a8537670671c5e73f5348eadb9057f7d6264914ec125322aa7f92bcd391cd4f8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
Size

5.5MB
MD5

1a57be44b751632470b6a227ceb55c34
SHA1

953074ed1785ace6280315229e3a07150e6bf211
SHA256

a8537670671c5e73f5348eadb9057f7d6264914ec125322aa7f92bcd391cd4f8
SHA512

2007e9834df972af0b6c68267122ec5e1c5392a981fdc454f9e0fc8063904801542d57a3655eb4639938de2c2ef07e6448c8e7f172133cff763b908e8b5f7efd
SSDEEP

49152:gEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfE:uAI5pAdVJn9tbnR1VgBVm+nlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3268	alg.exe
1328	DiagnosticsHub.StandardCollector.Service.exe
3476	fxssvc.exe
2404	elevation_service.exe
4532	elevation_service.exe
1612	maintenanceservice.exe
4976	msdtc.exe
3520	OSE.EXE
452	PerceptionSimulationService.exe
4304	perfhost.exe
4524	locator.exe
2740	SensorDataService.exe
1896	snmptrap.exe
1476	spectrum.exe
4308	ssh-agent.exe
4616	TieringEngineService.exe
688	AgentService.exe
756	vds.exe
4624	vssvc.exe
1580	wbengine.exe
3992	WmiApSrv.exe
1660	SearchIndexer.exe
6120	chrmstp.exe
4212	chrmstp.exe
5544	chrmstp.exe
5600	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9fd93987293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cac6fa696db6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8ec206a6db6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021daf76b6db6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ced1b16c6db6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000388fab6b6db6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b70906c6db6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f00156a6db6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3404	chrome.exe
3404	chrome.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
4792	chrome.exe
4792	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5092	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
Token: SeTakeOwnershipPrivilege	4140	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
Token: SeAuditPrivilege	3476	fxssvc.exe
Token: SeRestorePrivilege	4616	TieringEngineService.exe
Token: SeManageVolumePrivilege	4616	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	688	AgentService.exe
Token: SeBackupPrivilege	4624	vssvc.exe
Token: SeRestorePrivilege	4624	vssvc.exe
Token: SeAuditPrivilege	4624	vssvc.exe
Token: SeBackupPrivilege	1580	wbengine.exe
Token: SeRestorePrivilege	1580	wbengine.exe
Token: SeSecurityPrivilege	1580	wbengine.exe
Token: 33	1660	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1660	SearchIndexer.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
5544	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 4140	5092	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe	83
PID 5092 wrote to memory of 4140	5092	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe	83
PID 5092 wrote to memory of 3404	5092	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe	84
PID 5092 wrote to memory of 3404	5092	2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe	84
PID 3404 wrote to memory of 2648	3404	chrome.exe	85
PID 3404 wrote to memory of 2648	3404	chrome.exe	85
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 1444	3404	chrome.exe	112
PID 3404 wrote to memory of 3172	3404	chrome.exe	113
PID 3404 wrote to memory of 3172	3404	chrome.exe	113
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114
PID 3404 wrote to memory of 1572	3404	chrome.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-04_1a57be44b751632470b6a227ceb55c34_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc001fab58,0x7ffc001fab68,0x7ffc001fab78
    3⤵
    PID:2648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1944,i,2730144760202019173,12928551710046389978,131072 /prefetch:2
    3⤵
    PID:1444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1944,i,2730144760202019173,12928551710046389978,131072 /prefetch:8
    3⤵
    PID:3172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2076 --field-trial-handle=1944,i,2730144760202019173,12928551710046389978,131072 /prefetch:8
    3⤵
    PID:1572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1944,i,2730144760202019173,12928551710046389978,131072 /prefetch:1
    3⤵
    PID:2948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1944,i,2730144760202019173,12928551710046389978,131072 /prefetch:1
    3⤵
    PID:2124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1944,i,2730144760202019173,12928551710046389978,131072 /prefetch:1
    3⤵
    PID:5232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1944,i,2730144760202019173,12928551710046389978,131072 /prefetch:8
    3⤵
    PID:5304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1944,i,2730144760202019173,12928551710046389978,131072 /prefetch:8
    3⤵
    PID:5316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1944,i,2730144760202019173,12928551710046389978,131072 /prefetch:8
    3⤵
    PID:5940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1944,i,2730144760202019173,12928551710046389978,131072 /prefetch:8
    3⤵
    PID:5992
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6120
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:4212
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5544
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x26c,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1944,i,2730144760202019173,12928551710046389978,131072 /prefetch:8
    3⤵
    PID:5376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1920 --field-trial-handle=1944,i,2730144760202019173,12928551710046389978,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4792

