df5ad028183b96372948730a110da58eccfdd3eed49347e6b933a8f61e2a7556

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
Size

4.6MB
MD5

27448139e176aeff7232749072ffd2a3
SHA1

b3fcf7db154f9f664464111315434e94993aaef4
SHA256

df5ad028183b96372948730a110da58eccfdd3eed49347e6b933a8f61e2a7556
SHA512

772afb43fce9b4f0d5857812cbcb9e6a5dd4cdbd2e123a0faf405e27a7d3a20cbf19912d2d54553cc322c04b2c2277c7a539bf8e41164f4d3e67019cc3d26a39
SSDEEP

49152:hndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGg:92D8siFIIm3Gob5iE4fEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2892	alg.exe
544	DiagnosticsHub.StandardCollector.Service.exe
3716	fxssvc.exe
2560	elevation_service.exe
3224	elevation_service.exe
456	maintenanceservice.exe
2572	OSE.EXE
960	chrmstp.exe
3240	chrmstp.exe
1804	chrmstp.exe
5116	chrmstp.exe
3760	msdtc.exe
1116	PerceptionSimulationService.exe
2380	perfhost.exe
4772	locator.exe
1576	SensorDataService.exe
3500	snmptrap.exe
1772	spectrum.exe
4860	ssh-agent.exe
4564	TieringEngineService.exe
4176	AgentService.exe
1488	vds.exe
4460	vssvc.exe
1776	wbengine.exe
5176	WmiApSrv.exe
5316	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fdfd94021ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133630181561242142"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f07425ef1bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d8bc75ef1bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094dab65ef1bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030a27d5ef1bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d55505ef1bfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca3f7b5ef1bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f69cf95ef1bfda01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4648	chrome.exe
4648	chrome.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
2060	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
5892	chrome.exe
5892	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4000	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
Token: SeAuditPrivilege	3716	fxssvc.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeDebugPrivilege	2892	alg.exe
Token: SeDebugPrivilege	2892	alg.exe
Token: SeDebugPrivilege	2892	alg.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe
Token: SeCreatePagefilePrivilege	4648	chrome.exe
Token: SeShutdownPrivilege	4648	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
1804	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 2060	4000	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe	81
PID 4000 wrote to memory of 2060	4000	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe	81
PID 4000 wrote to memory of 4648	4000	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe	87
PID 4000 wrote to memory of 4648	4000	2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe	87
PID 4648 wrote to memory of 4544	4648	chrome.exe	88
PID 4648 wrote to memory of 4544	4648	chrome.exe	88
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 4844	4648	chrome.exe	94
PID 4648 wrote to memory of 1944	4648	chrome.exe	95
PID 4648 wrote to memory of 1944	4648	chrome.exe	95
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96
PID 4648 wrote to memory of 4496	4648	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-16_27448139e176aeff7232749072ffd2a3_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5336ab58,0x7ffb5336ab68,0x7ffb5336ab78
    3⤵
    PID:4544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1888,i,11386934806483812384,17239263761159663368,131072 /prefetch:2
    3⤵
    PID:4844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1888,i,11386934806483812384,17239263761159663368,131072 /prefetch:8
    3⤵
    PID:1944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1888,i,11386934806483812384,17239263761159663368,131072 /prefetch:8
    3⤵
    PID:4496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1888,i,11386934806483812384,17239263761159663368,131072 /prefetch:1
    3⤵
    PID:1252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1888,i,11386934806483812384,17239263761159663368,131072 /prefetch:1
    3⤵
    PID:1304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1888,i,11386934806483812384,17239263761159663368,131072 /prefetch:1
    3⤵
    PID:4692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1888,i,11386934806483812384,17239263761159663368,131072 /prefetch:8
    3⤵
    PID:1076
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:960
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x270,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:3240
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:1804
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1888,i,11386934806483812384,17239263761159663368,131072 /prefetch:8
    3⤵
    PID:1988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1852 --field-trial-handle=1888,i,11386934806483812384,17239263761159663368,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5892

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2464

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3224

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:456

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1772

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4564

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5176

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:5316
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5700
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7f3634dc97eb66eed720116b0bbecaa2

