3ba114ba534c457a5c99fa9b50014c8946a779b1468366b8d6046d4c5f8d6cb8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
Size

4.6MB
MD5

2fee48b9147885376a832ea376cfbc5e
SHA1

4b6b5188137421f6c5d4fb45405e685e8ad603e3
SHA256

3ba114ba534c457a5c99fa9b50014c8946a779b1468366b8d6046d4c5f8d6cb8
SHA512

d05b183d061ed0f2d17648445e9c36dcd38fb82eea6043a46a2b6cf5dca2bc4e54b24ebacad3b40d1c898bdbb471b35b867d378f05a77857004cec2f64a3b07a
SSDEEP

49152:8ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGk:W2D8siFIIm3Gob5iEwU7dG1yfpVBlH

Score

9^/10

spyware stealer

Malware Config

Signatures

Detects executables containing bas64 encoded gzip files 1 IoCs

resource	yara_rule
behavioral1/memory/3340-103-0x0000000140000000-0x000000014022B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Executes dropped EXE 26 IoCs

pid	Process
768	alg.exe
4744	DiagnosticsHub.StandardCollector.Service.exe
1040	fxssvc.exe
4092	elevation_service.exe
3340	elevation_service.exe
2248	maintenanceservice.exe
4412	msdtc.exe
2064	OSE.EXE
4300	PerceptionSimulationService.exe
2296	perfhost.exe
3016	locator.exe
636	SensorDataService.exe
4356	snmptrap.exe
228	spectrum.exe
1824	ssh-agent.exe
3304	TieringEngineService.exe
2100	AgentService.exe
4060	vds.exe
4296	vssvc.exe
2744	wbengine.exe
5172	WmiApSrv.exe
5316	SearchIndexer.exe
5596	chrmstp.exe
5856	chrmstp.exe
5968	chrmstp.exe
6064	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\23d287a3c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af41e7e551b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005da4e9e551b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ecbf0e551b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9331de751b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e7de2e551b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e2ef3e551b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d662ce651b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2400	chrome.exe
2400	chrome.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
2400	chrome.exe
2400	chrome.exe
2856	chrome.exe
2856	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1876	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
Token: SeTakeOwnershipPrivilege	4288	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
Token: SeAuditPrivilege	1040	fxssvc.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeRestorePrivilege	3304	TieringEngineService.exe
Token: SeManageVolumePrivilege	3304	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2100	AgentService.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeBackupPrivilege	4296	vssvc.exe
Token: SeRestorePrivilege	4296	vssvc.exe
Token: SeAuditPrivilege	4296	vssvc.exe
Token: SeBackupPrivilege	2744	wbengine.exe
Token: SeRestorePrivilege	2744	wbengine.exe
Token: SeSecurityPrivilege	2744	wbengine.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: 33	5316	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5316	SearchIndexer.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
5968	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 4288	1876	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe	82
PID 1876 wrote to memory of 4288	1876	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe	82
PID 1876 wrote to memory of 2400	1876	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe	83
PID 1876 wrote to memory of 2400	1876	2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe	83
PID 2400 wrote to memory of 4368	2400	chrome.exe	84
PID 2400 wrote to memory of 4368	2400	chrome.exe	84
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 632	2400	chrome.exe	92
PID 2400 wrote to memory of 992	2400	chrome.exe	93
PID 2400 wrote to memory of 992	2400	chrome.exe	93
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94
PID 2400 wrote to memory of 1236	2400	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_2fee48b9147885376a832ea376cfbc5e_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6493ab58,0x7ffb6493ab68,0x7ffb6493ab78
    3⤵
    PID:4368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:2
    3⤵
    PID:632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:8
    3⤵
    PID:992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:8
    3⤵
    PID:1236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:1
    3⤵
    PID:1872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:1
    3⤵
    PID:3096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3580 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:1
    3⤵
    PID:4292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4032 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:8
    3⤵
    PID:4060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:8
    3⤵
    PID:4440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:8
    3⤵
    PID:5196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1620 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:8
    3⤵
    PID:6080
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5596
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5856
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5968
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4300 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:8
    3⤵
    PID:5612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:8
    3⤵
    PID:5360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:8
    3⤵
    PID:5492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:8
    3⤵
    PID:5560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4876 --field-trial-handle=1908,i,5901188818237709604,8857970140516720719,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:768