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3268

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1616

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4532

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4976

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4524

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2740

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1476

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2352

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3992

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5212
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
85ef9cc40a7fff97e265c2115f79b5d0

SHA1
24232148b904f042cb84341ec4c318623d52575f

SHA256
c9aca539dfc47b5da0dc8ce265eb7053434938db96b047ec716bb42849df39b1

SHA512
3e7daf363fa9f2bd5a476033c5141ee449d38ec321f071841826fa3aac8a52982d21fc93f0f480b718ac8fb46504de00d14b20275f01d2ae389cbb05d5b9c989

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
da491a8a65d22e87278802cef449b7c1

SHA1
3e5ed57be7792932d67438d020245cc0acf33e34

SHA256
861e5510190bcc64525702709b58cfb8fcbff3a42a7b3adac48ac3e3babe0237

SHA512
58c09aadff30980d33e1bfd0e2cd46573e16ba0386c4c7eb5df8eaeb2b34b0d6df6d77674acdffd62d9b961289d8bb54db26dc3d35c0c2279353901631e7e12b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
34debf6b34c94c953559ff45d225564b

SHA1
e0098e7186032e0accf27b3d378ccf369da5209e

SHA256
f20c11a8ee9f0a550c6862af0628b380694d167139596c43efa1a4839603848c

SHA512
7695a5877c2e83fa047ee06d1ca529473c20ea4c734eaa3ab431db5903d62d45f6b7be13da1e2e1a48f9b9435a72ae5f43df06f6856b8f8e1149f3e5d9de19e5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fe2e7663cf36184dc5e4ee47aa1a120f

SHA1
85257a8c9d0a0724b400508c1490a21205401115

SHA256
5568dd41261924aebdd57657ab1ba2e4cc3af3fd1f23643de019f45535fbef5f

SHA512
51b718f24dc5928b0559a0a748ee61eaa5fc1f828e2782c81d402ac766b9a1b1f0cc774204732de5c49a56763f6cf43dcd7a4233c8d352edc85fd6347721d3a4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
76df21ded11fbbb71394382c91788b92

SHA1
2a3fc2332436d84a8866a343f6679ab4251472d1

SHA256
58cd5abd96553023e19b447d6d54bb1b7e41ac592c5886bb98c46cd31b6d7be2

SHA512
f3b3d5601da63bc3132eea9535211e9f909e78488a6fce2282039a7f4672e1f6aafee591aab37580d0f2b9926786bce6ec8392e5b300a9c06ebae3975c748c9a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a7f7e23f7cbd55be627d1ce5d3e0ff57

SHA1
6da19d8c1210d66c00b7e54e8d043367684e0a98

SHA256
6e5f1fe6b89ebddc49ee1e919e4d90cd40b2038afaacfb959119794e634e775a

SHA512
c12f81d1b6f7bb83325804e18a94e882b3dc35a9c96c1b769d3f4fa793734d238f14901350b630d16f9c971450cfbf4cc5deb35bba5997313f47bcfe2010bdd7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
41548742d4ea439f07cb079bbc2dfbdd

SHA1
915c48d35b2927d3bcc812b6ce759f34bee25c83

SHA256
55136228fc872497a4a6fbeca057c07a5e49e956f5d11da2f824a270cd2dc296

SHA512
2e1fb07629caa0cebc70d1562cd1905886cc816136a77a05d4a47ba4badf538ce8725603fc80008056cf123f24dc01440f72cf7669b56d3a21eac00ddcf8e0d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0bf1b644a31d4567cac7eed180f91004