SHA1
7b1c5a249565f178bc213a9765cee4f09e0df70c

SHA256
73d0e10a26797d79d02b478d1054ea99259fb142c3cd1bf8dd9671a6dff6570a

SHA512
83f9f55f79b518eac3e3d224a604f8976d0de9c53a6909b22469beb79a98fb6c72410b398ec3cd3335f4479d89b910d6a2d18a93c24874f09d2ff70116c78915

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
da45764f1ba6a0c383331b42e1726c09

SHA1
2e2b646f288226af28c2e379835be7a51ba6f1ba

SHA256
dacc34747f0a063ad3fde0f46d812bb483eac2f57ed03c9ce04a302f96178a41

SHA512
7a35d40dbae52458841666bb54dc5a23b842b3ff56a71cdf2251091ca0cb2d155563184af9a8af4b5bbeeec4e1fdce2f7a06327780232fb3300f5faa0af755c8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
296507b70483bc8fe8294b83342ed95f

SHA1
ae5a07cf9e4354d9f2005d5582ddcded9dc29770

SHA256
b58e533d760eb5f338877256436f6a2cf2d904b5775d52b723d2fcc56c740b7f

SHA512
8275da64181db59857844042afc29aa1337f8feda1e10bb19aba416d96ef992cd82c6e0b3db3d21166c3551ae51ae171e2e9c91d78a84614bd20cc865b812a6f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8c23bf2b08dde67f8700a3bdb418b6d4

SHA1
df7efb7e4467b3d7a0b745420b8abd4bc0354a27

SHA256
85da66b0557ba03aa537afbc2adfe74777670f25bc030f23c7650a870a18b6a4

SHA512
fc8c29d50609017501be761723f8786e07ce5e733f406f721e2f00aed8c338f7031d11215035a23c3974a22ecdfb80558212227c5d994e939dd08cc115fcab24

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
591d1d3f5deecb11c8bf4d7c7a93e6f8

SHA1
f78393aa39f7650c8e83cb044cddede490f64eb4

SHA256
8b93087ddf3f275570fffbfd61f8335895ee5fca577bd99759c358e697cd0143

SHA512
28058fa8942e3f6f152e773137f7d2b47b863c7ed147172a6b4310e655a570f7bd1ef37cf4ace7593500a25301b949880ca2eda35a179c30eaac31ec646eb8b8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d5d316617630b71916815337480e4819

SHA1
02e96f7a8af6449c098576d5b164811d81facc32

SHA256
a5a6a53268e181567fec09e6068182e25427a19c79708057bf1501f1adfccce9

SHA512
774b2fc94642e656dddb107308da4360eec17734c1ab3a070f8895e59b0921ba313d8ff6940a2dafedd989729872c47b90d4831e991d3bb8b4b07dad30d852ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
89dd76784d224fb7fa3a4e78bae0b817

SHA1
3afc08c06230a8bc81d74cf62d178b3940bc6c53

SHA256
19f41a2ba35d4ecaf409c6a0a6b86ed65b96c429b7f5c586e509922ae9b22dd7

SHA512
0c82d9f9dc708bfcbac7edee19b359c70eab785912947174386507eb704c03af32b5aff1fefd4952151ac03ca6f848d1c2cc4085bc12486942465f497e230f2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ff7ff3a5537b01c41316a86ba1f4b9f6

SHA1
34335b192f8ac4f629005e8d05788b5f594c810f

SHA256
36a5208a8ce25b3d7420a82d8f6019c9fb2b47281b5694215fb14ef6370a5555

SHA512
55612c7f811cdd17e131934f8b997d52abf0531b02cb5d12f38fbb197a6adfd5e2cdfc0540a4aedf316d7119f6512a10c7342f6a85837798fd6d6668f4a093b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
cf94a002539f50f19f4a04a36a74f715

SHA1
89373a53511bb6bb04597677dfb8e0805d78d8b8

SHA256
dad4579f8c06cba372616d9a4893c8e44373c3908b4ecc1a4382eb8625f1c825

SHA512
f34b722588f89f0996d4f4e77f9950a223a9258550aff3701a5c0878ebba957a6cf56e1bd831274d8b4ddef982a74df413bef61bb3b87eccfaa73eb4fc26dff8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fe43df9f0e9d77a484eb3ad518412d61

