389e8915f0c22a6cd7bcaf63630b9f0ac10e6f9a4195c2cadac4d876e5af916e

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 10:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
Size

4.6MB
MD5

e309bec6b3ea4fcf8e1debdaafa5262a
SHA1

dc26961a313b06540ffe0ef61406706d2fbb7fc9
SHA256

389e8915f0c22a6cd7bcaf63630b9f0ac10e6f9a4195c2cadac4d876e5af916e
SHA512

e1768a9e15207b5d41f6b53a8cf37890e6d4c997ae7d5809505f19dce555f8371b3261876cb720228ebd4b182ba538aca9450223badfbce784e823836d78c865
SSDEEP

49152:KZZ3v2piy/Gjw12Z2KWUEC8s1gDK1zPuWDpXGMKpBQ8iBjcDoDLNnrFclC/qtBGN:6QC3pPuWg8h8K6GhDb0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3356	alg.exe
1416	DiagnosticsHub.StandardCollector.Service.exe
1804	fxssvc.exe
512	elevation_service.exe
1608	elevation_service.exe
1128	maintenanceservice.exe
4228	msdtc.exe
4896	OSE.EXE
5028	PerceptionSimulationService.exe
2328	perfhost.exe
532	locator.exe
1756	SensorDataService.exe
4196	snmptrap.exe
1332	spectrum.exe
4272	ssh-agent.exe
4684	TieringEngineService.exe
2732	AgentService.exe
3232	vds.exe
2808	vssvc.exe
2896	wbengine.exe
4848	WmiApSrv.exe
2152	SearchIndexer.exe
5148	chrmstp.exe
5296	chrmstp.exe
5384	chrmstp.exe
5488	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\35d42710e703f493.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b1b8814ebbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074333e14ebbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025bb4714ebbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a34d3d15ebbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b816e514ebbbda01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133625757138775136"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d0a5614ebbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb920516ebbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4548	chrome.exe
4548	chrome.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
4484	chrome.exe
4484	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4176	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
Token: SeTakeOwnershipPrivilege	3612	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
Token: SeAuditPrivilege	1804	fxssvc.exe
Token: SeRestorePrivilege	4684	TieringEngineService.exe
Token: SeManageVolumePrivilege	4684	TieringEngineService.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	2732	AgentService.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeBackupPrivilege	2808	vssvc.exe
Token: SeRestorePrivilege	2808	vssvc.exe
Token: SeAuditPrivilege	2808	vssvc.exe
Token: SeBackupPrivilege	2896	wbengine.exe
Token: SeRestorePrivilege	2896	wbengine.exe
Token: SeSecurityPrivilege	2896	wbengine.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: 33	2152	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2152	SearchIndexer.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe
Token: SeShutdownPrivilege	4548	chrome.exe
Token: SeCreatePagefilePrivilege	4548	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4548	chrome.exe
4548	chrome.exe
4548	chrome.exe
5384	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 3612	4176	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe	81
PID 4176 wrote to memory of 3612	4176	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe	81
PID 4176 wrote to memory of 4548	4176	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe	83
PID 4176 wrote to memory of 4548	4176	2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe	83
PID 4548 wrote to memory of 3888	4548	chrome.exe	84
PID 4548 wrote to memory of 3888	4548	chrome.exe	84
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 2324	4548	chrome.exe	101
PID 4548 wrote to memory of 4800	4548	chrome.exe	102
PID 4548 wrote to memory of 4800	4548	chrome.exe	102
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104
PID 4548 wrote to memory of 4360	4548	chrome.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Users\Admin\AppData\Local\Temp\2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-11_e309bec6b3ea4fcf8e1debdaafa5262a_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.142 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x140382698,0x1403826a4,0x1403826b0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee174ab58,0x7ffee174ab68,0x7ffee174ab78
    3⤵
    PID:3888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,12943475527482717596,11824347857255139365,131072 /prefetch:2
    3⤵
    PID:2324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1908,i,12943475527482717596,11824347857255139365,131072 /prefetch:8
    3⤵
    PID:4800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2136 --field-trial-handle=1908,i,12943475527482717596,11824347857255139365,131072 /prefetch:8
    3⤵
    PID:4360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1908,i,12943475527482717596,11824347857255139365,131072 /prefetch:1
    3⤵
    PID:988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1908,i,12943475527482717596,11824347857255139365,131072 /prefetch:1
    3⤵
    PID:4992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=1908,i,12943475527482717596,11824347857255139365,131072 /prefetch:1
    3⤵
    PID:3420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3940 --field-trial-handle=1908,i,12943475527482717596,11824347857255139365,131072 /prefetch:8
    3⤵
    PID:4604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1908,i,12943475527482717596,11824347857255139365,131072 /prefetch:8
    3⤵
    PID:1400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1908,i,12943475527482717596,11824347857255139365,131072 /prefetch:8
    3⤵
    PID:5944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1908,i,12943475527482717596,11824347857255139365,131072 /prefetch:8
    3⤵
    PID:6012
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5148
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x26c,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5296
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5384
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1908,i,12943475527482717596,11824347857255139365,131072 /prefetch:8
    3⤵
    PID:5128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1000 --field-trial-handle=1908,i,12943475527482717596,11824347857255139365,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4484