SHA1
4e2cdf288b344f0a1b3c6bf74c16be56d3bd1355

SHA256
6f8f8e4faf3207af65be030e588fcff1414fc9dff4d1d96917863351dd28f3ed

SHA512
770d68e23bfa3c5620ff388535b470846bc2e434a4000352c5f113672d52954eda47b9d91d7f69f74bb3a98bc0e482fa6697f3c9a11da3fbc9a4b757e1f6817d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ce6151efb9994199837d3789a2021875

SHA1
6c34a171be2dbac91d3d22e30f12d54eb83c9d23

SHA256
2e0459190b004f7a1885db7aa5a8925f0fb16230bfa5e1d9cbb6c231548f76d7

SHA512
fe7c07f82bd591e1ea9a3971df6a40a25063a94651bfa93bb7054c549f0806f89937cf5c9b921aae03105f543c045066c4a288ac60283f562bdf6609cf37f85e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0ae4cb0bd2618bcfee82065658ef4532

SHA1
32fa6921e345669c23aea14b44086fea6cca2cab

SHA256
cc02fbbd56c9d55fe69748c87cdb183f0c8c4b2df180f77e56c83d569d957367

SHA512
72bbea5bba785166adf7339432082aeb248a289f10b9095106f4440dc0d942e8ff4ef1bdccdd95e76961d75f474fb408b8633511c538a14cf9aeaf23d7003347

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9812040edc1a899271ef7c9fe2b1d7aa

SHA1
88f47d03b4aae9745e9734cbb87b03c02b84b4da

SHA256
5884a9aecc2ac38d3c684a281206651a1356122af38dfd3eab72a0d642708675

SHA512
198de133efb71ded61ad4862a36684ca34aca66dc568881a30fe517e1b8fda115d7e4c367cfa343839e8f24807f618e5e44fc00ded981bf9860ee8059b339769

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c171e1deb91ab0ed564947659b3249fd

SHA1
702abb91405b2e824894d27cd5a288fa4e598590

SHA256
7f7310af99f914733b340bcc1bdf2a7a46461b914a21a6ad1cdd1de36d88d367

SHA512
28f9583904f30308c92e0ea0c872b0ede189500e65c67dd60c8b7694f24a0ab8acffa858859b66a0ce0a6e6ad08bab2d893e6c9a207de55f22fad6676eecf6c3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a9028ba3737d7abb7502dac5ed6c46a3

SHA1
b3414920e6d0b705fca5b11e115eee2c179814f0

SHA256
4ca7cfc3bbbfbf9a6bb561d3b6b5f417cbd7e7610505a8c40b9142897db8cc8f

SHA512
7122b0880967b90bb840212cb43ebc9a881912061322d46daf25953ba1c38e5ad6393bcaf6c99a2ea79b47d755c7a42b4338722dbe19ebcbd4ee35c8b20f8301

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
53fd5df056070710a87ea1d1421fab75

SHA1
d6e0527fa343d2b06385be8e515b5a724a9b10fd

SHA256
a0969203ca2ecff00c828538af8ba18e872aad7733005961be1845de01f4ea6d

SHA512
689a64323668eff3aa68491991d3d33695801d5b8403743771677accded7886931ec7d0b3c42c036f09e658de922672ceaf6f155aa64d4914d949a3cb52848b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
76b150fd0bcb68d4c4f0731413520d24

SHA1
ddba7ce4d1f3a02ca24a993563b2852b265cd607

SHA256
95bcad684e1a409e4584ed7cb26c41f7cb551dce22d2500061a1a97509053bc2

SHA512
0fdb39af086ff5c965a4f5dafb59225898a65d299200673051db0cddc4c4e672dd08a60409224855127f151677c4d9881c1c484cc5c1e8150f326ac8fcae090d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b47f9c1db49a77d66b07a9139aaf6116

SHA1
46143b51a70458e0eed45166162872822567923b

SHA256
b62d2b4d775b72c61eb15d1045f747e61a06ca128e2e9440c9c6fb0431f0f576

SHA512
7059c214c03e4fcb87118e53e48f72e82d61f4c90f799237b6f4145f3479e97014a867bcefae38ca51bdb4a1147cbef1d65178e6fa0ea7e09ba5cf4bd08e4b7e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f5e0ba8239bc7535a24b34b6060bb303

