43c3738e8d149bfe6fd4f6b5c7d61b278833de64745a1c5ad417e8313850e4fa

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 11:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
Size

4.6MB
MD5

9238341c12f2d276f59640da3b3e692c
SHA1

2776a05af4c39e6965c89d57816adf308f982609
SHA256

43c3738e8d149bfe6fd4f6b5c7d61b278833de64745a1c5ad417e8313850e4fa
SHA512

fe2a34db4a955350235b73cc1ddb76a554fb45a49ac04c566d394fc9489568461973fbb0512607da49f092575863603e0f7b16ace527cb897aa2e4fabab67da7
SSDEEP

49152:endPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGz:k2D8siFIIm3Gob5iEkQWdO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2052	alg.exe
1228	DiagnosticsHub.StandardCollector.Service.exe
4020	fxssvc.exe
4024	elevation_service.exe
2348	elevation_service.exe
444	maintenanceservice.exe
1452	msdtc.exe
1528	OSE.EXE
4384	PerceptionSimulationService.exe
4400	perfhost.exe
228	locator.exe
4152	SensorDataService.exe
4576	snmptrap.exe
3460	spectrum.exe
2824	ssh-agent.exe
2936	TieringEngineService.exe
2388	AgentService.exe
3220	vds.exe
4676	vssvc.exe
4188	wbengine.exe
5156	WmiApSrv.exe
5268	SearchIndexer.exe
2032	chrmstp.exe
5508	chrmstp.exe
5700	chrmstp.exe
5772	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\64bd240c8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaw.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008541c46f98b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a15397098b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9771c7098b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003df18b7698b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cf26c7698b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004164287098b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3688	chrome.exe
3688	chrome.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
4892	chrome.exe
4892	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	956	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
Token: SeTakeOwnershipPrivilege	4560	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
Token: SeAuditPrivilege	4020	fxssvc.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeRestorePrivilege	2936	TieringEngineService.exe
Token: SeManageVolumePrivilege	2936	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2388	AgentService.exe
Token: SeBackupPrivilege	4676	vssvc.exe
Token: SeRestorePrivilege	4676	vssvc.exe
Token: SeAuditPrivilege	4676	vssvc.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeBackupPrivilege	4188	wbengine.exe
Token: SeRestorePrivilege	4188	wbengine.exe
Token: SeSecurityPrivilege	4188	wbengine.exe
Token: 33	5268	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5268	SearchIndexer.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
5700	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 4560	956	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe	81
PID 956 wrote to memory of 4560	956	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe	81
PID 956 wrote to memory of 3688	956	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe	82
PID 956 wrote to memory of 3688	956	2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe	82
PID 3688 wrote to memory of 1456	3688	chrome.exe	83
PID 3688 wrote to memory of 1456	3688	chrome.exe	83
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 3176	3688	chrome.exe	90
PID 3688 wrote to memory of 1972	3688	chrome.exe	91
PID 3688 wrote to memory of 1972	3688	chrome.exe	91
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92
PID 3688 wrote to memory of 4052	3688	chrome.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_9238341c12f2d276f59640da3b3e692c_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd5e2dab58,0x7ffd5e2dab68,0x7ffd5e2dab78
    3⤵
    PID:1456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,9105226314031001250,13521155198222248754,131072 /prefetch:2
    3⤵
    PID:3176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1908,i,9105226314031001250,13521155198222248754,131072 /prefetch:8
    3⤵
    PID:1972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1908,i,9105226314031001250,13521155198222248754,131072 /prefetch:8
    3⤵
    PID:4052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1908,i,9105226314031001250,13521155198222248754,131072 /prefetch:1
    3⤵
    PID:4952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1908,i,9105226314031001250,13521155198222248754,131072 /prefetch:1
    3⤵
    PID:3520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1908,i,9105226314031001250,13521155198222248754,131072 /prefetch:1
    3⤵
    PID:2088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1908,i,9105226314031001250,13521155198222248754,131072 /prefetch:8
    3⤵
    PID:3436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1908,i,9105226314031001250,13521155198222248754,131072 /prefetch:8
    3⤵
    PID:1964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1908,i,9105226314031001250,13521155198222248754,131072 /prefetch:8
    3⤵
    PID:5640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1908,i,9105226314031001250,13521155198222248754,131072 /prefetch:8
    3⤵
    PID:5764
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:2032
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5508
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5700
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1908,i,9105226314031001250,13521155198222248754,131072 /prefetch:8
    3⤵
    PID:5252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1908,i,9105226314031001250,13521155198222248754,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4892