SHA1
94e2e3633d3f00cc16811a0dae82294b849601f1

SHA256
1ef9b1bab3669f8baa275f19cd957243b6cbb8cb8550b4a572ee7f5cfa50eed6

SHA512
66bc6cccf4156948313b0fd496ee1a6fb8b8fce33b0d8da14114027d8d211b6365371bdccd21df35bcfb146a2978d7621d9487b8359ae9ba9dc93cc2072c61e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d1fd679d7fc01572851327445e807f7b

SHA1
7d749d37365ec572a7a6285133d802d6934d86f3

SHA256
7feb169be810012e05ac4aae068d48a6a9bcdaa7d3d6fbe5c14d4f60f838e41a

SHA512
0449f0499aff31d1a08011472996cb5fba90de3607503a4238067f8d5b89e3c7db7aa1e461e55ab34c0562597126ef643dd31e57a7c4aa23a4cb6179868bf9db

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
501684c4296396c62777e5029bac50cd

SHA1
8ce057dca96d578f4bfacd7c916cdca927dbcd39

SHA256
7d7535f07506df599224e29331c85ff9143ae525be5e9772845fe84813eadbc3

SHA512
5194bdd3760b033119f01e6a8ed6971b55b0f112164a0a7454d887d2ee955d65f89ec57983d0997d6378a5c37c4dd9905afddee952f713f2f885a654700f62af

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5d5c5fc460a561651a8869621f79b726

SHA1
a213d162ba6b911ff0387efcfb3c17d2f94282e8

SHA256
c89bfe66af656d1f6a5e4eaf80124b6346e2512fca236a106e9dcabe9fd1e4f6

SHA512
4dc128b8d7da6200f4d454e9ebe7014acb72f284359a5a47c3256b531bde19e004aa6e61516b3219ad916b3d35e6deb399048eaff2f2040af747a4b7fca475d9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
eb9b31433e4ca010be90f570d1f5321e

SHA1
db07c981e5c18bdb8b957d07e0adb820e2a547af

SHA256
a4115a509bfd51140485021662a31b15bcc7b215d893efbdd1a31ffe80fc8fa6

SHA512
836dd72f16ce3796cb327d5eef85d90097f365ce247cf8c666249a4fd525fba86ef56cb847212a9b60287aeacd90028ab8889d51c92f522f177a7e857d846ddb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f296769f4b0447745db6d9ed21b41cb9

SHA1
9dda47f545670c470e2749cfc55d41b2b2d88972

SHA256
bc6d375ce1ee7e22e954b530eb63a940ec38d63c0ca93ef7bb6c18bbf013f7cf

SHA512
1de1f5119781ac3cfb644604d480e49f0cd17f3199170dfab60eb54ca6abe206bd1871d7a311ca24079433bad54abf16ebaca8cc004db1da738940a58c968c1e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
92189a31f76916c853c805462015dd99

SHA1
be913a4b2ffd9796ed30134eec7e27344a0440d2

SHA256
43430ed6f1415909e734ede7bda5a5815318d49c7468c453edab5fb8fa840ffd

SHA512
836afca8fb64aacc88abc05dc280ba02fa5674db047c9ebc3cf513dc650c9da8dede4755819a27f175f501107a226d067a999f17330407de818c4c313d8ac5e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ec2c264b15dffa6cd0b8cd4bbc81e2de

SHA1
6280b4e260499beb48209cbd7567db6d1d73e803

SHA256
835f63c91b55a9f61ac83935b9732739ec996c46d26e5a53478daffeb2d57a88

SHA512
7c47b50a9e1b2ba5bdf117dfe7aea4acdbc01d1fc5eb9e6379d4ba9efe54059195ae316049a1dbd375a285252bf5291f3e5f42a214b42802dbf3f5dad0bd04a1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
40e574d78758293d488596aade3a085f