SHA1
d817cfb67615231b7d747430c2804eee84c6887b

SHA256
2cae2d517e161f933516ae916288b70d67ccf5d981e55efd0dc9282458486aad

SHA512
de51c6e0c97826f6f94890784e9fae15335fb3285d51a69a133b76911b6bdb80a0526b52649a61145077cfa794aab0746381e469a2c2322058675c24cd4b94c6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2e161c3aec4f6e7cf780c8eac14aea0b

SHA1
e67b834a2d1646ad5c1ac9fa2411652fbd3b7559

SHA256
eb8bae41c9905d0556cb0dc08d2442472b16d0772d9c68c918dc710f250a729f

SHA512
1c815a3f74f9e7ea7b292559a82aeb2b295dab85ece8e907fa999a818204c3b9eb1f644d1a4c901144c68f88ab84ab76b7458ee1000cb683146d8ad88cfc1c5c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
25c963371d7b1ab943427fdb70cb192c

SHA1
f57590900db4256e91ec1a5fe8f5386638b9b2d7

SHA256
77730b36b99e65e82057b5558f68ef16a0d8dec073e61be2ca5a308f92173545

SHA512
e7bfd4b895f621e73a780e09a29a8dab370a55c13b4f7ea02343c5354f0cc730a2f6e8407b707482c737a7ef48ebd2ff9ea71512df0dbf923dbbf5c8b933fee2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bd4389e92c813138622e87b255ac8ddc

SHA1
267ba521814e0c646a42fc53f03fab4ad32d0dbb

SHA256
db4d42b46e7eb008d9bc7cc6d1bb3946eddf2e1884906dd5023f52c709af8771

SHA512
94536a965c28f681ab04ba0fa2e7e87195972f992dc6cf84b4651c1a70022f121501f0e08805e5c1b23eec53ba2586a051ba076ead2c68584cb5618937394933

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
43d9d3b9d3018c26e1fd0b9b96fe49e9

SHA1
f1a2b9887f6387d0d2ab4fedea70230f872310e3

SHA256
ffee76d1ade5242a678f238210aa7d9604c260c47a0a701ce7c20f7a97b00897

SHA512
f94294c41bdf7d193fd656e250e21ecea1d22ada847c202fecf735a6755b1ae7ca2bd80e1ffcd749bab635e10bb062e7f8ca7df5404dfe9107ff0f4c1d5a182f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e5fed02af4e309a6eef070eee14aa4e1

SHA1
b657b694d9ca783af8763b041b7f0e7626e22efa

SHA256
39c32f3ce8bcf3ffdb5d2d98dedf16cb20d3e3db30f74abfea8cd0f707132e7c

SHA512
c923631968a6d501dec1718fa11c64d8292f180288a1f2c108ba7bd6a88854589aa57d899a1fb8837a9b1016c8f06f2f6e26cb95b555b95dc88d763ba23ecc80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578e07.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
431604180347a4657a295e246c3ff9b5

SHA1
8d14f55883748301f468dc067ffbfa9887f33164

SHA256
f93e53399f0fb35db741b6c327a97a6d3d737feac583a0cee1149637bd234474

SHA512
e680b6e1358144053c6032352e0268857ccfbe7bdd35da776fefadee80ad9af596157e3177cde1b5ebf81e4b569db7363fbbefb25b47c31be07521f582d1905b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
a30b6e43672729d54c88b0f3e50c3f59

SHA1
59ffea3e5833bd3204048aab0c00536a7c068f04

SHA256
db0ecb1eb9ca4787b31ce12a8cdb4343f00a557e19c247b384f305d4dfd29a65

SHA512
83bf0d480d95b8b325de7ed2363c80a3a3c56868b5ba0476fbeb97b69f46b3e0d64669cca494947323b7fbd81a6d990c55104276c7b1c022d081b6c9cb79b04f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
6b50488b07226989218fa815bc4127d3

