e8703aeaec4cf5c2

SHA256
379fdcef04b0433d88739761b4bd57edc6a4170a4c5ba096f5dfd66fc44607ba

SHA512
c90d0475dbd30d5319f250eaabc0d152a36120a207b16a2847ccaf7983cd4ff32c5493b69092c8016d3a750eb8c46ef3837bb43c85e6a43e6ae0c89b26d8fce8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
6be5ac4df05c64310434e3ccb782313b

SHA1
83004920e77c3a81421627c9cd6647f282770028

SHA256
d3416e158e22e032668d9a7d19b24b9b664ca71675fdfca4c2be9e3931a79573

SHA512
cae5ba13c88330c68275c3a1e86d710de34c0c3dbe3a3c2af755751fc80901738cff83b8d56116654403170936745823929880a5195a0f9427e4ab2257b2a5a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3a0a2ddb132e5a7e6b5492c76064bce9

SHA1
2074c56d765d500157576d024efbb0f91e3223a3

SHA256
8af283087073da506b2ee8c3da61f8ecf5698392810bf592702ef5a254fe2425

SHA512
b3ddcec0e8acfd441cee0ae7069cec2b9020ddae1a5d3afed75a89675e4c026cb8db0e225504797e55f10727f53b16d1022c4365609543523e2fd042f322f197

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4fa871c1fb3897544c1dbecd43249a6d

SHA1
7400edb4d37d1c5292b7aa86bc14d33553646836

SHA256
7025de201d539b2d0e3daf8d7a5178eeb9018504b30ae60bd22ab6e8d7a1d936

SHA512
7890aab121239daf47afb4f22258c5c4eaa38db8808db590500499d9149c2e99578ecac451b6017749de484f48bc3b942b330c857c577a1338f5f69abf594494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6454e0f2e4c4925532b9b36b644acd70

SHA1
0b395daa5416b9f9b47609c9039e95b0307bfdfc

SHA256
b26b8b25e0f511ba2faa0a1676510216f86f5224c5765d78541a81c84604ae81

SHA512
b9a31fe6e94b842e6b17e0b531b7a38ba2e79a93ddbdc17c6d8c66df38d0bf139e7ffdcf5a6c3b332f137733665f269c987d93794babd98c51a57dbd31eec5a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577ea6.TMP

Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f7fa1b7b801ca7fdc52b8e65daae6736

SHA1
73583b3108a342a25d7c27c4aa476cddc3013028

SHA256
673cfe3c154ce3ee975ef4f587d3f986d33a52a4f0451db984f5df178582f59d

SHA512
138f1437a8559508190a5715ad339bf7e0cda3aca9f1e5785512be2383b37e1202b493e1f1b10cf56f75157e9995f6a41cce77ce4d783488d723fb2ff6ac8681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
abfb021fbe8249d90a4cc5995291caa1

SHA1
90cfb4365547716d1d53d9f16e3b40b6c45e7cfe

SHA256
13ea9e28f75404de2e71a7cb5aea2087535ad0e06260282113a5c2641184eb56

SHA512
b655bb1f61cb335b7a9b408c94f40d1a6e0a0acab8f58f248bb69310b96daa40d7b72f3431b97ba2172d4813e52d78fb89d026d7d182b9efca9841fb49438d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
d1aaf6a11d9418fd633bbb504e8f1f01

SHA1
51de16a3a2fbf56eb0de6a51d6ce3abcb2fbd404

SHA256
883622433561af68f708f3a2870858445071e3499fc8cba0a86851f675763013

SHA512
c6e3946de2150b8e29dbce38da028394f445b135d449b570ca0cd8f4b05ee96fd91d42c7eef86a43344a429ab845aa949ae0e9faf0db82eca4681b3e5990f7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
b9b4d46263567b96ef29a497a9989de3

SHA1
2cb535331660339ea5ec8797f6da6b66444dfced

SHA256
915ed223e09dddfc5fbba0108622e6d6c9e9677dc5a8306740e6c43771cf4fff

SHA512
60792c397659ed06423fa421344c51ab917d9185230f15b452c847976bb9bf1ffa90088a7808dd6661eada5985fa788ad2c253832b3258aab44b40b87141f70b