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2052

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4492

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2348

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:444

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1452

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4152

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3460

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5076

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5156

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5268
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6060
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
04410195af92da50b2294f3dcaa3503f

SHA1
67e289e3d99ac72cec28e8c45b048d6c98576e0d

SHA256
9110f50026afd6eaae3173cd06f3f14f79f79e78ebaf6f6363c7dff721df60c6

SHA512
36f3abf291fb3b0491710cd5411c87c11a9c124ab72762b7dfbbd0423e535b147e6035fb652aca66b498d0c652021bffcb7d9971e4575166bee927449464d274

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
6302c6ebfe1c736c0f6d627ee72426c9

SHA1
0b6601d1a699a086ee036af77f4100ef33c58137

SHA256
a16fcf7df81f037966fe01f1ed98f71dc7a0a0366e4f3b666f49cadada9e7b7e

SHA512
34334fccf30a9110aeb944ac12a4ef4495f82da560a28384b0a165c538b419b73564e15a598c76c2bd506e49f0eec391580aadab1ce2cea12eea76780f173f67

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
387b7d6b1b9884ac0a7491daa17a7ae7

SHA1
729ca112c9d88e106297002fdc32290e1f506881

SHA256
367c55b742f4249c5b1ce609243807baf7f7cf92f1cc7c5a9b4839e05355c7ea

SHA512
ec8ac2af0584feff0831b7c45769c317da11666b95e9ee718e35bad3e9acd8e8988a2aee27dcd337a1082526fde375eb9a5937826cf34a84030bd0e969c59efc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
eff93172c4c6574bbb97260afc92ab11

SHA1
030f277bc428845c94928ff6e0751022b71fa5d6

SHA256
cb8726c07c98c46b633d8392750867509a158739555ed20d4b036cbd74db8a2d

SHA512
807d7046235c22987080be04a28e1893f3a0fc5f05d769152103235bcf04875c875287e990d2791a6e57203d57b5ae9455d18d6a92241f82b118ac353b1490e1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8496ad94967f250ad499fffa6d5d2cab

SHA1
d2095640bb7aebeead2c90cd6ea64be4d29b086d

SHA256
ffba249119e21959aba84e12a72ed02a59353e94bdf56373e8d31eb280ae7421

SHA512
64b8973dfe82283fbfa529960eab4608b0fd7590b24c633409f4a58b4f6f19fca36fd331ab57f76e0c42af90562252ef868a2df200ec48445b7b164a127e9cf3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
9b4a71a32658c83f95a93d1a2fcca40e

SHA1
dc52be06d6c4b5d9a0eff446028683acd80c949d

SHA256
41717a4c7120407f41f7f9d98e210f40c2499bf3800fb8c05b16d8ce25b73060

SHA512
26c247e48c3556d82248a3a3eecfbc184d4d7883f48a6421398a0506b093fae608fc2d4b8b3b69a50bd02a947928fad1c85dea041a715290aa832a4db264ffbd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
27db5a4d77bdd46f56bb727659213383

SHA1
14ee6e6c96aeef215d950550e00169f759213407

SHA256
74347d2675a8cb50b72faa0029bec29a7535886821cae436ccd13a9b7adc511b

SHA512
c7c507bfb5bbfc72dec5c0c073f4b077119b1748529749fd82313bee289148631323d20a0fc9312dfb6d0121b5a41ce61cf151eb4ceacb2058c7319127983680

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f4db808ef69e3fdacc336e988367cbf5

SHA1
9d60c71e76685f30567b7bdcecdd238c239e8037

SHA256
8921df07baeb30b779538ac4ba981ea8f024f684e2f8cc42d077b1cb8edc49aa

SHA512
5c1937495e69df071b4137a6937ffb97312d8bf6a0d44109b190e5ce0c695743e1b15d7829c4ac5b84042b0bbc46cee241859990fc54878559b716abd8f896f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
b04ae6784236529a40a905bcb62cf43e

