44f54d39ccccf4aa58b558b7e86814f549d8707964f90cfb4eaee74f61312375

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
Size

4.6MB
MD5

2e779ee967c707fe6a5b47a0703ce84d
SHA1

fad680cf2838f22016a61309ae665abc3d7b2f53
SHA256

44f54d39ccccf4aa58b558b7e86814f549d8707964f90cfb4eaee74f61312375
SHA512

323b77b201fb791b1bbaf9408457443a23126e0e91dcfae0c7c8baeb21d0194e360c4a7e6d6a9b95ee4e11f3d2c9c7a33c8407fbb6c16ecbc55bec68a0615038
SSDEEP

49152:TndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGb:r2D8siFIIm3Gob5iE78

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2820	alg.exe
2368	DiagnosticsHub.StandardCollector.Service.exe
944	fxssvc.exe
5116	elevation_service.exe
4340	elevation_service.exe
740	maintenanceservice.exe
516	msdtc.exe
4604	OSE.EXE
2348	PerceptionSimulationService.exe
3480	perfhost.exe
3248	locator.exe
2036	SensorDataService.exe
3456	snmptrap.exe
3676	spectrum.exe
900	ssh-agent.exe
1912	TieringEngineService.exe
1356	AgentService.exe
4244	vds.exe
312	vssvc.exe
1752	wbengine.exe
1756	WmiApSrv.exe
2884	SearchIndexer.exe
5608	chrmstp.exe
5856	chrmstp.exe
5964	chrmstp.exe
6036	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\64d27e0992be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8c5471671b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0d7421771b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f000c1771b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000783f001671b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4416	chrome.exe
4416	chrome.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
2444	chrome.exe
2444	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
640	Process not Found
640	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4328	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
Token: SeTakeOwnershipPrivilege	3424	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
Token: SeAuditPrivilege	944	fxssvc.exe
Token: SeRestorePrivilege	1912	TieringEngineService.exe
Token: SeManageVolumePrivilege	1912	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1356	AgentService.exe
Token: SeBackupPrivilege	312	vssvc.exe
Token: SeRestorePrivilege	312	vssvc.exe
Token: SeAuditPrivilege	312	vssvc.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeBackupPrivilege	1752	wbengine.exe
Token: SeRestorePrivilege	1752	wbengine.exe
Token: SeSecurityPrivilege	1752	wbengine.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: 33	2884	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2884	SearchIndexer.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe
Token: SeShutdownPrivilege	4416	chrome.exe
Token: SeCreatePagefilePrivilege	4416	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
5964	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 3424	4328	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe	82
PID 4328 wrote to memory of 3424	4328	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe	82
PID 4328 wrote to memory of 4416	4328	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe	84
PID 4328 wrote to memory of 4416	4328	2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe	84
PID 4416 wrote to memory of 5064	4416	chrome.exe	85
PID 4416 wrote to memory of 5064	4416	chrome.exe	85
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1316	4416	chrome.exe	105
PID 4416 wrote to memory of 1652	4416	chrome.exe	106
PID 4416 wrote to memory of 1652	4416	chrome.exe	106
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107
PID 4416 wrote to memory of 432	4416	chrome.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\AppData\Local\Temp\2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-05_2e779ee967c707fe6a5b47a0703ce84d_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x2a0,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec2baab58,0x7ffec2baab68,0x7ffec2baab78
    3⤵
    PID:5064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1876,i,8211599593190372399,10029690137492255501,131072 /prefetch:2
    3⤵
    PID:1316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1876,i,8211599593190372399,10029690137492255501,131072 /prefetch:8
    3⤵
    PID:1652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1876,i,8211599593190372399,10029690137492255501,131072 /prefetch:8
    3⤵
    PID:432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1876,i,8211599593190372399,10029690137492255501,131072 /prefetch:1
    3⤵
    PID:1624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1876,i,8211599593190372399,10029690137492255501,131072 /prefetch:1
    3⤵
    PID:380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=1876,i,8211599593190372399,10029690137492255501,131072 /prefetch:1
    3⤵
    PID:1104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1876,i,8211599593190372399,10029690137492255501,131072 /prefetch:8
    3⤵
    PID:856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1876,i,8211599593190372399,10029690137492255501,131072 /prefetch:8
    3⤵
    PID:528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1876,i,8211599593190372399,10029690137492255501,131072 /prefetch:8
    3⤵
    PID:5384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3944 --field-trial-handle=1876,i,8211599593190372399,10029690137492255501,131072 /prefetch:8
    3⤵
    PID:5420
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5608
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a0,0x298,0x29c,0x294,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5856
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5964
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1876,i,8211599593190372399,10029690137492255501,131072 /prefetch:8
    3⤵
    PID:5616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1876,i,8211599593190372399,10029690137492255501,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2444