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3920

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3340

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4412

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3016

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:636

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:228

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3992

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5172

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5316
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5988
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
42b1901a668ea882c64a77dd7823fb0c

SHA1
3ab838acf7202cf5ae38378934b5e26977d6131c

SHA256
2fde78a16ed7951bf3a711e9bfd646fdf31dc4f35524b9f82a8993f349867017

SHA512
20d6c696d208e703bf4f8189d28eee05381a86e43ba53c94bca3fd942dce00caa7fe3de86131e9dc0d87a7c02d6dd9c706dd973b7a240c5dce30eadb160181e9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
70609c10285a4f7350a3e2501f0d5bcd

SHA1
7ea3466fe1da75b7a5d4c1cea5c5383eddb5b62e

SHA256
96d78e3ca05ea625c65e0b426084364a9b909ba8feeca1849ba878f3252ed0d6

SHA512
f4896f6bf0fe2ee80982b5ad339a28c27173726b2959cbd69de330b43670f0956f3a2d60946b98ec167532dadeafeeb04cfd98ebc5fa299e649f47506cd93ddc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
b116c841d1ad01b7ca4424f2cdfe55cf

SHA1
4fd44616d5317e38edbbe8ca362791c7be79fe95

SHA256
1d5318879364fc4b3c3f95e7377858e74d367675bd6a650c31bde691ef4a70b0

SHA512
b8391ec4c92177ffa9229814b17f063ea613a4e7efe640b600d441e77f4ee1a94351a4ba08d3c4bd81c3d61a85c77237c6c3f18d7f24145e685d478dd4be22b1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dec85d1d3e773350dfffe1e9340b1268

SHA1
082f4b68df0d27bf5c9a167881ea1fc46512385b

SHA256
1b20a793ce54840f882a66903e837fbdb832eeb00105b062be33726987eb088b

SHA512
39ea2b5a4e41f089310fe7ca2950e1a75d14af545fe55a27d299d9eca6a094cc88a230b6c193847fb528ac71baaf87ccd41d0e0c9e552e4c44ba85f056eb264a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fc92f3f1aabbf4c22565f7ccc8a3b652

SHA1
7e74c20b3b902821fef9ad9bac053bce4908661e

SHA256
991073863fe013690a172cf0d3f3a921cbc7aad992901aa37920194aa25865f9

SHA512
65c4a022d7ee5cf168147434b94bd3ab6b88d8a3bbf720d7bc1a13b84fa25be1e0724f5cb54dfd95cf87e2660b801f50e142aba1733c5a9267981137f329990e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
0afc7d8afaa282ca74541711dc91dfae

SHA1
3b571b977427a10ee38e7a7cfd025094134f82ab

SHA256
39b74f3f9962fdf8e6dd269f0f2b66d26ad7231286a610db3bdfdfe744d9d40f

SHA512
59b797e1748983bbe976b7350e8276041991b4426751b8134436372e08983e259f96071652d57a651e2ebb497f3a113350d93b14d1490deafb8edb9d63d4f4ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
09c8d10d53eab3107d62eed249162617

SHA1
70bc3854c31e6099610a3a6e6f55cd090c9e3af6

SHA256
3f759ec630c8947bd0dfa5f9444b1d4ef9cfbef3c5b927c1aacc0d02029e491a

SHA512
7ca40bb7a6ee37ad549cb3219034903ce6550bfabc1312fdef017ade6e94a022ac44f6284aaac4cf9f1336e872f80ef45e03833dfa4f465a704ebd897e07ec39

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7cfa8aede17c30f36081062b256a2e42