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3356

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3988

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:512

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1608

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4228

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:532

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1756

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1332

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3688

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2152
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5704
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:6012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cd53d290ce0ea2be19bdcfcfbcf9f21a

SHA1
660d1d5ee6d527a3b506a0bc1922b355d36624cb

SHA256
372005da383fe74b9723a72a7718397c5b99ebf78abaab32279ee80aaddcc2af

SHA512
574825b02c5f0818fbcd7d2b930e50b8a577d54fdb5106be7e104470f7ca381b7ae0d2846087e4f130b1008f928374e51dabe7477a551633964b43a68b28704c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
2506a3a0605c370e8fafb3011ff1bcce

SHA1
f8cabc34aca898908522a42fddd3c6f762d131fb

SHA256
9ee8411a833834a573a9ab327fdef7db1adb00fc7761a2f7b19d1d23d37a946d

SHA512
c7d28d05303955d7db7354f3df66091d39f4ebd49f710bd721a19d6d783170d6454fc6c95ee56dcce96b902180a152a71f6738d14720a39adcc2d94e1fe320c0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
4e6da4e46c6789046a19c3973a4a206a

SHA1
8b1658382462d682b7fa7670756340abba204693

SHA256
7c15a46599ee5a7ca2d96f84d7774d80d7b2b91cccfa07903340df0649c76701

SHA512
662fc2c4a4c2ec737ea7b00a68d15bdc6db1b438bebb1fb91faecee7047598ae4d893fd715c56a80c93589dbd49f55fea59b4ecb5c837e92be1799f937ef5a1b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2b97ea26fca4f542b12dd059b53d8ff5

SHA1
9f2f532b568cdbdd41ba21d345d77b06bb60cc39

SHA256
051e6c7002be041a7f119b55d6c1c4d167e6fe93e080709ee8a27db4c33bec3b

SHA512
07d1e48cde2ceaa1ada971c9e47c8262f0b01d4b94b303ceee46d2c0f5b7f8ef9578b4cd30457b277ea345083399fa9db243bd2d38e0fcfe013dab1070feb270

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0ede323bb1eb1061a18e1a20db443b73

SHA1
85f7f99b5dbc772c6cb5fc6c6a8d019d084f2119

SHA256
1dafc7e5ec2c6d5aedef14e8d65ba4cbd6f1ada8e552247c150f8415d58ea0b5

SHA512
f9f21d7f8274b712c56332429f9b3b3fb2ce246d2a44cac62722d73e2901ad958a76fdac79124d591ecf3d11a4d9f2a844f258a483a22b1efa4132edb026f0dc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
f1db40fea0bbe2c63c61339155ca2067