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2820

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2076

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4340

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:740

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:516

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3480

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3248

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2036

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3676

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4316

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2884
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6068
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e0f8900c37c05a25122c76ececf9add9

SHA1
acf52c7a06668789782866f6981a49aa41c1edd1

SHA256
b785c4c882ec54db814d850caf2343e6132783fe2c9ddf48266dc31d6c4fdbf7

SHA512
63b390a7d2e1e02e43fcced378ae176319f26d08c49ff97cee9130be658f5cfa461622bf38e2e6d1af557e7d861cf8eabfb9dd388854ad1394f1fb4bf5f763b2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
741a6cce7bf054f94912303bfb1295e6

SHA1
487a8fa9ba2aa1797ce3235b5df11d4d81067e27

SHA256
b73e6853c3f561988ab680e6ab4925a5280f3fb946e92993ecca04e6a54ed5dc

SHA512
e08d77857268c9443645b3c3fe8c63672b4702b83319bb4fcb67a6b872d46104d18d2c02b815e0e0245c661eb4d2b40eac3a0d1fc9f778675b45199fd22a8575

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
50975e8f8389f91489bba075eafa99f9

SHA1
998c704f1a906259ddcbc8e9f957c7517cdfd259

SHA256
b1ab16f88c1c8b42a73a74ff9ca964da1918442fb5fa9d220a5ee0f260ec3c06

SHA512
a6898cf59aacbf4ad2d1506797e60af40e35e3d30c83bdf38e2b202fe2e777eabf8b41f8972728d3dba3d6d767e37859a64a0f21fcfaccad27ff5a9a7415f9d9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
22b19612a2e0dc89b6b50102283d65e5

SHA1
a072bebb980b3d23bcdfbe7705f8ddf9accd45d6

SHA256
60eeaff648d1373eab00f39c21ad530790232e2394de6db21a125b75fd6753eb

SHA512
3ea4d05ca4daed7c3b3890a6addacd1ef3c1fde654d9bfcdaec351c3bf07acc6a13136a44e63f98c25aa2e4c8dbaf0f7c3d6781034bdc326a9cf7489f2a373a2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
55248465d327123cf1502208367985d9

SHA1
e48f13c8e61da8bd7634e249e09f966e4d9f07da

SHA256
35f6c906dc207ad89fb5160029487014ee245750f60d39a356ccf56c4f6adb98

SHA512
6f77c653088c81e143956920cbe74b5ceec3548e1704b9e3ad98e09536116e995d897357a6450acb1f042e9ec413d6b8a04285df478434cbe6a0fd0a92edbb49

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2104b9c93ea73444b31f770140e16188

SHA1
56b9958b2ea36d641139dad0d7e90f44077cd4a7

SHA256
74ff661bbfd77a8bd861d3adb11c389413d8f984d7a776c5db0b40be36f9360d

SHA512
2fdbefea42f1ea8b188baa17e0e77583af7b5eb6e16c17866aae2c794a9d4d0fa59deb5f0a35b672fd514df97b70aefdcab18da5a6c7724f15fca7cc27ff8275

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
eff2815091d3888c63b2ea96fa655f64

SHA1
1d4220e631b8ff30f55dd3cdad6d1de8cb739745

SHA256
d674dc136f3d6c93db283296d11a3b2c489e7c2a6437d635364d0c3867d8fda3

SHA512
3830472fded51817bb366410bab40b5801e50b2f5fb8b076ab8ee3771587c91f6526d32125fb00e366914b663e8f08ad203d7f063779a74e898af7fbee128dd5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2f769c379c44b7f0a39c6f49e20b2a85