SHA1
d83b020bf0390084459a7ff147811feec81e5ba5

SHA256
595264ea14979c8b792010b2f4ee2483903256df4cc7ce50f0fe71c9c000b0d4

SHA512
8b2e056dfb174ef4bbf6a330129f31ca065e019ad2ed4ee969cfc93f9b3471592d7853a809c961c680e6183c7f4be52ab1ec269a1ac5ded03ba2140a727d404c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
103bb485c43b8058152744a67e0fe4db

SHA1
b9aea02dbd9fbd4f7d18eb4c6558b755acd1d252

SHA256
0bfb0879a6eb72369c839b871319cdf1b842b180c0cb3a33596ab3e23c4e0270

SHA512
201a247bc7d3adb2772c8b6ae1779bde9bf9b3a40ef2e468b10a338dff41c68b90e58b078589b1f672196766b6b9bc619dd448e132f219d05ccb693de1f88456

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1f569d9d426c7b58b6ce3180f5d7e373

SHA1
c11ead4b8c257f53d75dbfd99bf9d301fdc91cb8

SHA256
13ca6b065d9412f2325ab4db75dc08c8129c2e0da99dd48edd8af37222cc1b55

SHA512
30c5703607e374832b300d18ba5c2a5c1eba8af3eaf7c4d770f68d1b0eb0e1af88af108371bb8a43f556b7e2f8f5606489320d705c421f92964cad062a1d04df

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1a753aa4d9655fff705f8afbb588fbee

SHA1
4b55c10897404d447dac782708969eb1a4560af3

SHA256
4fe2846712943936600206b02827a87a0739c523ba74a2085a42607fd8d38f04

SHA512
09491a5d9835410c6c4e6e99433d22958b8339ff9e87bb031b94dccda11b0f0aed195c96ae00d90b00e4b1ef069e7b0e86331d328ab6b3fc00451d126da89fa9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
6011aa1e66f3d254c401881536ea7c4f

SHA1
48080dfb99e317b210d7eb550dcab500b788d644

SHA256
a14dd481757d95ded60852999b81f4dfeaf1b9f2be82ff67c4e4f86c9accddb6

SHA512
d6a6b135cc9840a5ec2f5f51877836ab5c970fbbf80a19627cc47924471f3e902738dcc3b35de298728ac7b42a33384477c6e7ee97b152d3e3a612d6b2a72fb7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
5061fb6bafe1fec3ab25632a3bbb3bca

SHA1
3f7328bdb68a5fafeea729cb2532ee8a1d0bebf4

SHA256
10c160be3a769b69c340e5e12a43dda3884e32c95ac3d92e44f9caff22df06e7

SHA512
bbe4565d72cfed1c28ad09ea4a98e68feab48b9282f6f2978efccbde45c87f369e2764883c82e24d68674560453c797d97de5fca8ff7e87ae4d9477581977937

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b72ffc1ee11f415b616a4ed03e62df99

SHA1
f986581f926ec7e8af7c4115873c5206c376ddc9

SHA256
e9eac3c784ea9ad7a808152c60fbfbe082bb6fede27a9a77a839b5f7d7a19298

SHA512
6366204f32fcc908cab23504f9db3e744ef7417d723e03ff5aafc06f4d1bc2535de1d87edcf76516a74b3c28357e7fc875feb46520183347c0f5bd7cc98ac3f9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b286b60d0fb6bfc3070ff5ac4352dc46

SHA1
95e3643a18df64878437bc217e3a886713cc060a

SHA256
b9b8cc0b259b4b868c334b4aca6df259516fbe9a6f6348dd8844eea386625738

SHA512
d74ac7dcf121e8f03efab4aea40727b0290d04eadcc250a9e94266733f58b7fa6420a134311ccd78483134f48763b79e6b6f46547b739fc2c9cbf2abf070e744

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\3b40c9fc-9f2b-4c9e-9ba5-08a51fbbf724.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
284e589c203befd261afd8b7e18584f9

SHA1
46649b9ce5e88d1db0bf875d7b2d9483b6ae70f5

SHA256
3091b640df091f18a97ecc62bd3cd107194484997465b70cedfe22eec904f075

SHA512
e033c3ce99e8bac5ea0f1ed31280e8330f428c26cc42882e673388aa3adc85868d5500c0df9ce364427c3fe74445045756aca8e84a37cda92b1fbc43b9a89659