SHA1
18ea34ec99c7702a0df95e1a8732774445e5fb96

SHA256
f8d94ed65ea51a5fe029ab39c335ec965c093a7e7cdaaa979ea58dfc2038e6c3

SHA512
f91783cc0344f62d08889072b8a72cd42ccd50972a7282cd0ef78b9c22b2763cdf2b5ec3746dd233f2ef3cf28a54dba866504f281c81f48d5513a47d9874077c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
09a79c4586251a8f8e19009324405f89

SHA1
cd0fe2b12f8021b5a1df6194d5d4e8558b00833d

SHA256
49354c3dc80a6e6b208ec65e3948b1b28cade5ac3c9a9efbe86ccf212b6ee757

SHA512
d7d28378d3b16e3138b2eeac2107fe2b65588888e60a9e751c386ae2a3e4b7f1386aeaafd7f3a99ff8537e668c817482c3c9627086cf3afc5317f607e9fa1ace

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c680b168aa0e1241e31ab7120047bb7e

SHA1
348f875671bbe9c18c441f52252c0e3afa475907

SHA256
cf705043cc08c08500b0a9ec46936fc360e925cc24d17cbdd45d4f096973c773

SHA512
8f8fba4c9b94899a189cea709f72dedb5588b037627110525ea1e60a10881138d7019d903cd0ac19647cf0e0053c13a671bd0fa91d6a0aef335bb95675503710

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
a6dc8b829d1b65909a1e933e0e053ee4

SHA1
89ef81200e4e71e1a8390167a073777dcbe738aa

SHA256
494dbbd0b1d26290061bebb0f070a57d92ea4237d0cbdd4fcec271494640aca5

SHA512
78883db915f5be3c5126dd85a05f423d2d428986b134c27d6ed66c95907c62b934f91237de6951924bb9eae8d6816188712745ea4e194c775c3ebec5b85ee245

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3f0416bc581bae3ed417b14d7bf30f08

SHA1
6b6d5c06ada677ebec925092bb8746f450e66abc

SHA256
c6ef38d350e6ea2d27c002a165cb83ac9f7e4864f14a01a6c934aa07871c0ffc

SHA512
04988333b74c59728404ea2b212d00d9887abb1d9a8721c74de82d042c06005b02a1f1138214bdd7543e00ad7359d45c5669aefcb58d3e6e5ff13e2f42cd8c06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9a0078d839bbfa180a560eeaa1a16956

SHA1
d4d905c0f2b7dd45b6271c417aad6e5087574095

SHA256
582d24b6f70f53f5979e9c8db4ef6798bd540d4d27abdd4001a4bafa505e9df7

SHA512
5eab87c8bb4b3642d05fdbf601add90cf3786e744e7c19bfd5b738cee3af59d6a95f7122c920fb7bd7ff317fbac66f42d9627b626fdb93e8205a055560b74bec

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f19478f4dd8980a62798ead23b047e4f

SHA1
98bea2d297c71c0aaa542fe25ca8168ae3e53695

SHA256
b933690258392d7d3fb1c220074c59c772a1f50452968b3b1c7ca9b7bab2ae52

SHA512
41d6cffd6f5b48ce0b0e25e1ad5fe5f3c803a1f7204941782c184c30d80d42ce614e949caa5eca4c6593635ec99f0c8fe115a07f23fe72d6833c5dfec8da4bde

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
f8c005af52f96fd9e8f809399c714cb3

SHA1
7534a3ff26d0f0caec1d75ae97154bc8f2609d96

SHA256
64a926280c48cdb80cdec25ab4f5320815f42555683d429475dcd595683d463c

SHA512
868c9b7b8bcd2d1fc581c141dcb74f4e5d13b44f293b671e3aa1b4f6334e2fd6e04e03bf0bc772030e86f636f4dab22c1614ef041070c2034a5145b732fde31f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
c6e7702436bdbe0d05dc92ea5a3c7e93