SHA1
4ba98906e2f8f7d417c59cf4a95a4b73888577b4

SHA256
e8e24d5dbdbf86a3c7671ad935dc5fd6f92a41a20a7d52eccacd42456019df56

SHA512
4cb94a2c13760ac0db7e0ce7155e2efceb2370c706b09267a07a74823a37efee58f632c92acd3c98f2f12492f6fc62902fc04f9d78230bd3359e2a150b26ae3a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
976a2d1f943f2ec14ffd9e1dc1b0f5e5

SHA1
95b1a7a6d3c94eb63a19146241a3a2edd999ace5

SHA256
0b9a1866bd000932e479aa719b1883cf3cf657d04903ffb10c23aaf6b0124155

SHA512
e7e9cb4423b977b5f717d657e39b907c3cd75552b1cda3eb16cc939ff78244ba95dcf9f17ad433be07aaa757c31aa3120d577a46e202478535b8b94cfcb6c787

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240616132918.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0280933bac8722e4eef06d76e7892b11

SHA1
80bab2d0046943cb1d85875d8655294df4a9deaf

SHA256
44e7d06c061fbcf4b6bc4bf45e936e64d3b0c75b96122645a1a49d582af9b1e6

SHA512
ffaa7199e420f980031a4ac57e0355a070069f490993a56a0b85cd35d32e473b1916b4c7bc8cf97195ece39a6226f115d68564d820a19fbd897f60c12fee38ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
21ce929915b41f0ea90b2bd64153889d

SHA1
a529cb378f18a46ed2614659e518930104d39960

SHA256
3376900028fcb3516ecb93eefa73c0ac18eb2a864bd0f7547e5656bcc3d57e24

SHA512
be3f1ed40816169f3be812405ad560fd2a46a0ade4e87204e7209c155c17d69ed356880789f8cd99e3b5769f6b6c5beef3bf8c80fe1733d3d129ffa0079e4af7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3f678a045aa1a343c9b1f856c5ca7daa

SHA1
01d64392e000b287dc948f075beaa539b4622e6a

SHA256
8f6634d5ea003d37b4b4f88d32453c49860e968b5e32cf0573ac89150c94a7e9

SHA512
eaa36d30fa889b1c501090d86eee3087bf7e1ffe0d0ad446232424201e4650c9a6fcc698a97a67c4423e289b70e4e432e85630d014d0f355560143ef23c86ca5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a97f6f48a720d8d93b0a72ca586be5ea

SHA1
bc007c76615554f0174b8f82b55b538143ed52de

SHA256
a204ad970ab312cb2bd59d367c7a02c91097c1ef04917daed7a6e49062e8343c

SHA512
fb01869abf7aba3ce91c40bf569830489f6cfed9f23dea20162c641cf54f4814954792ef6acd8f29a4b076263b9e0a1515889d16a812f1533b10530855e2ca91

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f9faa59f12a4d1829e4950ab7ce7ded7

SHA1
757e886639c8d3cff7dca2b80837ff73893bfe55

SHA256
b33c5295a7a932d3571f6d86cf9a1771f0868783a2894b17c4514742536a2ed6

SHA512
b21762c16f0935f5b0fa751b7b34958478fc02ec9b4df594d4d7116d49ff337efda70725634279c463f05a4700132bfa44081998c15447abdd57e9da878ecbe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
49f974e2814ec93dbec3bbf5554ebae4

SHA1
ca9daa050342cd530eb64033ec9cd927ac07f8d5

SHA256
01dd63b47c4eced25b83a8d97e31d8f1e8620c6bd3358ec617a0756a8e46c2fc

SHA512
bb11a16d29da7b1c2d6a5844cb2f8a7b8a19781c9efe248229ff9d6ed7fbcb46cbfb7bdbcc0b6e8ca76259d5b948bace3c2fb9425f3c7bb0f2c1e8ff32b7fb55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f7919c5e9fd6219e651e45dcabbf2cc8

SHA1
3895d9875db41aa1fc140670a0920a066feb6922

SHA256
00f9f06b1126c6cae0917c63adee10d3c36e0b7f5638388ae0ea97f2a778bb7e

SHA512
55eb40391b7e3fd54ac535e87a3d452bb9c85d68b3e4ac96d2cb037873fd589966032d4d9b98b1cc771eb9ad087b98b0938fae5e856b5c24541f11a5fbcabb0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2e6f1dba714259f507fcce1aa05e2214