SHA1
61575e17f7466617346c144cda1c5c1fcb5e7e12

SHA256
10aa6f60ded65c2ce74074b00d1d6cfcda5e0e2bd2a0a4c7c0bd456f508568fd

SHA512
0f921a06459e4dbac1090dc7637a3b8d751dfa15e1aabeccf14851bd04e2b87d78d08a050e441d65ac8d0216d7f71b6c0c9c22a66ac1af8f510bf0c9676108fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
bf53165608b61d495f37c5845dcc5739

SHA1
c3509785d9bc7651078a0a779e17f971c20c01a1

SHA256
6e558b8a98850db66938b06d625f4e315d66a66046ffe3f366f9cdec427e7015

SHA512
e724006cf3f05184f6551ebbeeed385c777bd637d01e9a79535a9495677378e9628166e1bfbe7ac30e4500c6c324ffdd6e45cc50753ae4cd132b7da594fa6677

Download Submit
C:\Users\Admin\AppData\Roaming\9fd93987293b476c.bin

Filesize
12KB

MD5
20445dafff50f5dee840a7f70184ed72

SHA1
0005dce4ed99e8779627932eda222c1f68f32edd

SHA256
ab84f8e621bb4915aaba5bd6f9a69f781631b8d7f009bd5809c44e44fa732c83

SHA512
7106a7f7d12fa49414171f8771afc276ce7cb96c60167ac9f8aab2af4b211154042b1be20999841815e37f868612b297df80b8ccab911ff6a6a018ddcfe4689a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
349dd8d9070d2999d513fbee88d4607e

SHA1
81a5b5212b511a1a16e6aca1ae43309dbacdeb97

SHA256
3362ac9e0284a5cf1c73965d1d79ee298d1c8a597f2f9168cbb4e0386f8836bd

SHA512
ad6def69e852ea62d47cc83c5ee0f3ac293dd26985af63316321102d2f841d3533f41ac954edf3998672f70e8e881e7bc55da6bad6125a851eb24f48da26927d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
efe7625ca8d9a060695f1e2f34508aca

SHA1
7c8bb50db8863ce03cf55ca998c26740836388f8

SHA256
5cfac47aa4c19af0bd9f338ea65aca69eb3c3f18d498379fa63001c8056c7699

SHA512
a2ccdc1c606bdb853ca8de9138b241b6dfde13684036696b78fc2a32ef7941268f26a8d7476bbaf5ffbf1e0ddec5c5d310cdb9a7d2fa5102ec707515b3b95872

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b6e864d9c8980f0c4e6240464ab89d78

SHA1
700a685c72e2146422d5eec13157adeef0cd78c5

SHA256
eb6c4c7d417d7d190d5c4e89a21e4c67dd267ea60030181fc2eb599e61955807

SHA512
cb5c4b9725dfcec11dae38c49178c795ecbc8949a5db13ff3029e1ab36f2fea310f6d67f887fee93bb262684e908fc661d6bda34cb818b0d82ac4ea470c8fbd9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e0ef35524188bcfc1d4aa1447faf3fa7

SHA1
ce20d39251865c70865b00c00d4418aaf7c6df0a

SHA256
9d7466f196638ec4a4774ec408061a4796fc9e2a63affa03a576fd18db3dff67

SHA512
2eed9eb202276832ff9c6b2056df11e58880e9e5970ab3d86a06bee73bff1958aa5cccd4d8551a4da1c7322003e28539a8b1ff4dcb7a13e1b35d34b9eb3c8656

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bd2933f3523e745bb777dd75e24e3da7

SHA1
e8449e7b93aae1d5707975edb90fbece73265621

SHA256
611b4f9fa7d76dabd59bd0bd1689fb89394c3f04ef589132e71eabcae0cd5fac

SHA512
d6712495992cf66be4468bae41998963008546e13cbb620c217368602274e3e7939646aa3e9a9f0172ef840cef667d34a7e1757fac2fb55a3e889b8d2cc97b78

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e56153e277ae498451f755908b9a1a16

SHA1
554c0a2fcf2e413528657556f3e68ee3f4b30b12

SHA256
bbda66bbe95545060e29f678b032eca959cd624f03e3f85962c7725c380ef56e

SHA512
49f7684c85cdd247bdb24faa1c02e89fc0829d27d44a125e1678838c59112e8087c5f6821fe636b7e09045919d2f8910e8d6f5ac30fec2f2125ea01799891e52