SHA1
ee20b06b66126ee4fdbce990505e407f7a075760

SHA256
53942b0247a24ebc24a50cf6c163061b8f469b63806e1fa63750429a09086e87

SHA512
f3fffb17a7bddb17b11056ed82f375bc2ed44c2ed01ac6c4bdc363bcd733f77c1ba11150e59ecccb8397cce22b460c34f825a4fb5a5c20fd1d13731a6d0442c6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c90670aff636c2c6d8bad0a32f3fb761

SHA1
dc7c654bcdc0090ab8accb5257bd0c989fea0483

SHA256
6fc0760d6ca465699559a753603bebcd89dac476bc17e58810de63dc5dcb282d

SHA512
75796e3c59e42280f017382b7eb52363a1f99e8c9e8c71592509fa4ad64bfdd4f8e02d39cf61f80efe5fd93e042e234f7071b2a37d25cf13207a7e8dc003d7c5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9e92b08827f9c7f3062be0229955a81b

SHA1
9f410cd95596a53d7147b738625c6c18879e1c1d

SHA256
e80d67920b068189cd3d81dbb9abf7d60fd2468f84fdd501b2acc42b1de159e5

SHA512
a909228610a3d2e6755b9093bec5ef04555903a9216783d7f1b96011c60132be46d6b12065a241ed8d32716db23423592164c38756f0e3308c0428ea1dea9749

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b2628436b950d983a9cb3550b9b01e08

SHA1
2e41103229e6d471efeada8c256d0d1380a75868

SHA256
ab953c638b28e97fa471d4f6667a0afa7da77bf02bc3e4d4a4dfbf60f2e0061b

SHA512
30e780e80472b3188c593edddbe40f15568b77c41f18b4214ee0e63ab34f692ad4bc6c098c7b28991f321a69b5c278246c23d1fce2190dbec7652b6154d41978

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5b2fc5de85e76825175f4cb5f04b245c

SHA1
ba39a4fecf3645ab6160b1dcb3253f9ba2ddc688

SHA256
7a085ac995b98c126f61093e6a74135cbc8f5d54c59e4e0d7e5bcf640ed48162

SHA512
2ad2ae0ffca0cf9c5f79e115675731d0e267daef161c75e05082bff27bc9b0b35fb263c17c1100578646961b6772cf46cc76ab7bfae7a3e962bc80635624dfd2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
bd44ff4746f2f0dbc186366e02015055

SHA1
67389d453ef8cd5dc93b0929ef98b7fd35da923b

SHA256
e3b952f625e03b04d322731bee181b8758b8256d5e6eec898970c3bd5cde04f5

SHA512
91c0f8922f8748392d6c1a6c467ff6b6ca151160f23a609b976e609fa53c74b827ce21a528597e25db8e71ce854dc7e400aeaea418f6136dc98e3e774ed024b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d0df793c4e281659228b2837846ace2d

SHA1
ece0a5b1581f86b175ccbc7822483448ec728077

SHA256
4e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9

SHA512
400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
83b4a7b345b25bf7e6ef924b867d5e50

SHA1
5a620e9cd6074512bc1abb3f7657387054e2905b

SHA256
39cfcb1feb3ef764c36e85230be53f8577221d4bf445f5a18cf755d6b84a8b4d

SHA512
d7cc90c5c2731251cf1ebddf0cc30acb0b8c64d0905677e29e6c13d312bdaddd2d1756ff422fe402397b0f3ee4dfbf24f7be7d41ccbb24ec5755a4a55eb197f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
309c2c9fba50542e240c1626374c709b

SHA1
6a8ed7eb7fbbb0a0bf33b7d9228fe954b1502a78

SHA256
7cd80823e70480839fc5030761c6c58f833e8057376d0376eeeee4b1329f786b

SHA512
aa572d89c2a54f0fb479c1d5a6e06b74253e05afda33d02263ca4fc98e07b2dc4c523af019ab7a58a8d7c185e7fcdecf8f0bbd4ed4c4c4481aad70423ef39c8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
02650c76b99a28f5ece92a5c6eef2866