SHA1
d8ce070e74bd02fc7b751814e66427d25ea4fd50

SHA256
988cc6135b6fc97425afab1d79c17a41664004915b67555ae68dd60d76a190fe

SHA512
1ba26f1a7e84d2206ddfd3814a568be9f0d7d0ca087a41cc4cb6e9f88c57874713e9638bc831e8aa7f82ff4862832133dff185438ad3f9398314ab8d5bbd8a37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577251.TMP

Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
cb7b12db190afac8b96698178ec4db1a

SHA1
9f069312e080e146620875becc033066b9a13d5e

SHA256
8c89e8ed8534c0cdff16b23b0ab184efbf53b6854e5f7bfac3aacbd889ee18f3

SHA512
1c7a8f6090a47c59a94b6edb948fb54276ddb6c6aa0630e3dda3003f776e179e0c34e8850d7b47f299cbba1ff8accaf3110daf6affd81610de69ab5bf5e47309

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
35eee7bd012dfd62403a5325d4d67e3e

SHA1
f25202c43db17cdfbc72e3f1b3b29ac4d67f3fd0

SHA256
96e03d6d5de5e54a4d6a2705d1f2b533b3c1d55346608e79015c1d5582aa1ac9

SHA512
52132150875014414351f7013fdbd18022f9679db03a47a84dc05424c754256d1aa5d279f0a4de2e02d0a007cf2d052b8edf03ac072d552688d3217574b45642

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
415ffc761206ae2fe46e40bfbff4e860

SHA1
640bea7cd93ae260b8070501f65e9d9701ec165d

SHA256
6ebd3ec7933ae1baf659b7ebb05e35433733dd1f54c0a746de431122ca94090d

SHA512
db0c01a53504ac2c9c247cd95325f1fe04d4624a3513d609a99ab061eb92ce1f0c29a26c32e63eb96c58f3054f424714aeb6fe103a3052883fc53dbf87d20046

Download Submit
C:\Users\Admin\AppData\Roaming\fdfd94021ed82f9f.bin

Filesize
12KB

MD5
48e6bf4537cb4cb907ff52326b60e14d

SHA1
db982c51af70984c5df688b4ed21c54d8850c0d6

SHA256
0611567117774c37621cc86841b0a43411e9437de8ee7001ddbe3e4d949a65eb

SHA512
25fb085950232e38a0c4458212cf29de93fde62e7980f4107d5e6a1a66cdb0a12a5a746ed65bf26f859de4a0cfa23ecd199ddeeb14cd138e54a7c5b4d6c3453b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a645212fe741f63729df52033f8c9a30

SHA1
db8768c6a578bdca8f697829a4084112ca0806e7

SHA256
e929b020f7f272914d53c36fafea22f286173bf959bf5615762829fa998ad279

SHA512
10b4765624857530db5f9e148c62d6b04e9186681e3e48b80f92ecd4e60ee89bb2651fffb4b3089938ba1be4b9dc5730dc80ede0e6c4c47e6463420e34bb7d65

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4b5d80945d65c82a57d7fa8b2bbe98d1

SHA1
8c711c33925dbd7ed69eec15fcfee918a1833ee3

SHA256
fdddd9fd6392ba7a3ba13f47f921f3c316a1bdff0b0b9c721435719d22923bed

SHA512
c9c08496d5c9a5e49045784a68459c31f504b43345208b9be9df58a89a66d2ad5b7b9d20b10ffde27c8c6d0b9a63a546797a42c344e1b08f5739efc864f25ee8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a556316c276f91107d284fdcf38eefc9

SHA1
c284edf6c2da172479de1a7d0e39b93e01f17def

SHA256
9c9af216166e9dd26e0902ad7917d68851ca8c09fcf0c4d6f0af83e6d2842624

SHA512
e4fc1a8f50eced3fdc7573ef48072b45c7946806e8f0acdb1c9ff2acea2185f690b7678d504eadc2e3a453b937d9137fac638f321559b4115d0708c55a81d2f5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e20946b733cd105d0e84dc4b4045f14b