SHA1
904d728e9fe8eea67f80b131d72995008c3fd9a6

SHA256
6529c4565f6701320f217b75d0d6f3e9f7e3fca6a91bd90f4c88171260a0d929

SHA512
4936aca1f3cfa1528d10c8cd1c2c18d56ae303b71cba31def2cebbbd02cccc6fcb75c44caa97bcf20acf5c82bdc7be20a3dda035ecae318ee2edcfecb331a886

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
dbd66034a443b30576147822c89535dc

SHA1
6c97daf5b52eeb6ff5535ab78962041e34d331f8

SHA256
4df9d5fd50c22a2d6637ac3638b6686cd130f044f0c172fd1af85b7e00d52209

SHA512
f4bc625cde7a6799270406bc511b29f286b53d95263a72e669a67407f355ad77cad66d8ccec9b607daac2123ebb73368332f0bf880d2273c65b9a319d5377637

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
44b2b186f160f83d295b0617c905117b

SHA1
1bc541919f1d0e120d242ece6431061383f592c8

SHA256
ba4e5c9cbcdd4b15ab868491daa4b294268f270360bbf37b4c5df93debf1fdf8

SHA512
e130dfcdef8f8e0075bb09d344c25b19afaa9ef4ec380832689c86325d62f66fae2af1abe27229f4e84371b4bb43d58445a8264bac7ad676c8ad527dbe483681

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5d5bd32caede19ff44654362293a63f0

SHA1
b99918de37d1b6ab8ab51741b0516afc7b10b9a1

SHA256
7c88290402fe925c7adc424a48319e4c90683a85677a3ce988cb9699b45e23af

SHA512
4036ac077a9dc6516004a8104750aa0f7ef838c7e27e225160ba7ab8d75b0deec8b386e08373f70ec5357b7b25cd201d066cf3ee92813a13d459b9ee3dc68fd7

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240608031341.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e5310bd87f842d0aa85cab8d83ff66aa

SHA1
1a10c0f4036406b9b68fe2eb9aedba0979eb4dea

SHA256
642e9ff519cea1725e4592ead3f2914d4cc15a7f7090e2caeeb08de7bf7fa93f

SHA512
82b2985c1fdd94389288983d86adc884c4d071bf9d290a0a4ccaec10739d127886bd7288d698583a8bab5ad4136ffe2705c11aa38d7159e8b802f16aa4240de1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
751b4c6e299107ce80550985b7c3b2ec

SHA1
5f929596586212f8bedab8d109f501dec6e9ba6f

SHA256
d4bd5055aaf0bbc8338fe5d2ebd442e543ae5d7e9d8f470748bed8caf5e749e7

SHA512
ce0badf2f826f5ff6c1538d417d3a6fa4bc7235d3cdb12358db6027e3d62a1813e46bdde2136adaafdddb395a5a88495fc2c88a00c65c34f152fce0f389e1e9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
811fcad3107b5fe65427e1b7ea7595ce

SHA1
924f2f905b306a1e6cdcf56b2dadcdc51a1658b2

SHA256
08ddcf49ccd54820525a517e45a97de7b505225cf3a9fa7429843032635dd235

SHA512
d0eb79c82c104b2b768be585357b6df77cee5930fa2a45c282d51e7fac11282c35b39e58245b4e63369b835a928c91b352e807e2de4bda6ac7a41eee9606c3fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
90b7dc90289b3100a5c0733f637f6d55

SHA1
0626ecc78af0ec1b0a53828d05a095df6ce0d44f

SHA256
daf118bbb1781cef33d1e333e600572650bf3f96cf7ce910589ab1db26409719

SHA512
0c696a5eea32cf3714e6ad823e32c7af3a4a3eb952238b4c371bd8ba46d3b5f938b72a44d51ddb361454f274284328ab33dcbbfc8ac0433e775f3326cbf801d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5780d8.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
698a4c579be9eabda071212e6add56b4