SHA1
04e3a92413bd80e798917a890a1a664a96539752

SHA256
57797b7592a52beada2a46df203e73c2c4d61ebe44ebd4837316313ebc2e397f

SHA512
91d3cf7fcd397e2d4ed62a2b3c968ed146122a63afd326e37f9c9bf1f043b641d1b8637335c576fa1163a1d3b960fcd4fadfbad33099b749c407451a0b774c5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578656.TMP

Filesize
2KB

MD5
1d0245a0816fd932b1963600bab98460

SHA1
82d188a3a5fd107ed83000e16e41e0d67eed941b

SHA256
b9d8f68c1f5aeadb1748f8efa21c33a4235cca822bfdf19951d296b2f29944f6

SHA512
febc999100ab08b73d52fa2a08f7c09cf2281c420762d121150da6cecc922372a9591619163881a5d2956cc20a7bd6d1b5017b6f0575b55ca6baeeaa604632f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
88d0332c16b46b4cea10c98264c89e79

SHA1
c09ee24c7f2c15c3a7459e38d53a40294025dc1b

SHA256
c13c4679531f9b36f131c6e4cf42d607694c1d94ffbb755c37bfc543dcb5ec98

SHA512
8c99b1d19476fbbdeefef836d1758c073d3e84d68f76cc5f7cb1e0b36dbf808d016c69479e72aacd765ee02de1ac088ce96d6a91030f9858938734b550f5e1c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
569fd14dd3a71980e82ab5aec2d95f53

SHA1
bc53f81472953dadb974fe4f11d1ee71fb503421

SHA256
b52ba624b80a11447ae6d4f310ba56237ce3a8763c790d2bc206d6d86bed5961

SHA512
e05f7db4a1e9302f185fc65b6462e29e1cfffd734560d7653bbb9f85e3fc3c7bcf655a49c73028f79babb53aaa2355a76b844ee68a578e478b0a0b94d3cd757f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
9fc4ea9a8505765df3df81bdb06f9545

SHA1
d18f8ad8f8db0763702cdc78c303c95406c3b147

SHA256
ef8ffbd927c6395b50772c04d3e3d03976fbdde40434994abe7cdb5e3f327503

SHA512
20469f8d0172c5a0ae51644eb24ae81657ac77dd163a8dd0d5aa164cdb8bbd8bc0eaae9b18ada02c07ca136fdd862851902be2d673144e07a3bb4e23ef43608c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
57285cb44a370d05d23a6bb0e73691f9

SHA1
af384eed3785321fe0bb98e74604da494d87dc6e

SHA256
77836cdcfbaa31c7d9db352221536d16cf55fe215446091c83f84938c284e08a

SHA512
d42670b3cac4134690cc1116141ef770df95d1e15692a67979672d990b7ea89469ec8fdf92578e102efacba9063c16a183fbdcdec9322ab2e8057acd3e02f033

Download Submit
C:\Users\Admin\AppData\Roaming\35d42710e703f493.bin

Filesize
12KB

MD5
0ccb328b3de8a8a717625d58f219e1e6

SHA1
e9d781e15d7eb2ab528fd5c47e74346084e9e62e

SHA256
4873bb946ddd63fa0e9df0d676d49cdb54f3af386d08750348859fca852691cf

SHA512
67aff089504cdf7b7531aa05be34ce3c7ddcc9b8247cd2b51fc8761cc63a566b085b08b1a14963b2ec7a5b8e1877a1492036f58af4265cbefc76683f24febe41

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
05e81e582ee72c0ed52b33613a50ea95

SHA1
03a5259369be66000413b865eac680240cf76f43

SHA256
d3f84868d7910dc43f6d9ff85d59f9b32f4d4a562e2b22fce9c44ed292111d73

SHA512
9ffdf7ceaccc89e1d67e600c2ab5f05c163923da9a838e432dba9fea85da17070e202184643573d2f73542a6a51bb6fe83b6d01ce273ad711e939ace55e98a31