SHA1
643b4b00d492d5022c58f40c5b4805dad1cfdfcb

SHA256
f31d9df085d935660382c4d4f7c3b5c718d8294f884ad4fcb2a781b5d17b40ae

SHA512
983b1d65f2d5cc2ddb47ce0565d75dbd4cbde1b506c49567d0afa7d6a3d9f7a6a2a0cc4b21fe0f52fdcfccccdd2031f128ca897a3f0ac3b7627b0dd70f19de7a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f9d5baf7aaa76276744e75ba4f21fc0d

SHA1
c12314c1b006c6a010c99c184a9562703742714c

SHA256
3e7006a1716a26035585ca17354483959df1c36b7c50fbae613f2ecdcf33cdce

SHA512
3a1f6d4e4da5b8e8211641d9f9180983fd727405d256d6c735f1e3601a0b172bfec4eeeb56efab8d1ec2340214b32a68b291f99018ae3bd29b6d6ed403ad2e20

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
09e5f001e65809e3126da705873694a4

SHA1
5d45b61630a55f7fd013a4ea44a975db19e685f1

SHA256
1b35371ea01e4d6096e12d81c189dc565077b5a4c26990880efc3797ec4956ec

SHA512
ffa9741a782893905e3d35caaa0798cd61c1222b42da2a8b834fabbc62112956247a12e9c2298764e76fb5a96a6830c9d7a1ea9da30980e067b72ce5509cdaab

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
98c82f042997e5ef5bb5dd95c56ce7c1

SHA1
f726cb00f572f36a1027c103df71161f899023e8

SHA256
ddd1060912c83f31a6a674836a4e9942e2e244abbba5c25b290d4213f059f8f6

SHA512
6976d5cafd7af923f330105f4193ab4f7a9e3bf1797b3f18d673c5c2dc3a8dbf693d1eeef6d363cd94bc7b4ca4618f9842ddf15c47185dd3aec322232ad35e05

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
77a7b230af620168c269292179f0d31e

SHA1
d0e15fb34819dc9e5dfc82b52abd68ef6e3cee99

SHA256
8797022bacd7cb4fcae4c669d9bfb41c87810371c85dc5345e90fbae6e34a157

SHA512
5c6e61eb568ceca4709287bf6d7ef71bb48675ce78d5056cf4821d18f0c11a149c3ead7feb36d477d368a16d88cf989c2694887395103b627668238305d7bf28

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4438692e71b2fb6956de057a07eeb12f

SHA1
397a8e7a25506f43ba8998c3226746d8ca347d0d

SHA256
3a20d67be45b4197e87b9e5097882b34a06dbf523a7becd36f69cf190e0b9b35

SHA512
2b571ae9675d2dbc281c982b34ddb282e332787745b7ff018eeb910d8f5d70cb8ffc68d15f188dc69d52a0ee9ce07b15d1438eae9184cb23833ac1ff5e71aadd

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
72f67f10c2ee87cbb2a5325af2649b81

SHA1
8503c86c2882eede0bd30f94a0be0a7fdc9a68b8

SHA256
79705f82b0603b873fb12132db92805ae1053cc31681a23cf2a0ce361f75b87b

SHA512
792ce0c0605a3e8832399aece5c38e638b237074a70b2366b0be3d64fce62c7e4d493079d3183a2b89aa2a9ee25609bc55ed6c2b50648906227bdbe6bdc03e0c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1c92b779195fc5708288d7a9097454c3

SHA1
ce4381f88610d2fe1c4fade9e6e905827a104c49

SHA256
3a2aaa202116e80973f5a5faf6ca369425727ab562f66b65346a4c05ada2da1b

SHA512
b3eada8322a98b6f40b711134cfc7e8460b851154afd0681dc4b2efef950e36c7a30c2ed0d80c7c97f3b2349c8c738193f1b5afd9d6aa2400e5f1bc2ad4e31aa

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cc6e2e3768ada90af0afdfb645e05be9