Download Submit
C:\Users\Admin\AppData\Roaming\6654a4b7b4b1389a.bin

Filesize
12KB

MD5
d800503698c65b2c12af4ba178f463a5

SHA1
8012671619cc9f29b1d134113850933b27fd430f

SHA256
771477aaf059fae628b6fb965d9f05d5d4c2b6e382036bbc1ae7c6edf1f45022

SHA512
2e24468b56223173060670f417e03c70d5d66a2d1207f64b8ca844acb98c248234663186e3de2da59bb56e36fd0d1609302893303b80a8380c14d622c3b9683f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
f865764dce1ed13e9c30235396c99eb5

SHA1
3acee48da45ee1f8680ce9927f64d1767f2fa1e1

SHA256
6358c10a29b077190abbb938a57d8af3e714fcb8aba21e7ce2db61d322ba8305

SHA512
0077ea82aa2bc4f4eac498a60f8f3c2537188719fb5595d83d20474367895e50f09009c011eb58099857613d88661c690b56d3b9ec53821b9fbf8c44112ae9c3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e6a8e7cc7c87a8f830e3d967d98bdb65

SHA1
4939a6e7b4179c1a8760e37413ace6abcd7ec4d1

SHA256
63a405caaae729aae21613b50817a034e4f7b8002bffcca2fa556df8980a2dd2

SHA512
8e4a06ae97e7ce73ea7a5b4d443a72d58ed3e89d30ba745890944c6ebc23734d94ac2f02e8ad8025c51169fff6a7732c75e5f12b88665106e790bc971e49d1cd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
cac692b6f82c321695a6e00d957e2233

SHA1
4ec224a20668fe45b71160cf6c7f2a314574884e

SHA256
a5871a8c14a240948808730e2bfa45acca15a852fbe5e6eb777ed14547048f2f

SHA512
020a865ec3575af3249bb8e6e422ca03194c3a7c93ff12eeaec3651e2bf1ef78b7cdd8f84c263f13436bd22cb26da5cce1ad5b12086f2ac96a03e1b1fd272808

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4062e0952debe3ec1bafaaa2355b478c

SHA1
e8bef519397d48e584db8ddf88cd4386eaaec2fd

SHA256
a45472dd6ccc81e3803de219a0a5d874244354223012651561342cb43d578901

SHA512
cda155f0f7cfd2fc938039302efeb4954e9a2ee0c9becef4626d73f4cb09ddf9a648254bc9b7f5b1691569bd56ac134a504bc89942358bf34737c8c46ec0ac51

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
a38c201a377a5c6fff29ff23e6e01ecb

SHA1
023be97de3ddbd6f02f2cdca2f4bc9f410740ccf

SHA256
344e7e6b92deb35f86fe29754e24e130f4d115c6f4987156240ced0042dd9677

SHA512
9682f1b00be3bd371b9a0903607ed67a3794c3b1483dc6793596ea17fec879f969dccc3fbbd7c985fe1d67c86178ae766485907c90af60bcc8daaccb46cab378

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
f5ae77ff373c6b15e70aafc5eb6ee138

SHA1
2bfd5532de378835765770f125f9f43a5a03823a

SHA256
ae333b9dafca11f12403bac1473973da0c6f7d79494cfbd0f20488388478cabc

SHA512
5a181e8b5c07683d210831b8d6ef005dc6ca6b050c891fb46b19f628b18a5b2ca543b6bb1ea75b0969418aa0299d3364d0ec49ae4510b6e217ded9f0309c206d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
d037937c4955aa3b892e3500c5038d68

SHA1
34ed5d9f454870ff33eac95d39c0d68d5a7d5a57

SHA256
72a0e1e4e1b809fed935ff3e75548020e3587e84f5271d62248a3c354c642b1a

SHA512
b476f477a154f26febc5259324153b560fe21ec5da72dd0b7ce6cffd3449018033d840dc9a6d582a8407c7d7b0f430a6d06124940e6a74c4b24deaef631e1000

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5d7979dc9203285825ea8f8ea1c65ed8