SHA1
2edcc3b149380a38d8c9d9ecf6e2897f04d85096

SHA256
121ba4ecb27e261a443d61d4a6778c5064b80e58196ff5e176153f84c0870c3b

SHA512
438d6a64fc22b457e5a2fe06d7c60bd3077095b4bc66a7fbfd55136f33f860fdc5402aef6e6a96d9c11e50a2ae95a432984829ca769f26f5edb28294003da7df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
031f61c7b4736d1b7d297cb5b7e64f4e

SHA1
db508ce12fc94e8a44f9fd8212331bb6245eb4c3

SHA256
228a8391bb962d8edb0929d78be22b5b2e71cb46a374989a7cbecde8ccf3ee69

SHA512
d60661bb4262906545819f51323032cf854b3630cf5c20287bfebc33f2a82f1031b8a25a8cb406e160499318cd5008f4cc414033199ec68735e88b49dcafc43c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0d453218c0c249821012b66a8c0c350a

SHA1
b6f9d44dbed8876d3b955136130c89a6604c11bf

SHA256
e4ca6f8358bdf1bbd059956cc32c9a5ebaf362e0b5cfad210e33e12d11ebf421

SHA512
13994ba061b9dacdebe02b6894e74ee3891774b8064019da490890c7a5e6c0de4d0752afb6e6d297da57d913712680b1770a53ceecb0c0e6606247b9f653ac7b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
17315a590106cf452ab444ac4c7ba9ec

SHA1
2bf85a6fabac4687485be94660bd220870027b8e

SHA256
e99ffed5abb6fcaf1744f0acac31bf4fc3003f85286f49ee7c481ae467d0174a

SHA512
1bbd7e8bf9d0d0fa2beeb9e41a6017915c686f87148215b1dc0e6ff66c9975f371edbdd806c85274755e344fdf7640e2b865c0fb922ce74c9b5c774e744aa7e8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b8a55a12f7f4e3e3e9416f6e020df35d

SHA1
07eff6c81259979172858496942cc0684b1e406c

SHA256
1bd04c438b7179aa81e42a5401c8c676666e30224f7625cf177acc2786f45df9

SHA512
03b46d854372c11f019b269daab644a798af16455e108d5d5986f5606e9c1fd38727eb3ed9e563f75acd114ebf5c91b9d4979d2fc4198da38b4f2bf512a5be82

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ae7ce3b3aaf2cbf6e326af9614da4235

SHA1
154f331db844cf7aeb4e6d8b19617ae503c0664c

SHA256
f7dac1fd1e4dfaeace2a038140b08753e2c28ba645eea3c2d38f52ea073ef727

SHA512
6d302e5039cf059b79c43c85d3ad6235c543374664f1ee53a76de7569270b9b1ec47c6638fd096b8d9f56b7420bacba764983019e09888004119eb6bfe36126a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a8c6edb65e543a6ef51b745b9c3cb7ee

SHA1
92f1233f896cbc6a45eebabaf2eb7bbe34f0d07e

SHA256
6dff6fedacc0746ad23d7332840aa9bd215c9ff243c82676a6f2e503b5018c6c

SHA512
348e4e52d8ca1f538ddc558877cf76dce5bee80e86164bc4da874d4e6897ae36f09acb949e1ec3c8e8e2e2b6a2d74078ba81854e1c420776738395fd1f15e04a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
baf0dda6ce0104fd35040bcce00ecac7

SHA1
ffe02fbecc5e9977357750ef95b6247437ef9b6d

SHA256
2da626c30e7d2427cd38e03af3f7e10ae31013aea09f6f496a1e5c89a483e5a2

SHA512
98efd0509cb2c86c02401d823f31bef443c5ba91b0725100e4034e7828bf2043aebcff3a3a378c3a848d428dfa97d59684d523c1ce0102c415b27efeef3a4cc3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ad54241f979851ec51e227979a9fb9df

SHA1
bcd38e19b3520d393c734aad88d8047a10099dd0

SHA256
b7b45d74ddba57df0171b7815116ceb59e4bc2a4cfd2d0b87fb86d79eaf6dc7c

SHA512
792a206699b2e386ad4e70565497206bfdce52d1806a265414ea8dd07f802ec8ecb8eaca5e41abae54b2c63bd2a64c962297024385e72dac62550898dc0da290