SHA1
593ddb6fc72bc6d9cef5057e3c6d5e36722cb400

SHA256
2003297f7416f85c748d33ed6344ecc68563161f2979e9f9c42056bbda8ff2eb

SHA512
25406048932ada4f87b179176639ea437d9757d8a02047ac3e64af1540b53108d12b2a4b156b7209d13724f60d8a28f26b3e4a1083fc7013f7a8e2f815fc4c2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
57e6073a1194cc35eb734b8d8212cac6

SHA1
61e39f73d3148ac4cb521585370ad3a9c81632c1

SHA256
08de34102ad071690259ed118f14cdd46dd13b6516e9ffefb29368aec5c172e3

SHA512
9ee56ad835d22239b9baa15a7134c85c09b4b04b2b61f3931751dbf4139fab8957c351f2fe406eae9adb948be80f23a70fc968f09010b52d2f5490e2b57be4ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
92d87ffe981cba705158c55f7624a10f

SHA1
a2fb4e13ea9db6049121af201d33b6c06db79524

SHA256
21087bd81456dd4dd685fcf72045ba8ee9800d42fe4dd85e6c641f4eaec994f0

SHA512
216a726e50e20f724125e95a65f007fd5f3b04418d6688e5e5b01060f7a27aaf1afa8159943f4571b335c550efbba12f99fe76689dac925a8977609db6753778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
c57afabddb044884d4d196e987e99381

SHA1
141b06c2a9debe1fa1ef93e70d665999f3d41691

SHA256
84a65323131aaf92abb37720640d6a34bea8075eb30c66c60c4cc8e3ee1656e9

SHA512
323bbb57f9a40d0b3ca486999d9b271800d5befb235935e1327e4ff4fd732caf6d8cedaa4d168f8f9cb137a168e8ac60c356acd3fad51d24c1496b1031fdf399

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
9f4fa12183f85916e9ca5242c05b9402

SHA1
1370fe80f65c0287aae06fbdead20704fe47f49e

SHA256
3c081f588273592dbd4ae3415dc73c5f0b58f88320bab895c8da5cfb4886f107

SHA512
8f5c625f1c12ee649fd29e49f51d622fde0de8bcdef1130c06d63d97c54d7b03c81c65bf1b725194b538a9785d70b6d075f4bca35abcb83598e2d93db7cc3830

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
b0e2362a96bc2af3691d33c5a114782c

SHA1
b18692c71f78070805c6bc472e7972165447760a

SHA256
4e0fee4d1d2a791cb0a6657ac4143ca2c51c87e56ebf031f28460caa28d7650b

SHA512
0f19852cce1a1be4f37e752cde7c6b97c168cb7fe7ba9033b85064c63025341255c66aeddf571ac36225bcaf476a1e0ceb2b3bccad96703dafbcc1f2586ecf9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f618.TMP

Filesize
88KB

MD5
3b598f2fbb79da0cc3ec018e0beb8184

SHA1
ced5dd5a1614536b1cb49e00894b6125914af76c

SHA256
659bc4a01ca9652cb7a9aa01386c516bdff937065cd01c97ae275f0be1ed5910

SHA512
e8d271cd7ae0e07cf0d326c95cf379d36e59ad3d083ecc5e16bac67dfde68f846faace72386833ba71934fbf919478489854c10987c65252dd12e87aa08a407a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
b9be66767cd0b3cffe1ea7f1b7d71e05

SHA1
d0d4828aed107ad76bd67eb623504af0d9b17d5f

SHA256
0a2c2abf97e0d311c8f29c76eac1ebd30bd2613dafaffa9acb3fb2e6f5fd86fb

SHA512
aeda82fa7de4adfd448e40e477476f9a35430687f1fd4c5e1f49218d30ed0f724adbe53edf0092a2e216a1e133b21558f8ac8bbc674b1c3a439ea85822692aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
ba2bc8810ed87651d407e296e231d186

SHA1
64bfeb65c28e517eb4d00b94259b3afc162f7b3b

SHA256
e0a0d28c95e470e49f94a27a610561c255cafcad3c12f9593c27c955e3689edf

SHA512
32d2e78c59105f375a318ce0eec53bad7fdfb2c0c2e98d7a932031c5d28018e648c1714539bb8b15b6cb4a0611d7ea0fc1417b50db9e29be9714d30371548c3d