SHA1
206b6ae06b4dc6b818a62de0172131e4b384e422

SHA256
dbbf0010edcbf32f695c8f92d23a2b1c38ebe72ca8351f6bdb44cdac24636cb4

SHA512
bde2560338dcd47ef3682484d9c1674d085a0533f2e7e6010b52553e31f4077b8b25b0287aaecf46e1d6504d8b2a290ec8195d575ae10a4d5162bb3a053ba070

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
01e1d0e73cc6aad0ffa711ebfde28daf

SHA1
57b3ed2517e808ad1b07ba158d50a4cdf880b83f

SHA256
86ac006b7c9460bcfcdfbbe3075ffc81bba06782c744bb678c503f1b46933755

SHA512
b69d1529bec378eaa9d85b3195bb7f53d92453dd854f262ef033f0a1d7146ffb889584ed0de37f75f3d707ee31d3837ff529066a1fda45f4f8f76754996c3580

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d47f5088e4ed7b31e6a5b9d97d085547

SHA1
d5cfaf6587182762f5e9b7fc3612b33b254f0170

SHA256
ccd9e5b9a6366f1f3449ce437d4c6a4d02d5f4784af1546b8c7ed649a0048101

SHA512
747a22eff46f94c89c623370d37f436a4185d3e589afb2bec8d6fae0c353f81ef34f4d7ee46c34ffce54ac2479d0eb6c5cdec3dba6c818ab80672d4734d11a36

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
ee0ae7b5542ce272357750f2cdd0193e

SHA1
3e516bc1e07ecfd96568a8b9c4a41da2834eaabf

SHA256
683bea61444ed8f918883733e5591572321092ea9f552b1b728aab9f874c4d7b

SHA512
1125111d77a572ba801b87de2ca64a634e0e55cca5f3bfa0c580cbe8067ac0ffe8741eb0acfb136033c65a7999688ca2a7cfe56c179f6705746700fe397fe7c8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0fbf6ec714f6f5b449daf64d028457df

SHA1
3eaf054f3e1bc946fea059d05183aea92579da61

SHA256
46778fdc8c153352a40217223da4639d4496707b39f386a352de4e0f1c1bae7f

SHA512
1bd0fb8c23809ac16785c5b153dfaf441fd3a874a5ce78e9f3d083b44ecebe97993c561f653e5f3dcc6e074afc831867ad7bf62ec0376c77c5d3ca728fbe9d2b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
fc25554b811dc35928719905da521827

SHA1
6cd059d64aa0f5dfad35de78b3a65ba2742e9db5

SHA256
813ddbab6645aa075983dc130a3f239899dae58e884b0a8b8103cd1cb90ef5da

SHA512
d301a2de88666a00309ff6d8ef1955641c93fb7800b01946ed03f95e9398ce9783b04115c2702381efdc0b2efd5df03ab643adb58ea64eed0d3bc30b33f06e07

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
c90dc75b302984ad749b504174f794f8

SHA1
47c474e1b95c6fdfd0044900d31d88979f7501a2

SHA256
a5bf1fbc1f5904264d384c8a1876bbe5c647c4aed371fb95a28b1de623e6926d

SHA512
5ce79777b29cd73f111bd5bb64b9aca1dd57b67fe3aa88a0d220f7f1c258b664239615e1d8601b05fd1bb45b028c57108a4ed29186c479acc03fe3cd7fabb09f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
59e1e34b7aa151eb33f9600ddb73ebd4

SHA1
ecc17d67a46a65fcb04e2bb2b7ed5aceb3e5c97b

SHA256
d911dfc6a21e162a91982dc36a08b2bdb1712458d209209ec775e9c0104b1a31

SHA512
855e64862e4190c56eb311cdd566f6f7eaadf7b3170315aa419933b177c56bed8739345fabb9d3fbbd17305f53b429928e6d4002e51586e53aeafa6418b710fe

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4012294b08de2ca32566b7b21b5f9afb

SHA1
79d7e631e6976268456ad97ad3b993c406fcb612

SHA256
2f574ee617200cd8ef95d5c324b6c1347e079e0ef643bcf545f78f158124f0f7

SHA512
6a6c6887b509d05a0b5a9c19c82f37b5d4009bc06afb14682b22bfd0637970d62bb56b500e459dd9d4d7c07c55b029a41ead7c890120d4cc66312f4d42914dea