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\aafed7bd-ba70-424c-8a8f-a92901b37122.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e398b161f6e10ba59963ab56602e33bf

SHA1
647a0f0351696bd28ddf7fb4ba6397ee35b6aa6d

SHA256
3b7c6b256478f14053eadcb9b7d336dd0b1211c316ea3f5d32e7eb4045f0a0b2

SHA512
92e144a3c411ec84ec5d8c213fbd2d429532d36498a0f2ff24caea3b4397f5a5d8f1c2a81aaa17d89721df6ef6b228ddf7944aafb23a050259b0262275f811b7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c7f2ca3f4c5c4fc6a236c0a807b64580

SHA1
f49d206cb08acecbdd1e45614df01905e933823c

SHA256
288a04d06dcb58ee2834f40e055b6b09b94bc7e4bf9cee74ba13b97f26f65e96

SHA512
7f9f840a88fd435b7260a4cee2ff9725a0e7b56646348b355a1ec63a248f3c4c3d32c506e29382f5c704dda377e1ebfee167ec13c76f568564dc7caf08ca3dc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6123155f7b8a202460ac1407e231fbf4

SHA1
13121f6000a380f6621bcb8dc7c83f9cd10ab626

SHA256
dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

SHA512
ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1584635a0230e0f1343fe3609c994e2d

SHA1
2bef220f217eae9087c1bf4e3cf228a428611cff

SHA256
399a7a27d44f95641e0b3637d69e960fbb94faf1a074d69e82b901d3dcc6aa36

SHA512
abf52dbb4f6e5386f003ba3ef9cf2b2a517640cb6f9c1a14546d74ec87ff2b48e291c8d4f3abde1a4fa4319ca412315652061d71b22d672b6e086e6c2e0fded9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6f05b7cfb829b5211b3f53032703a0b8

SHA1
4972922f791d3c279216006e4a7269c3847d0dcb

SHA256
e96e587595d6021411b6388272b1fa9c3e20c9479aaa880b968bb6a95e797533

SHA512
9dcb788744112b414addeeebcaf8535e5e5e8f3824f0b9629ead6afe22b2c749ae688d5854b67a14f0e77bb0b19a26e0dc5a58c8755a0f4fc871bfa3f0a464ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d2a8cca0b858a2e93262cff7142aa381

SHA1
b861c770221b5f8a7abb962b9142038aa67d9256

SHA256
e71a94b8efc42ae03af490c2dc2334044fe1e279c4e22eca8acbab94bb672f25

SHA512
eff09fceafd9a31fe7f91196209a89aba3740baf7be5b660811377da0a7bbe948ff4a5474ef7f1ce6617da5038a7d0ee5df8b7aa501674427e79e4e8488f7458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576f44.TMP

Filesize
2KB

MD5
80c9ece824708be3255fd46fed4fa84b

SHA1
6ab10396c88f4760224c2820d198207c54f01266

SHA256
1f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336

SHA512
c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
9363b9f46a9be38bf0869b607f5c2317

SHA1
d4d5bd9ba6480ca5aacf2ea4dcc48eb4e202e6e9

SHA256
69362fa3c18fec797a3a301c4dfb263b8992d2989f0dbc9201fbacb4f18ea76b

SHA512
6c28e045733b8ded4d80a87e6e233c5491edb6adf825dc94d194a1c9beaca6117bbd2b13af3e0a244af47916887ef53c867725aee92b6dc03a8257526ae83a69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
7b30a31709ff91a67567277da5013cbd

SHA1
ef42d7dec50a71ddde50c2e6f192ed9c3e44f1bb

SHA256
ffd20958d840ee0d72bfe48c28fb15cd759f4adceeebf74681be34c7bf0538a2

SHA512
803b44fe375dcb84267c2d8c698b31aaed22087ab965eeea54d4483d0fd5635fbcd4e06652005f628e3d05f110cc247d61b6c1b5dbe90df7379a91177ff6f206

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
c17af7303bbdef9f627b9399a02cbd5b