Download Submit
C:\Users\Admin\AppData\Roaming\23d287a3c3136770.bin

Filesize
12KB

MD5
afdfd0f03dcf96958cd55919d25b26ed

SHA1
f301561e88fc2518cac41f80af9d34abe6523976

SHA256
bed1b72e19898d988602d04d92c1775ac73209935e37dad71fae284aca9752f4

SHA512
7a755973d2fba16f02c7459b9d4aa315bbbed96a6ba80628ecb2278f251cda5af1648ee5e5ac041c26d80f1046287413eaf79698a116042ae651da3c28732987

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
cd813f5643b595c389adf8885039ff3d

SHA1
4d541f8da629210298184e67d492e349ecda47cb

SHA256
b6fbce037d233770e2afe14ee860d88489f0ae416efba637cf799a1760425932

SHA512
629465880565b36448e5b41fb3ff191df91bfe3587ff60bcb5e6b36c9364a17c747ed0191f6bd2b85013755705d18dc986c860b0ba72d948f6999694c0a08fa2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a40d18e18a8bd881483eab9cfeffa791

SHA1
7087f1d24cfd99bb7becb1b058bd347d4c6d1f5a

SHA256
6e01f994a1f69824c02abeb8548fec4b19b02db89fcbfba0c2ac4517dce45969

SHA512
1bbfe53a3e723b20f9c383107120fda08b05e830ce6b2726ab6ce10717e811d2f3b5f3a34a8bb04a785eb44a404fbb392dbf5abc5fc3eabc90bab7a1963094f2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
2a10c7f078d14ae092d2179764d9cb8e

SHA1
e45f9051deb4cfd8ea26dc90c0a49508727ba36e

SHA256
b460b5e83e50b90523e375a88337fff05d7fcfa75f67b911b4e490b35cac04f3

SHA512
3d68570f27c0021e4321fc9d2f1e09c84e7dde1e0109fdcf47e6d3f00167af587f32e110aba893be8a150b61292de0abdf43d75be9789b26d41b48f3cdb39a60

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
56deed836a57522e40d0cba088b19123

SHA1
f3d6cf25e28dae6a2ec3309c9d8e78fd58e4c552

SHA256
c32dbf4089cb560caedf0ee2d3b07f6a16afc4a7e1841e0763dff5b209cf8f5f

SHA512
608d615e95117dd0d17554ccb2100374d64d560877d6a294a2862401f235eb31d3ae7d157e95c699bb0e93ac49b0aa6b8e10cdff11631518a0c0af51ae1d7ec5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
b83ac89427da5c1fd310aa389f226609

SHA1
cdcb27e6492ccc4f79c16dc4b795535b28293b26

SHA256
593f355695895f02eda74d46349989749903a0ddf8f2f349d5b13e4c29c84a91

SHA512
cc662508e902fe2885ee79c08d4f987a4d324a9d9733930def946c8e9b0cf73a198f0f4b0dcf6b4c920cc405652cddacb60b218d49344c46687186a53e44229b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
b737dc519a817a0431ebf8dcbe7f533a

SHA1
a1d03ef5b573167148c4d3594bddfb044dcb7b34

SHA256
9c0bd4b22d5bb3471ae2ebc3883f0d82a0ae6d67714c2cd64d5da4eb57c191f8

SHA512
9bec6cbc012ebc09f9fda9a82db7c5ce33c22ed994100f4c013d446e50eebed443ec5c636e6a1dc8d24490f3a7094d263f36732150792ff9183b8fc2c341a218

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
7c0c0c0fc8b42279403a788de4ed4bea

SHA1
2c529adf2f539322d16e7f08918b90d02766316e

SHA256
3ba8c57b2911f79117906029865d92701d80d82b9bf35f44beebb7715c8529dc

SHA512
f27e8a6fa403a6937697c6e227694ff3dc07d3c2cf7e380fc8c8e19504ed175e339db0664f1567f4473eb75a5fbb119b9efb5f63725291d7d431cc972a22711b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5e8540c542ddff52866f2bd805562ed5