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
f1cb6eb85615264698cd313da19fae86

SHA1
55581e411623719737c11a0b5260f6ef73443ec0

SHA256
6252472607555b34f96870c1185db68c66c59e715864c19ccfdca3ae835a9684

SHA512
071e7a33238aa6cd4002ce6088b7de8eeb32861056e46a3a45edc819af9992b2d784432553db08c799b71cee591ef86031f73d497735a8259145ce09b07a2d76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
90b8e3c077c7289cf4b7078243e26f76

SHA1
c8e3387c59c20fcff770b846e972a52f7f93591c

SHA256
001c51870a28710313d50d9037f261881517a384d3e502d9112b04ea2e8538a1

SHA512
4461003ce00d03608509d7ab645b933ec95c398623a1d8c6440c8a5b069d32e73aff391a1d3954511dfca7da698c0820970017b66629e3647800e5cc3920f1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
81d1aa96bbc46962856b732a63aab796

SHA1
7a2f8ed1184f07f807e0c6115c46f54ec2b82e28

SHA256
5ac05b03381050166b9d55b774a04ec92ae003a1097ec0c4058f7af0968e73bc

SHA512
35874eb522cbd5380f0b768fb81fa795ad35ff2f497265cfafadd0cf7577baf95550e06c3c277deb796c3d3ce67c756c1d8b7ec2ef07e4eb921690c400cfe300

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
5cd5621aeca2e1a407e3784260b013f7

SHA1
b2e89d053ab392fb52a985faac313b42d82dee8c

SHA256
26cd727dc6b8c981c0035a255105f272343ee141cd3e2cd5165b5b230a787019

SHA512
5814e4df546fcd632a9b5ae70c30b9134a5ccf193a2bb6d2f69793227a61238572451c2e29e9634084daea26f98841a82a441cc4c7912b78c281179d4be3e013

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4ce337bb939974d11cec02e1a07fff17

SHA1
424e790de5c9792b5a814a764055cec753701115

SHA256
900933b3c21adf93da8bcdc29eaa3ce43e5a8bc621e556308d970a41e3e13e1e

SHA512
53a85d1c379e8b8766767b3711523edee927bc25ad75d84624292b2d22ef07e3dfb1fbaf8c58bb78a014eefbb1ee4a13b948c2f41a16c57f838a8875f1ca0fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575fc3.TMP

Filesize
2KB

MD5
2439032641f0c53dcd64320bfa02af0a

SHA1
a1820031d22a713be8ff0a020783b7bc72860ae1

SHA256
13f018fd7e8d456a16ab52c9430b449ed2f126386dc10abb8d01ff752f92db72

SHA512
d9e02ab626313b138f721b369d987f45e68682f6cf2d76138195cedc75cea2237cf36677173a82672bf54ae9fe480b54f42c76af18e8e4c6cad76da85bc178d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
e754696d12987262b8d97e674fb247bc

SHA1
1c81cc81a80a0b8b5038ac9c998351261e2d8970

SHA256
a565de011b07fb76263a4dda08811d1b5bb7d744e003214c55cd70e2929f0dff

SHA512
0b74bb8e094b44a0462ceaded0ab8769180dd609eccd310926eae99e9d1e3926e8d3b276c9cc4384b90135dce852f2015df170c520464860ca2a01dde9266dce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
a5537bd35fb5237012aa2336445c6027

SHA1
e9ef610437c87847a1fd823ff93e5990b70df1f4

SHA256
73a5bbcd0b92cdc73f8e1e72363daf2d94feaec3f56ff0fde29297e7e569b94d

SHA512
08011984674557936c06015083ac3b71d07547eae6a9abed57e3cbd18b0aa364eda83e6a68d2437e353e734053ee02004ec141cd6dd692df81ecf8a51aa41d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
04a59b002bf69e02ab63ab2a74322c41

SHA1
e28462f9a3aec21630835b70ffdb1f182113d90f

SHA256
3429a7138d6e8fe9bd233ac202a3d21b363596d4f898e416453cefc7ddfb826a

SHA512
95ffe616847ebf8407ec68522944e32561d7451179138dab5aae07b67e043fbe5733bd7ae01cd9435e20fdfd2a9e0c154487b940d8922872554e1cf3ca76fac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
e1e542efef4a2967888f058027d16e24