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e84a8ca3f92aa6c1f2f8e18c9ce301dd

SHA1
9341dd54930a41396421f5efc2ba9ef852209439

SHA256
c13a68c0264ec2a174d9134a526280e7fd36b9ce0c007c5c3092e771466588b8

SHA512
f71f9c47f2324a495879dc701ec463b7b21ae82322240419fde1b1614d3aa5444d2a4e1a5fdb8a6a5ae377b7fe0252c7d4deb1cd78a8bac35142368264fd0929

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
e6399a6ea89228d4d2aa4dc0e2efb93a

SHA1
08b49d78ad8fa04522e6d336e42a5f05a32caf15

SHA256
6ffd8da5580cb5e9d576db70135f65d37ea61ccd25ff56b1ffe2e6b2aa09105b

SHA512
b2d806b5ac942fb624e488b35cf4def527c0dbb78481c0fbc9d32d2b0ce2cab93d0bfecf5bed4519098a046a5e78c0622e8132bd9c19a33af23a316eaec2e0cb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ddd04320b411466429660066009f7d50

SHA1
8c2d713d558697d0227a46e472269aeddfc5dbf9

SHA256
2f0ee19de08aa0846a0401e687530e658c164b496244d8b39f13c87a490148f4

SHA512
df2ecd8efdac5631159790db9b606f18acd923ebbcb6f8e619a569663e4a95fede07b86b9ca5ee1af9f7d937aa0fd9f06b594c84d587f527ea5f0f8d8ef33a02

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
6240306ac84599718691e6595fce1b96

SHA1
2961dab2cf58ca14fdc263a66b2e430721e84eb9

SHA256
48322fa28a69f4f456293bea8570229d62394a3213de09168cb4fd5d14e75a1d

SHA512
0cbfd17c762617b1f93c2e066148c5216a6e71bd862bb38958708bfded162972720147426b7f366d5993b4cae332e95d93894ded1b69174b1d5e5110404d8e42

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
fe06c184842e8fde337033316308b603

SHA1
7185758ac439249dcbc4a8884a10ffcf36c5a000

SHA256
e92fbecafb02dc8febe6983d97c47a7da00bd0c6a0ab6f23e7bce812dad9bc47

SHA512
4978b874623cd8f39d80a642a084139a6847400f6eb1b8420e8abbc967f271ddbdf977ac9d594d9f0a4b2b75a813864434910c33673c29e62c96112ca619cdb5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
6b9a2242a2c9586b75c0d88f51e1d0bd

SHA1
3e4f67dd899922752a40e5b86e3b00b28784a89e

SHA256
a5082f2d32362659d3c431e52e6096c87e0dcf265cb16b258b11207f6fb6f0a8

SHA512
2d378c8da26070488c98103a85722c9d9a2520a4dc6bb73e348d3ed996531ef0364de15c582c4ddef3f67ea8ab3d6328670eac3a6cbac84bde963f8e94e057da

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a74c89646d954b1ae39c3d5819833913

SHA1
29713184f7c10cb2b86b3a64ec87a708196920c7

SHA256
53e4c3d46696de299f1e54df3877ed8b36355883085557b004194e96ad594888

SHA512
e1dbd569d312286ce84dff58a7b1a372ddd77f6d1eb76094d0bf6a1302c6662e1a3506072738aa8d98450fc48a0d7955da4b5ea0d01c7753df27154c324b40aa

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4db3a3aec05ca3dc775885e175eec5e0

SHA1
09a3f332ffdd3e1707250cdae30f28f697ed7f24

SHA256
a5218dcc1d30034d5cbdbc3360ef23d124712ce122da1988fb85de56d70e0d39

SHA512
eacab057dce117a62d060953ecbee1f6c9ad677fc5481652ed91f5c299e46fbe68e1c22315b5fb723e8d20312b612f399e7b47c95835e5feae8a20153b1ddf8e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
72da9782da55b5716297ce21976a7782