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2914f5110e5e8d601131d9db62340df0

SHA1
c4c063b73a08dc9dd16a9e0e82190a9ad9378eed

SHA256
34d172b144e260935fdc865cbd304b6cb0a9d31aee9eab22e31c9242eb912385

SHA512
5459acf3042292acedc2dea11b70cd6fbd3490ba2162fa8e18d695162f9d5ad0744e2016def402ea1b3f9e6fd7e0a680c681ba439540fe054889ee73c76bb9c7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fe019995e60265c58017a089be7c3284

SHA1
7740c45d7793a282abb087c58109b1ded9ce8ea8

SHA256
3424f88b73adf7f8251810ad8ad76eefad645f7fbbe0c606cb9289b68e0410dc

SHA512
7a4e87eef1b064a608644a387392c8c0bff8cdc9c7302add66992fae1e051b025cd74bdbee0ce8f479ee80b49cd01803c0be4d93bf3416a2d993ccc97ef29ac3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
df71979d301f9106ff2596a00f46a3f8

SHA1
5d00db8948b26c00fa18574e473576ab4399f290

SHA256
5fef45d8775024f33e376297f0ddd4561666c71f11f4913700817790693271d2

SHA512
c63174a5f38ac9c6fe2c810cf0d4d068c30d697257c987028de67ab4f307150f62a2529584952a430c11f4daf40b0afa4bb0b3580664ccd36ea8871c1c82f4e0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
be6c42f3fc66b4811241acb2df66ba41

SHA1
ff1a12b32b4c77b3c58c2210a9d718e0facf441e

SHA256
f01574373683db987c65f95dec821bbb4193775615775338d27f0d39a1835640

SHA512
a110a0124b3d1c5ae686e82d61eb4bdc6559fbf7c7f30fc33f7ee9688cb4e0323906b4865ca7ce3a750be01d791bccb5f44be73328b3fa2d28ba7b7c2bab70b2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
dbd8b69f361d56aeab01a613f1ed1f5f

SHA1
ba1eb5e152ed2e97174f1e1e20f683ca5b57e692

SHA256
05cfdd1fea4357f7888ece55c911dab41a6be41c9423a26967c531048890111f

SHA512
483de3b28e2282c776ab95ff1b874f92e688c933861e443af0dab642e3d2ab1f359474a382f667251ff6e64213cfe23905decc69b57ace7c63f7635fcc3eb3b5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fccf8f660cede85ae2ad7eb9c759aa6a

SHA1
6e87e6670f29b80625cd7140d3d9ccdf751b1585

SHA256
703c935782ff0b3b98604bdc812afa0f5d061a25a8972c9f8ae9684d1ef50583

SHA512
d8c5a820426cc2ccda1ce91a441f23a51aeeac604eaeb8cf8884ce6c13013541e619e5a806ce84b2eb2c15412e71715a93dab2299bbbd31582ee58ec84470618

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
dc7f9d3653a2b3f8915d483ea741a93f

SHA1
720cb4d4647f54dcd1c1edd42d76812fa40467dc

SHA256
abfa012b106d7218ecb1cd937d31adc6234a816e50cc879665cedb56b701bf60

SHA512
bb4f484d2c523bd24ffdb080c18f2bf307c7aadf7a720bb395c5e649f3d05aa5f0afeb79eaaa01ebc3b0a35a973a07437ddbe8d5ed48cfbb5ba5cbb3351cc2bf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
919e3ab5f5c1a3f8b7681b0a095c0cb9

SHA1
91e9d39d8df3394f85b1ec6fa0b945606341eb13

SHA256
2f2ed51d7188213802c2cb1af49007b43901a94d3d3da1d8623cf44d05ca00e8

SHA512
b371f4e2a4c22daeebeb230b5c87cefee13bf811bce2b26deb05bba0184a55e1633e3a74786e3056dbeaba6b961b206814f48d14c1a4f267cd2d9735184bf782

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5b39be76f5f67b4be102c24c347b82fb