SHA1
d948712edb7acb4e4e375a5cd6bd048fcb46c1a7

SHA256
7afb4e233b90a1e16938541d0ad0366369b2da845dd8897540ae37562c037242

SHA512
87e92f37b2dd7f5b36275bc0dd8c77c3c4ef7a62a9a7ee6fed7f8d422b0ef1bbb9e1319f9c60d826067b9e669eceebad6bc0ba6d8595bb1558d084c46f282bd6

Download Submit
C:\Users\Admin\AppData\Roaming\64bd240c8beeeac9.bin

Filesize
12KB

MD5
df267369c8f54b9194d37147f037e917

SHA1
4a8862054e54b623cda30111336ce93e6e6641f9

SHA256
f8ac8fadf5c5a20912d49268a47dfb66e3d1ce6435e3aabe1a83cf3b466ad990

SHA512
7c56c49550c7e162757c863d84873ac5bd7a53c3c107476a701e13f3af0784e762d5cc222f7a68565c5d210349ab27088675d997ca591c978d0ce8a5695bd562

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
85e4706e6d01a166816451f8faf58476

SHA1
f733c4cf03df1dd21de5dd7c1403ac4d58dcac25

SHA256
23716ab6dbe15588bf0c15b3944947f7f365de167586571c0f4be017a1803920

SHA512
162429f5fba8f54d6346ca93822ed6d4c634e18f0e8fa80767059c1a7efafec988dcc6cdc0a8ff50fc15c0644a38bff9b0a240ba3fbf9b38ae90b93412e2dd17

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
325e16eadc712f839a9d795e8c7bfb94

SHA1
92d4e262de62881645cc0f70667470c75586612c

SHA256
cd2c413560f20178a49db2c35348e1ccf476cb4027a546c792b51f72706f530f

SHA512
6d8b8bb3d07009d85ca2e941fd776c4b7616c7da5b365d9a70646c82c45017aa9d09eded4631e43fde52f5ab60cd8dfad0666c8fca119f54b0af4647548771f9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
3cfa35b4e3573cf4df1f56249a23fa41

SHA1
a51ef4970435b6bf21ef18887129499d29dee070

SHA256
b4d679a6f08d6b1287fcc279cca1c6c1f5ad50b000fb84397714ba4d09a35df7

SHA512
e88f77f462ade4eaad68a0694eafe50c1e57efe02d8a328c220bc95ea25c9c130db7295c2c23cb34c39e59ba775e03cec4acbddb4cc940d9e025928d49b10066

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8fcd8e0a137de10cc1d4af51ab8c476f

SHA1
7a56d492b929b40eb04ea3e00881d8096362cd48

SHA256
db787d536c802c5ee130c53003e2e8334f6872cb72ab88eb12943944db776e09

SHA512
add426fd0bf82dfc1e92da2837c5a1f96f44493918427b9afbff9c5052124e0ac84e73911d90eee3d9d954c03fe3ddbd49919688eaf36a8e55419fdb59bc879d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
67f91c8feb3996df1d7c320293d65114

SHA1
1b0cd2bec5527723798cd341121777fb2561308b

SHA256
8bdbaf88a5ffd8da58049f0428ac26552badd0edb8eaacb74c8e89c22d4eed81

SHA512
4c0cae09850b9ac86f24fe8d273514ac435d6396eec725fb730fbdebc1ecb07ae8559e1e4a43d2b73ffa8e448c773b3f68452e3271abd6526d0373ade89629e7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
a627b2b7683d0897f72fb9cebfcd3dcb

SHA1
a97d44231d5561db7448c73fc6de15d19b0fc338

SHA256
916ee87b44b53f61963b31bcf46869fbdcdd6e2ef7b2ed2e9704f49c677f74cc

SHA512
0a6ae00841c63b53b1c5b194b12adf39e7a9177789b5c56e7bbec9e252ef7f39e101cdc2847f769ded254ebe745cc31bd9dfa95d7fbee771ea514246df4b801d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
20e839209b9e0511d9a0d9f86ccdbd62