SHA1
cfbbe7078ddbbf01a90061e1fa3c126246505ce4

SHA256
f3c81ce3f643e378edaae03c3b8c3347e838dede84efe739511fa9e9935cd634

SHA512
1d2071fbe5c825817e895fa3ab96ccbd1c06060d2c07c8c6b8b2a192145f5865eaa7de35940f1566e2168d47f5e1fb0af79eb73f8f77d64d6d73ed6f3f33866b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
43ea0e73b2df80fb72444ec2eae4f92c

SHA1
4269777085981149fa5c7fc1a1b4b0f5915ba7bf

SHA256
928b7f0c7882fc311e7153a86006aeb53f34f2b2c4c9f1bd054481c9e9d2ee88

SHA512
cb9cd9b19545855238820c00f1c1a59bc3a34c2b8785eea75ef081d91eed6dab5e00e547e487d528444bd49136e75174cec400458eaf8cf758c4810aef377a6c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
98f018061b68319bc09cce86ac4e4315

SHA1
d7c6cf8c1e436f28b06b997c3b0325c1f64ac894

SHA256
c36dc59ea727cabc72a5469666d54f83084910b00b2dad5d73e27f17dfe49eb0

SHA512
76a37b7d1cd37d8fd3857203ce0d01ebddbe36d1e1b28b2db24c96c680761b085f6404daf2a4267ab7b0dcc918c306f8b84ee14753e11bad5ce578358add4765

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
c1e969d98bdf6ce30e798287fc89a843

SHA1
509e75242a4d55370abafcab16bd2befada3d8b6

SHA256
f7926f44776769989e68cf3231669ae491e441817a10e1fa5e4ac5aaa7b7cf2b

SHA512
445645cffefa27ecec8c9ea0bbc1ab8ee2b44643b1d7d08b8b281c92fe4cc0bd4fd605f7d652b57b23a1907d1da3523de5abfc237010739b3370575c4dd8c443

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
bda1e58a5def50b904476e99d1e781e6

SHA1
e191195839ef07aa8940d4da55bbe83585c1d3c6

SHA256
04bca1feddb4928697e96451af2f5f1884f56a9e9d974a3a1d2cb41461ac09a1

SHA512
103dc7b77d0af463dfb30c1d7537f31ac1da8d6cfacda4ca95e14c5ea05387529adb4a20c916fc68b36a4a6bd3268df71d05af73baa242fb37e973a8047a7dae

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
965799d53a4c2c68e6a37f59d3b7ec50

SHA1
414bf68a02b235dd3ef841d514deae3fce2b418a

SHA256
ac037820f9d59b1cc66d805f1a7ada75f17b46d68386fc370bd3b977c295dab4

SHA512
89aa5491d7354f5fb6cbbfa4af51c16b72d5b4d7ccb68d82971d418ef71d0bfbd0df393f09ae5e1086288e6502e50160f92db7d806882a4c347253b30057272a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
67bf3bf978437fb86d4d9e4147676523

SHA1
f0d2d493ce8188d2bc180e3af5e2cd4b9be21af1

SHA256
84f2222274182e3b8cd59cf69344ef750154b798edf2a0c3ce387ffa8ad799d6

SHA512
1968fdb608d3d1d011f98ec24b1aa61417a90d9a726cc954745d429aa3e60859d10c193e838f1de6308a7fabc944620f26d6f0bc9de3f9d86c2c98d1f6f8de7c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
3e2010fca49973fa9885dd26351ddd2b

SHA1
7a753dd8ff8043e0315208b374d7d5b89eccff38

SHA256
44b65f3b43c8cafe5c9a2c1fdeb7fd33f29a100f3aedadb5a894413904202224

SHA512
20aedf0d1cacdecdde13348de019c1cf373887ac53697c0d5af690e1a9bc179e5cb5b40a9e5867f98d3da25eeddb0ade7513521105a20539abcd7be138091a8a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
81dc584ca97a637fc7d7b52252dfd10d