SHA1
f960e0a53b430a2684ec0d74dbf0b11aab645163

SHA256
a0a0e11b8f3c74055e2c5aea45e2dc202f0280c6b6751a1fca52831c8f4bf68b

SHA512
94467093f330967101b4122c83adbaa8d7af7f94d3b0522e22e71e42cac87e88d0735f11dd5b7b0419b051c85ec8a4db8e41f82da0a1b276c850df218ae79333

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7bf05eb2055e5c4b5821d2e65d4135fb

SHA1
3000a56f1d7103eed5edad1c7081f260591767fb

SHA256
5198b5cac5035ec17bb7805a210a1e9d741520dcb82fdc9782dc7bd16531f5ab

SHA512
61e71841fb9eacb200385fcb84a6db858fb10679e6cca35b1ccd5f99016e1b0967f777b850a1f71886402509e3a021128bbb793befcad8c2fa9a430ac6febcd3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b46ca127cacbcf40e9ee6eaeecbde6bb

SHA1
233c8766844df872cb64d795445bf32f45fcf3f9

SHA256
1f6451e3de48fddea2f8cb6cca12f1add41395b71b75f0044116dd5a34e700ed

SHA512
8e0000e947b7e9b47098e79c7747e7642bf2ad5295dae9e723825fdf2040118e8275ddd958218a582b9a1932a65d559e938725091e043b34b52f8a25a5eadf31

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e0b7a35e093f6c78a5761df7577b3b42

SHA1
570531c4479225818c63ec6bdd9e1d489f5f0887

SHA256
584040b01c0f095a4826c1de4fa17d0b38fa6bf13f62251d2f18ad10e5bf7959

SHA512
246b24d6bba675d57ebbd5b03236cea13fa8b09477bf8b656e76fd334808f46fc764e251b891c1e11a3d20048d14c0a839943f9693d8ae1147d8c9945cc52e28

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ee77a90ff03ac62d1a04add9e363a678

SHA1
863bc1f0440d2d7b6624a8fe58ef9f0dd0eb2536

SHA256
c48877d32e4c05f8fb29e5f258a2b64aa7c63f75a28c5a6f6f969ef129980754

SHA512
ce27a063d61be29ce7bc01233f09ec15d27dda2347d813a3398c3b4a03ed57becbb97de4af9e9c4b5e43232cd0c573979b77b71e3370e9e3a4471cbc69456858

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
94259f065307d95199de503c9d5292e0

SHA1
a76dfec70f3a17b311728ca51c71dcca91097ed4

SHA256
63b12ad4a4cb7261f935b2fc25d8366519cd470049ac893daee827ed434e186d

SHA512
7c975d4ed26fa9be19d5f6e2a64dd5a1d243ac84de6dcf2c5a607d54a421adc1b6a8cf3577d3eb4a7aedecbcf8dd45209205fe7b07808cb70683e13c04f31ca3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0a59b2304f72c2746597da231684f906

SHA1
ecb9d95a1859422e1d7cfc6cd9f5bea94bc5fc66

SHA256
9a8dffe5ed061fb0451e207cbb75c01d442bd4b6059058ca6cccd3c31243afad

SHA512
4007b4f875fd4b82c2060f5d700161e2585795a4ee96015e4e367fe2b7ae96c09b1b32153cbc8f5538eb047a6946431fadcf89ffe7e7342e1d5f349bcb6cb8c5

Download Submit
memory/452-338-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/688-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/756-348-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1328-46-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1328-52-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1328-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1328-667-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1476-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1580-350-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1612-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1612-99-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1612-89-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1660-356-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1660-752-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1896-342-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2404-72-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2404-66-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2404-460-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2404-98-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2740-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2740-627-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3268-40-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/3268-557-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3268-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3268-32-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/3476-62-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3476-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3476-75-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3476-56-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3520-337-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3992-355-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3992-751-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4140-12-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4140-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4140-18-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4140-541-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4212-542-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4212-753-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4304-339-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4308-344-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4524-340-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4532-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4532-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4532-746-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4532-97-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4616-345-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4624-349-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4976-117-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5092-9-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/5092-22-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/5092-0-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/5092-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5092-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5544-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5544-622-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5600-754-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5600-580-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6120-632-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6120-539-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download