SHA1
9b67dfe9b5844009606e862dd19e77e2b77ac321

SHA256
3a7262c976d8d61646ce38a6006d60681c4b5bb7060ca5ecef4aeb1b4ef88446

SHA512
4555915c4735e4b7479c16c2cbad899782bce2f03bfe9d78cc1522f0f2cb020b13ca203a8216d0f8cfc17b44efc559e852467bfdd5e2a72b5b3a9c6bee65bb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
a00b80c97398f6d12fe09122983a6220

SHA1
49d926d4db1f3ddb3eea093e9272451c520d6d60

SHA256
7dfed84d4a877e8d43db02f55844d1229b5c89c03efcf4c47c480a672151db32

SHA512
2364f5a53d5a25d6c12602f7fe8686fcac16f6fb570fd1e84d68da4802c72814b899914f6c9950a11c7c3eea8813bc49e8e6d8cf97f5d0cd960b152d0207b207

Download Submit
C:\Users\Admin\AppData\Roaming\64d27e0992be0f3e.bin

Filesize
12KB

MD5
92f9c7d32267b326a5e26f56760786bc

SHA1
4472d2c18b8065081cac46378502aee8805dad7e

SHA256
608276c8fed6a7d2fbde21c8e67f24093e00c8887796ad99b0b1e88d4ddd9ad4

SHA512
d9accb4db742c763d522f3872323b0f20ac0870eec40366709918e37cccafa9c54bfa8caf9e11f38285b89a20830cf842a690998c91c1e287c07a24d578be98d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
76b688be488cf667773c92fe9a0e81aa

SHA1
ff1524c11c263d9a9da75b3c6bdbae997dd47816

SHA256
276d7f245d40bffcbc579ad299038a4f555f9e3527cb228ab32bb24466d229bd

SHA512
7308b3aa65dd74a4eb438daca52c4caad798a1398cd361f8cd7727ee8479fe472f61f00d9aef69d66e8904f89c6e170b2b0bde9b3dbbef735981dd38e869f148

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
09cdc7c6f3eb41b0ed9804c8d5c52f66

SHA1
8469a8460089236315ad7811d3195e7b77c529fb

SHA256
b4866372f1417e7bf6878ad969866ad77a05bba4b65c21f8c6efc6cb2621c6fb

SHA512
36728ef13bb5f08f9bf9cafff1cfe2dd8ddf92844c76984f0cbff33a964d6c2b3aedc3874c087e8f88bb6cffdad69b8cec1e6eb7abcb10e9d1106a6f10fb466d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8e55e9d3da6930b736296e0a75be6b81

SHA1
5e7b80571883376473198e4acf7f54844906ed54

SHA256
077bfb7115813f2377deff74136f8215b8a601e8dc8ea078f400a5def68ed7ae

SHA512
bd72b7acc2a752baa7d0eef9ec86bcc672400ddcfe559e6635a6f53a0ceae61fb8f96e895ddc13c15601c839cb6277972a1b1a0300eea2b2d723042bcb118757

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d090b826587235ad95a24350efcb0490

SHA1
1425991cd8dce13b9c1a69b3d4cd9415c0573c59

SHA256
9c7f31707bbe228422495283124f885500a69d059ecae79b2c676bd8471eb961

SHA512
39ebc840963c24b11b24b0086c29cd709b42855c2481ee66668995208b0019df9ff96b2e26f3758caa093d4e40da6f49eda20f71d6f1c0dc0989212ebcb68a07

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7ab33be9d80c25dd60249bd99f8f0ce0

SHA1
971b70c9d92e792386108bf01c2ae77a5d2ff590

SHA256
21fe81a1fddbe832a9477a7c884b8f2a7bdde1dff67433f63d350ea7f3b062e3

SHA512
fe4a5a92c21c0b4b19a967b5f53eb08210e3ce16b599c00a80f1bbee2b6628118e8f54e7fc8972ece35ed17b45cb2c2fca549657180ced6a58feb495787d7fc8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b4e532758f4dd36ac2233c1c674168f1

SHA1
5cd3397b3896f2a36baa123fd02e04dc848b5ac5

SHA256
b8cd62173cfadbbe77a7c3a4cae40fc00ece6901f499a1de9a457fe7880ff9d2

SHA512
2cce7881aee4c85162a3a0eb0c41481e8002f2125ec28bce2de1ca052b137dd44b8e8b26a60f7931c3903a5881f80c2bd2cd2980afabcc22e7756dc12945b546