SHA1
83d51dab61e94a8299137967270b8a67591161c2

SHA256
d587e519f043b263a36986d93d006c8028aab3d2a9cf799bdf1f6ebdf5d5657b

SHA512
486a6631cdc68ffbc34fdc5705e78bf70545ed571a7a96cbca4aa9eaf32fe9b8490e2be5ef291da5b09f6254366f9c2b2bf6076a094ccb38df32fcb1bf5ad662

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
dd7a044bb22136e85285d21163fdef66

SHA1
1fcea0d904998de1bdea9cfa654a50c20b3dcc5b

SHA256
b918a44d48859b4ed705a9a7a23d4a816a368aa2161ad495a7a6d1c6992b61a0

SHA512
67afbad0468b8d5b405186c63a0960f5fcda15b2ab73767c292863e221265758001b2e110a3296f5d2ba1463863d556a535850a65a107344ade40a79c33bf358

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b29c1a8b496308a43ac94162f42fdb70

SHA1
be7711a097afb990b96d62823dff5d962d2edef1

SHA256
32315c5bd67351803126deb0fd97404f50c5eac0dcdcbffdc2d4626a18b5ef61

SHA512
dcc1c5b3ab3090b90e8f38513a561d4384b0d0388fa38842c651bb52a1421e348664974baafb09e50e4ef433d77dcec8f0ba5f3a02d5a97c68d49e91911afa7a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
8f58bded74eb7528e82cd0101f6ea8cd

SHA1
2523c058f6cc07260f24f7fcc7bca1493c2954b4

SHA256
fb5c85c23d339c349e314a6893e7eb2dc58ec8bf76d16d107e531a2fa07d4b92

SHA512
bfad70c03f6c3007139797c4042c4dd700ae84a2425aff1fcdfb821452c8327adeae0ebbde57775bb4d91f9e6835d17fbebe2a32b6cf7b9bf7317fdc10511b2e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
9e4cdf950608e25a4f21e8b9500ebec4

SHA1
cd33d2b9c98e18d1f799cfe336f3d1259901a52f

SHA256
f53c43e3bd9e55fbb6b6b11efc5ce3e0c548aa775259dce5540ce2e8bac05a48

SHA512
80572b6e1dcb07f14b575f746dbaca9cef33f23c13404b1ae23f7ec588ba0cdda9948f4a6f9edf9e02e052b32b58cf34ce36e85def42e4ef9006740201692dcd

Download Submit
memory/512-177-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/512-63-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/512-69-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/512-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/532-183-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1128-98-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1128-86-0x0000000001820000-0x0000000001880000-memory.dmp

Filesize
384KB

Download
memory/1332-186-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1332-498-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1416-43-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1416-166-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1416-49-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1608-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1608-176-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1608-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1608-485-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1756-184-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1756-557-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1804-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1804-53-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1804-59-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1804-72-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2152-317-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2152-666-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2328-182-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2732-228-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2732-243-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2808-625-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2808-282-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2896-630-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2896-292-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3232-253-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3232-619-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3356-28-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3356-316-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3356-32-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3356-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3612-20-0x0000000140000000-0x00000001404AC000-memory.dmp

Filesize
4.7MB

Download
memory/3612-10-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3612-16-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3612-281-0x0000000140000000-0x00000001404AC000-memory.dmp

Filesize
4.7MB

Download
memory/4176-36-0x0000000140000000-0x00000001404AC000-memory.dmp

Filesize
4.7MB

Download
memory/4176-9-0x0000000140000000-0x00000001404AC000-memory.dmp

Filesize
4.7MB

Download
memory/4176-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4176-6-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4196-185-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4228-178-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4272-511-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4272-199-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4684-224-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4684-532-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4848-631-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4848-312-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4896-179-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5028-180-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5148-589-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5148-496-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5296-701-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5296-507-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5384-582-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5384-522-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5488-535-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5488-702-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download