SHA1
0e92281388b2eb2ee0f6af4fb33911d8cb0dbe5a

SHA256
c1b9827ffac26e0fac4f20605a5e394caa8d5532620579c46412deb95a477066

SHA512
f7b86661789432691e44631f5f9f0e5b9935e92ab3aa3d9b1e36084f767d89b606a3a74db04a4ce08338b89207472cf76ae815fcc52f61ceb533226fc52dfb71

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ccf9aaa5a1ea22fd2ad134bf9542876e

SHA1
7879bb9befc97e7b941e00492b6a36911a4b2f72

SHA256
58a1e92ad8fe1b854278b4a44f62e47568bc13e0c07dc765e9c9e706b7d334d8

SHA512
66db99184a41b368c587fe425943af13d37baf943d738e239e48a538b778fd6d307d3f1515d9bf34c6a94e262c1636f254187522b858c8c63f5eb769ec876545

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
01a018c1f8676c496afc0f0b95a4b0ce

SHA1
282d9e76cfc81dae7ef536713a4952a9b6cb8f8c

SHA256
bec3117ac02e7ee2cc5b4b00ed229f990844abd3039ada4d57c5fba94fdc47e4

SHA512
6ca5bfb2e0601ac31cd6d19219b44dc1af134ae834c6fc7f9f12b4927e41b56cf69619a9f2108466b3927debbd5385ff36a35b4a6b6d0d05314ca5f21acd828e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
d7b448861a82761cac474230580672eb

SHA1
449527901c924b39e1d5ef9fac599800a7f8d05b

SHA256
95447c5de11d989efdb1da60da0cb98a048946d388bed5421e0e2a7ceecd977d

SHA512
0be60ba0e5e6ce64a29dcb24bb16b2961385d62bcbc28287e49e2b13adf4912792a8ab58ea9fa5661845429c7d71bf13168bcc447e34436639c6d6f2d433fdee

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
42f64bd5506a0c7719afcce130302ba8

SHA1
87e9ba55d6ce2feb35bfa2b0f229b73adf4876f7

SHA256
7e2c05e3c25b6d246020ade732d20b9eb0e233ec739225eea691ed0a9981d072

SHA512
e6dcd8030c58e98dbda855c61333ad59cb15a83b5545d13f4aa85ef9116a5b1fabe18f562c22ea95d6000cc122af33e9c865b1ec6b2af7ac649b536022d315f4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
ef05cb1942f59dd9d0f7990aae1f2bc9

SHA1
2058394f21c2332fb86a7ecc5d15bcd6bb5b9bfb

SHA256
e400ba5e7ad500631904d3d8ff208d7ed2faf647e0b12d35997cb5d0316dfff8

SHA512
a3b21b3d92cadff110c3dfcceb9a410605732fbed8e6e457432fa33b8729c8f84d030ea4d6efd57a144c87c4a7e48d963d67f7d37596a36adadac2792eb9cdfe

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
28875fb27f4a61809e2a34f953673fa5

SHA1
713353ac19ed28babe5d7352f6fd437b5d222c78

SHA256
3ad40abab0fb1d39fab2eb97f34be29db7ce130de2cebfe9e001b910da778583

SHA512
26252b7e0675e9b9a8d2e6c334c11b339b04c8c16f0ec52e7f94ecb506d8d878c6c1650dc0c8327ba24d94fd354b8d3c00d11f1fc5d2762ce8b572f033b2e953

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
aea9bd7725177667eb54b034c8fdb470

SHA1
688cd9ed1d7c00944b6382812c414bf96d2b82ae

SHA256
11e06fa9c8370f2208f7a3b741326639e2cea4a81705ace3caac7dda5ad37edb

SHA512
e6798f475f3009b57d8b529f68264db54d29fbd24e1fe068aa9a10acd46e206a9d703525e3aadba6dbad6173055ec19ce27756cee6056c6c7dbdf8cfaa00cfbc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f69c7113248b896db58fce48619ed5ab