SHA1
22a2bcdbd571e4364a070ae79c3733fbfc87cf2d

SHA256
d5d159f373157c17cc220681cdfdbe179286a7dda6ca5f85afd760883968bfa9

SHA512
de288d29f1e2c7ab624c81aa2cb69ea419b50bcb3038f2b03977c8aa53af95ac60ea873195e43d2d414f6bec91183b04ac252590d983052639efcd6b36634daf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ef0c15bea050a6962a327b2f7b56493d

SHA1
3e85fcb360edff1c1d2916fa49696f38e253118d

SHA256
b149cf5dcc57b786ce88cdd149c50ef9cb17c02d21edec21b58893b4e784a710

SHA512
dbbff50ce90b55e83b69b3fdf82e2fa2c8cd0b71121995e96e7a1ba6510f558af0dc38454224b84dd1f84ba8b26ee73d03956c60fd8292a14f9441fcafc13d41

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e0f85a1ca36dd07e03fd0fc692f58a2e

SHA1
9b4c8d415e3285209641206741f8ca06ecbc0f33

SHA256
70ce38e3d968e051f9f60285df6689b2e90f5e593e85b8c251a3d8816181c740

SHA512
98c7358c7887315f709883d152863a5f6594621a398c17827ad6849dca5ce640eca59dec35682333e44f463def82577cad7184cd84167f95e941d35c09d7318f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cbbafefcfeb8e93ef1cfa606769b6f43

SHA1
d6e8dfc17cc64c861f0105d8582227fb1acf5728

SHA256
ae9707ef0b327fab13ecd007929c0fd7653dcfe3f8cb2dc36589aee979d3cb3e

SHA512
fe642d08ab8090501d8e5408aa6621ca0ad7bad9f5099f31d98065ad0797b6f34b144b52356825ab84c1dcc0987baa93a8f33b25ffa0baf40fea38952fc081eb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
19abf0de4a9a67913de758f81c82cf06

SHA1
619201594d28a48351bdc97baeb28218543d3315

SHA256
1ca4fca2de2aa53c0faf37f031f589c150db79cd9eb7baa7c8d58451df9c5a3a

SHA512
9b87be784053a09e9a0a601601ef8ead8e92756aa655721d18a1c975eb00d1339baa2acf5c18fa1d4c56fb4aa2bf90f92ff680573bd9fd1d486171fda6fbd299

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b08fb63c30fbb8e7a8a40da14ce17172

SHA1
5590d04092ee0f4eed290da91b3c98eb090832e6

SHA256
7d12bfdd77ce196a23a1de7ff4aa325f49aef435e25d095580860199224d044e

SHA512
d1fbd7ec7d191fb0aab56e2a94061f7e59c35afae9f70719711ac740e52577ce60765bb68209a24e90fa98b430a2626c598dfc8924f6cbefbe91c334434694c9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
0da0bdabc5e54ff853ca17aa785c4ebc

SHA1
7b3bbc1fee0197800641211e6218b6715dc21155

SHA256
c32b2f3f6ba644c4585dedbe8dd53794e54d0e5ae44f24f496ada9ab7319a611

SHA512
c640bc3d3ec4caf0c199c15541786575464ed75a90d1d430e5caa11b4accda13f204f1f065a756c32472bbb6ac83ecfbfacf9237812bedba13a0060e66a49fd8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
9b154941428813213a667aef7371b454

SHA1
d9da33f2c671c81d95ef7e3e8e3b5552cca9a88b

SHA256
305d767f9a0e4489fb2bd75504667ac9e46b67d46edb2294a95219717525327c

SHA512
ddb5f831bbe13c904b8bfd4f05938cdb5b581ad5225da803eba80737a93d57275e4a6998e20dd141df72cb15e70defaed56d09cb70551996c75a0d2aef360bd6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
5eeeff15102b55187c7ffb3d63b635de

SHA1
2ebd78840b275f5fa38c4fdfb11e691535400a57

SHA256
edbc9eda1a7bfd3ca87a76600357eded8afa8036e8e8e24c69aa719561c25600

SHA512
2c1ca89009c2927297d987f992d55f6e3935465ac1d0d16ccd6c6818bb27a6491704488034e0577f47665a4aeefbe001844db91c85a4d86405db8bb332b86efc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
efeba086c832bfe73ac96a19c6aa0410