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
048ab9304ea439f4e1541eb2f74bf084

SHA1
88398fbbedc6e018534ad78d9c6e6ea2e0beabf2

SHA256
fb0dbd5e608aab63d4ff41e229edf2073a8f9d19749f3cbfb95ad33dc38c691f

SHA512
f30041ea2463e17b4ce2142bda88f8317b3551d8b1da9a539c65b089c6f5806e99e2fd43fa494cbcc056708f6f7bbf88c2f72d8f4991af5bc5e4f531a66d01fe

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2f7da6a6c942a945be93416d21530a91

SHA1
ad730645e3e8dfd5db44a7c1b0130b8e1ccb5e6c

SHA256
f52cc1549e18a5141e9d699ac07ad3baf8e72ed8eebdd9bffe63e4c6902406e0

SHA512
e5461b69a13aba685b400badf9c65da956a14aa4e8f1f477b92873128d0c06072b1166d6cd4e159180a77832002b747d02ccee6f7b322b68c8934eeffc383ad7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
56930d64f2ca3c9f67fb4c2386656ac9

SHA1
288473c79725f2974f483b12bc0c919605fb9fa1

SHA256
8f272c7bf7ed59376853e4250dea940860fd9c59e865cab2ef1977f276a1708c

SHA512
4234c11e691b546100c2a23b95419b7b99653e49a2704234ea1340a9510f617775323d74f375bc8a705d28d2415fdb38fa37f7fc9bc8af53af7155bad2ca07d9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0f0d0f899ae799a1f051f5b9c350fa8c

SHA1
931eea958da30b70e34bb7ca7d9fc9aa98cf5296

SHA256
23550fa0e216f74696406c3652e58380c76d96c33d29868cdb696a30cc1b676e

SHA512
acd29e02ecff1f9203f81f37dbee34e2e86d511b0b2e9232850e718570ae3392957e9ba6a99b2a888203253fff9fbb5547bf7d6491c28b361c5abf5bf1ac4d0a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
a6cd1b5ad9209741e3829425a9fc5095

SHA1
ddfb397ef0fd710106e49670ded88afe53afd0eb

SHA256
d2a0e8b336feb2c6bb6183d96bac3dc449f819b5b1247dc216452b54e7d55db4

SHA512
83ae5a83e672a6c319682bbc182d6d5137f863c3ee44e954caf89067619b8f8a5b8f89e0e7aac5bd222faae4bf699c9b322d73c8197dba820b5c1fecc34bb11b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ae3301e903f516591496f0b54f3f284c

SHA1
e592baa2bd0eb394c38c27b42bcc0499b38a95c3

SHA256
b61735cfbeb3fdd96c9af2c8c9274703375a093f3fe5c6f8c7d74d96641080cc

SHA512
b7a9498fd25e83f8e90631c957c6d08dd83a239e45fb10916cc5c408069652bc16d396d0aa0b3277402f9e4ce624a86c8b082adaab80698a87e3bab4091c5a87

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
733a4ae290f8c2e1804ed5d6bd6a180a

SHA1
e07bacdeac8cab242d138a4e1a309d72081907d5

SHA256
e8d01f64685a0d00da9a57f0d6772866fe2efe978080a1bc4338346a5e217ea9

SHA512
1e1a2cf9000c8da489cc151f623c9503068cd5d1cc20a3bc778fe07c601057bdb48fdd25f4d374551e164e27bd78853fb902619cf774aaef0caae8ecfcf86ea4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
54d32caf0af71345d150bc7c1875ab08

SHA1
34ed040b2f3a1bf644bec45ba77d247e96be987f

SHA256
a999ec55aaea42ac08a1f2585f8021dfbda4a9a4df5ebe6da95705ae55c98449

SHA512
0589f674f5ce0c1962f7b3de937c8e9422c3895f51c3473dc5d5f35b63273f92a39a6e5e39e672e2a8e96156871ed869ccbd6f0fee339df2410fa7a9cb108da4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b9dd5ffa1059f417ed4aa1d07a540c4c