SHA1
0747f5c70b7538ba366a988f8e9dffb091e76612

SHA256
cfe62eaec4eacb7ab03e40d2173848c276d570de6dcd77afc05b962fe20a8ee1

SHA512
fb11b0effa09c6a60e3d924e09fca5469885b5aad152d303aaf8f1610e0c42618548b47ed3550d6d4e6cf665f53a947e2e0044bc621698dfe5d679c9d5f79c90

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
3b2f66d8f08f6705ee2a275a80faf64e

SHA1
2a1f39020536127fd0faf23d4e85460660882937

SHA256
87dae242cb1997093c3fd5c6e71cdbc86cd784bf6bc80339305d64ee45e23b0b

SHA512
8c7e79dad67614d9b1b8971fcd83ec13c0b5ebc79e7f5e39dad75485223afc86371792773c2d9640adaffc763d880f216ae423ce041563903cc09e29752d6e7d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8a5134e59bdaa6a405e773a5fa7e8cfc

SHA1
ce4fd225fc1cdfe7936dd24e4b147de205398403

SHA256
12c4e2a6f44c2d0997f8e9cf2602abe827a08cda5f1cb625f4343f902d9881c4

SHA512
a4efc7e1ae2443c0e525aba53438c81dae021b5b8f31e80d27a3e1b701fd8064f1f806d7acdde62530237c3b5ac5ee0aecb15f70e4fdad43a107dbd600185096

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
425ad21c6d5bcc8405c3404a9fd4f42d

SHA1
1fc4933780ae970f9ec41ac86467d3d531087895

SHA256
3edd467300d2db073086c769aea0b7f063883eb0a055ea427fae734b0ed9c882

SHA512
2b3e207cb48365d8befbe74b427178ff11123d0e0fd7e57ab8df356aaa30924772ee01a2b6e1312d18142e72bbdc63057dee69cc9ee2c2611109338aad71ed91

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
ca6c6493766e99e748e73cd0e48b349a

SHA1
ba0a6c312aabaffeeca60ee0427d7ff1eb5abb1c

SHA256
c3cfadfd8be80104a8dcb008b7b2948c72180301ed5fe1bc2fdda7d19ccf4ad2

SHA512
b0ce0c5ae1c366870b66280793f8f5a1025f515e94abdbf9c941888fc45751d988575c8fd442205ae31bce851d181235f7d917affadfd02c39c1a3f8395c4aa4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
5e12d30a2810873d66d67377f65bfbc2

SHA1
62c1549896f580fdde40d60510f76a9a763ee880

SHA256
7dc9e80a830c81792cf3497a452f93a9cb21032e505498f63e5b46daae6218a1

SHA512
61043a8704050ad46ecfe82b48e794d0feea4aab4e19e12df6fb16e1d313792ad375d02633ed8f1f0f8c3644a15d64635aa3d7c86ed4579036245f6408a99a7c

Download Submit
memory/228-221-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/228-532-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/636-637-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/636-215-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/768-178-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/768-29-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/768-37-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/768-26-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1040-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1040-58-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1040-79-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1040-64-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1040-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1824-551-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1824-245-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1876-0-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1876-24-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1876-10-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1876-6-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/2064-301-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2064-154-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2100-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2100-274-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2248-112-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/2248-122-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2248-126-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2296-179-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2744-321-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2744-654-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3016-192-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3304-262-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3304-566-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3340-103-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3340-101-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3340-95-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3340-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4060-298-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4060-648-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4092-142-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4092-69-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4092-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4092-75-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4288-11-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4288-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4288-17-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4288-129-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4296-651-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4296-310-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4300-168-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4356-216-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4356-519-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4412-130-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4412-297-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4744-44-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4744-53-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4744-52-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5172-332-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5172-655-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5316-722-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5316-344-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5596-529-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5596-607-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5856-541-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5856-741-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5968-599-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5968-557-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6064-746-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6064-570-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download