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
014eefc85b5aa6847678a822d203639c

SHA1
095721598755e3f0a92e5e7cfce715a179306c19

SHA256
5cbcf8a3ecc4e808fc6425cdaa789e1aa32da800c03af4c59abb31b9b081c931

SHA512
b6a7b8848a70303b46fe959da17901be38c68afe5dac5eb869c959571ce1b34e9228a7554530fa6122736382f942ba96d3321c5f0b0d6e54e7f06fbecfe0728f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
88b3af2d4af507c42117d0e9f3081dd5

SHA1
b212daf281f659fb861bdd5bc529bf5fb2948847

SHA256
7d9d560caa5c1a22f4f78d51e2f85feda7ef4a73563d88f64465e2db7ae5e785

SHA512
5e77ac77b2d39a7d37b10e0b36c8816e83f5be09596f51435b75e9c58eb85c33c5e1d17c35770db1dd14dd1007b9fcb6bf1d59d19b5b1bc7635f67c1de943b0c

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
730713e335f3f455b13794bce8251805

SHA1
1fa6d884cac2d089ac3e202709f83c762abb058d

SHA256
533b79af89c4af579f225e3aeee16ac54d512d8031e5887ac75195ca45f25425

SHA512
8ede0eddd7c4dcd997148f75bd988d8a8c4e3ec93786b18e12691704a95e9a6dcdf988afeb705038e0fd3740f5c28b74a1b9dfeebef99053024a98694e9497ed

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
c9f4a1d07579bdfe891669ba4a39d71b

SHA1
c256809f3c4bf91fdae47d4616f1602f7c23b76d

SHA256
fdfed4b171e8b8f0f7af138fc43f533cb7fc4a5829b6d54276402a696996c5bc

SHA512
911c297e21c2fee2450c4304c6b2d84cf45a4a7cfead4cd6acc9402d13f3e35af661645b2e18b1d911f4d556b860051863a763344a0c4094362ba7aa5d327099

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
e40a6748e4b631723e47698ca1ffa411

SHA1
14999cf1e6295dd631a755f6b93778c5486f2a27

SHA256
d839a162e1d8f9c9a692a8a25010e3fc5e5167f364bf4f5f3cc0427f65710445

SHA512
02e8e823fe793debc6c3e2e13e1cb18b8941a064da659aa022d18d714c6b0decbc6b13fc659e2d7658e47e09365100eb1b9d75aa878691e22f2f200494bb208b

Download Submit
memory/324-315-0x0000000140000000-0x000000014020C000-memory.dmp

Filesize
2.0MB

Download
memory/532-313-0x0000000140000000-0x0000000140222000-memory.dmp

Filesize
2.1MB

Download
memory/556-307-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/556-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/556-795-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/556-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/948-540-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/948-11-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/948-20-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/948-19-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1108-58-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1108-64-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1108-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1108-68-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1108-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1580-352-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1800-323-0x0000000140000000-0x0000000140279000-memory.dmp

Filesize
2.5MB

Download
memory/1972-326-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2016-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2016-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2028-796-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2028-354-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2224-104-0x0000000140000000-0x0000000140246000-memory.dmp

Filesize
2.3MB

Download
memory/2224-92-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2400-312-0x0000000140000000-0x0000000140246000-memory.dmp

Filesize
2.3MB

Download
memory/2672-327-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2808-45-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2808-54-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2808-53-0x0000000140000000-0x0000000140220000-memory.dmp

Filesize
2.1MB

Download
memory/2860-308-0x0000000140000000-0x0000000140230000-memory.dmp

Filesize
2.2MB

Download
memory/3396-78-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3396-306-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3396-449-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3396-72-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3588-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3872-319-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3916-324-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3992-318-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/4268-40-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4268-32-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4268-648-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4268-31-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4364-314-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/4824-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4824-26-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4824-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4824-10-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4996-353-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/5500-599-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5500-535-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5736-797-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5736-546-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5828-588-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5828-561-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5860-798-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5860-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download