SHA1
f0232e0b69e3391213cdc92f7d9ed4fbbbc7b1e1

SHA256
772953c4862a9c272597532752fd99e40a4a1b4a5b1a75718be57105bfcdad6b

SHA512
aab0f454eb1ca560145010b8bb77855d3211c62a6363dc44ca598cbfc7a49bb2ca03b51a7c2a8ea467113e5d44c863590adb58f41d996f8bce3640d105c57c7a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
fbf2132fbc9156880903bb674fb4857b

SHA1
9cf89b6f7614387f343a4646ca69087c1cee3605

SHA256
2576c04f5510b0d48d161fecbfac324b7a362c6ffba1564ec69cee94b9696de9

SHA512
36c0f2d363853d85069516e676c5e59223d10b92fe6ea6e287b7013645ce0bc767bb44cb91eb6eb373fc76fa7ea0e5611ab86b67bb254d0e690f5d972ff4d9e9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0e8ec2fe722b2858a057821d9e987949

SHA1
a376d358d0feb5df953d7c8c85940f25b8889122

SHA256
95ae0783e5bcc5cab0c36e4e7abd607e6deac8e0c11610c717d916dc8574b58a

SHA512
73a24ff0829f8bef871051aa6518510d8fde1566a900a03ed884f3d8f20de3f7b2e76de31891168e72c5203d81994055c75eb12f35d6d89dde9e85733796a695

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0a8c17e97526f751a8aa475e8c8b7983

SHA1
2cb070d16a547e867aca22af457f13c44c17d0e2

SHA256
81519c37e7b764606c063607c2fdc287f28845aed7cce899222c4f714f16f860

SHA512
40a71708d63ea949f7132ef01340b3202eb349119623aa849b0e103e4b7ddbea543ba7ebe98b255eb58e26ac050c09a1dde89327f31deaa77f483dcf16136593

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d3111b3b32151caf5887f85bfed25e83

SHA1
db35480b12763ec31457e8b2f71d41cef42c8704

SHA256
922aba83695d8a1ec29ba81cf5a468f8f8feaf7dbff19ab608202f2603c3974e

SHA512
2b9e656ad1d689cb6f9526fa943f2b39e447959a7c984cc8f01b5c352b5d86039434ce558c69064900bbb70686000804107685190aa04aa7d901d64669a0cf4a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
d6b6eab1c1e31781bf65152bcaed83bc

SHA1
9069151a923d596110d10150eb4e3e17ee7ac670

SHA256
498d267b6e9090ae9cd3e27fded3f9df5aca5d3f4790330b51b099e206621eec

SHA512
fe28318c37d81c0eb2f57edc51ff3e8828d660c4d403b447eb83d7eae05b3b2827ac6103f2b5a6e6746c5717dd00e40aed2433ec71d37d19ba0251b5aef61c68

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
430783ef98caa3558108d33ebacb75bc

SHA1
7c882731f5f3432931ec50a2486e295442779b2d

SHA256
661c8321e4679646c0bd64dbde49c146eda4107c8538ede2d309322fa02e6cb1

SHA512
08d4f012a4253277493baf9b8b4d477902962cba3a93c98c1bcf5e3cff3cce904f866717bfe7cb1d7ffb31cf10034d46e6daf08ccc6d7d6429f37b15acb63970

Download Submit
memory/228-488-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/228-179-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/444-109-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/444-101-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/444-120-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/956-28-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/956-6-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/956-0-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/956-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1228-50-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1228-52-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1228-165-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1228-43-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1452-131-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1452-288-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1528-144-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2032-565-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2032-490-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2052-41-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2052-40-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2052-164-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2052-32-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2348-268-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2348-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2348-96-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2348-91-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2388-273-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2388-269-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2824-225-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2824-522-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2936-249-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2936-531-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3220-706-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3220-285-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3460-224-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3460-520-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4020-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4020-63-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4020-57-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4020-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4020-77-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4024-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4024-147-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4024-67-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4024-73-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4152-501-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4152-190-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4152-714-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4188-308-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4188-725-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4384-160-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4384-311-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4400-324-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4400-166-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4560-157-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4560-19-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4560-17-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4560-11-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4576-223-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4676-289-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4676-715-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5156-726-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5156-320-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5268-745-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5268-331-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5508-507-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5508-762-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5700-554-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5700-530-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5772-763-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5772-541-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download