SHA1
74f93dbd87e1252f1ef1140f52318fabb07039a6

SHA256
192515bfc48023f38c20ead6630ef64e7ea58adb7710967fe0c3267e614c857e

SHA512
8f9ab5a3d40768ee716030ba65da651a0a12b2747624a618357fdf0e6c3d05b7fd1125c4f9f5fca3daa777f7ff1a9d5d3c653658257a6b5833a4fb1e5003c1df

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
56877f729cbde39f58d5352c995e87d9

SHA1
a05fc103bba7991375f48464160ab64ac1a7946c

SHA256
ca02b66c8af1291a65d060b09f1bae560d08535b9cbbf9ad9eaa7787f6c1c870

SHA512
40c3d7f04ee44db3e7070654bd4fc65ef0cc56a82921d6480b6516833f703af5009ce95e1869200058ae5d52150a7cb40acb37ce9b366bf1e2ae7b525c99e8bc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5d2028cf2efbc850855ce429f6824b45

SHA1
9ee76122c1ad1da6747382826526d6c0c0aebe0c

SHA256
2eea2347e27a97236d1dbfed93225fb353a3f125112d8f6167f0add3eb26c17c

SHA512
95afc4d3120fcca03a128fadacdebeb0372aaf795424c62373ef90d4db27da72807a1a616ca7bfee1f26c1dc65611965c0be83d80740e1056137f57b414f7fb0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9475ca7325e906e2c9ef2e703394d6ca

SHA1
29cf8a46ed5418cba05af706950984c859e3fefd

SHA256
a1f6a3f042a253968f5105e1d9e8f949097c1aa863542cd121c56dae5864f3ae

SHA512
3d54d78823514959a94b262b812fb396e68c7ebf65e47f834bea0fb735687537e8e3492f71a00de5257262016af653db2aaf74baaa68c4cf74b3c31156e0cd0e

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
f8da1e3912337378c0f722f616cf6aaf

SHA1
22482c3e69a3b76d24d4e88d30e345654afd0338

SHA256
342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b

SHA512
b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2bc1a057ec4dd8ce02b21a1d8b0912f9

SHA1
da383f45aaaf0c4499d540ff1f3f85a817de7bf5

SHA256
566a548086c6dd6c51307d3205cd13ff17b59bbdc52693cb5fd15f6fa6c70f03

SHA512
cf9cae778f3df0443bc031145b3398855355b3f8ffd49e50d7b59c3768cbc513cc8f9b916045a7de8fb1922cb8aa138bdbb730f6cb33ed4040b415c72186b42a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
07529186d374d04b13bf0252b256a72b

SHA1
e117e19fefc17ff196dc7501fd6e18262d864d46

SHA256
79d661196fc5e2612cce4812cec68b3202aae3f2458de85a2b1ec5ef6a6a43d5

SHA512
87b911436fc78f2744affe8f02b8f2169b95b92c80c6be53f6082ec04e0966377c5b1820cbaac13129afc0c3b6639c44fd651a0fe933e5ac93e621d62e62fa41

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ea279e69aaaf9bb58024d855f4280795

SHA1
4e667199804b9e8bf0422a69322396fa89b92512

SHA256
695c58d732e3c683980fb461e461120f9c57aa0821af05f751839d76241fd35a

SHA512
012fb194d6181f8b0538ca4423e8d219723d36378d779537f918d628ccd0fcb41b3567a27afac3abf4ebfcd9c63d74de79f4a9fc6c17d8ba80e252d85a3eda6f

Download Submit
memory/312-278-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/312-663-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/516-128-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/740-94-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/740-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/900-224-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/944-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/944-64-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/944-89-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/944-91-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/944-58-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1356-238-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1356-226-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1752-289-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1752-685-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1756-695-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1756-301-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1912-225-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2036-616-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2036-188-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2348-185-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2368-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2368-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2368-54-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2820-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2820-31-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2820-25-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2820-254-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2884-315-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2884-696-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3248-187-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3424-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3424-184-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3424-21-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3424-12-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3456-189-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3480-186-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3676-557-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3676-200-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4244-613-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4244-255-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4328-41-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4328-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4328-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4328-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4340-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4340-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4340-531-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4340-80-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4604-129-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5116-268-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5116-69-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/5116-75-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/5116-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5608-543-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5608-606-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5856-553-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5856-701-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5964-568-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5964-595-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6036-578-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6036-702-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download