SHA1
372bee53a95f791ab1f734ca0265c75dc9108c25

SHA256
a433a915ddd813bb146dd590ae94ff9bf5c6cf375b5807d84d7f9e0d8eafbedf

SHA512
ee4ba2ea671f1a9b35f65e4093b4aee5fb2c21fd45335d3926f919104a10a048933cf7792fd3cb9ee9b221f56d84f4995c303724ffef7170fe8196c01d03223f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6abaf931ef512cf67952e062f9c2fe65

SHA1
5285f091d6d707a3a595c9a67891502e39ade8fe

SHA256
5af0c6e256df2f6e492e77db2d06f7fa80c8efdde4eed91375f9d5ebe10924b9

SHA512
05e93a5bd3408d7ad9cd9cc156e8322ea960165707204aba2aede3343c81b79d9c4f8e9193b6a3c88705d28ae953f0c6e9af9bd4d3b0058af7476cd13608212e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2e08c5911720989ec2f632d723841e55

SHA1
3ea7d879978f12c3b68ce93ac9958d6970b185d0

SHA256
ed8a46d780d235ed75ab174b1053997a8a2974f74d853bd9100298f667540481

SHA512
65fa890a5fc72dbed7132f35b6ecef0e0ed42fa83ff5be141777fe7f8cef10017295c1aae2ed532ad52eb0e530d44930340f3ca4680eabcf561ab3248586670e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8690a4e83baa5aa43151e2e94f60aa1d

SHA1
f87b9376c0214bae9d5b459ce62b7c99e05b2126

SHA256
bc45f7c716f1296495dc75d53034820f5022dd0e315eeaa837d67349d8cf149c

SHA512
21a6e8171e0b29a277625ba4f1f70f1ff4ca89cc7f06b0af634e1cda197c6321dac444b1173e31375c7956b1b60248c65dfe4c565acb9215bfcfc7e5955c9a01

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e10ef9cad13dc44f9de3755d47f42b76

SHA1
be30dfdfbea144ab9e0f46c24de91e61de5df831

SHA256
6ee5ce733ecc469426e8723dd0b4bfd79eac669e79d7fa5ca5ca6cd1ec3dc19e

SHA512
ca7d5931b3af4c6ee4d5409d8592b1381c49108e90c5296c974070bf824720acd5fef761664873cc7ba007cb473fe78a236107c0a7a17bd2de6bb4f4213d104a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
40ca8b1de62c412ae3fe5ea64888eab7

SHA1
be11363ed188019e4834becf49fff29a05335c3e

SHA256
c4c5683b8abe28efd818073bf216808c1c359cb24494d0b43906edb953b28f64

SHA512
aec0c42925d65d40ae06a40d78cc29fe785f759dc43daea72bfe8321af4ae2a8e31c5186652e0c563ec8c4d5b6443a2e9be5bd131206e490f2bbfb05c2f9cf95

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c34cbd7645a17933b79f1502d1f87167

SHA1
a03ab0549fc13c184a10705f6d0d664d3b8ec0f2

SHA256
71a0dd94227e23ffea4b5ef1c775007dd3514448974b5442f462be2977fa7e0e

SHA512
fde8db40a01c2fa174fe4a9ced78ff2fa2517ec159e34944f7eb42bed2620e2d365e9afd32cdbd3247c3946010e75f21e5f763167269f340e8712bc7e14f3a7b

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cd774f6540132256fef28bdbed5ce74d

SHA1
584dc079c66a2498a76a0e6f8da6145d10ce4a87

SHA256
008bc5aa46e7c862d9ecf1311665f75e7c2eff973b218f2484dba60c27c6c470

SHA512
ff8e4a7aff7694747179036af4814c237b793218a7494d8dad95c2d88a51760ce8822c845f3d1dca52fade49e28e42a7e1bc81e2c6fc721bdbd7075d41c9a713

Download Submit
memory/456-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/456-88-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/544-55-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/544-41-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/544-35-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/960-319-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/960-381-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1116-456-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1116-556-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1488-545-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1488-767-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1576-600-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1576-473-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1576-761-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1772-496-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1772-758-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1776-769-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1776-568-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1804-348-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1804-370-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2060-27-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2060-21-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2060-349-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2060-29-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2380-461-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2560-71-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2560-65-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2560-62-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2560-251-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2572-117-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2892-19-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2892-384-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2892-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2892-13-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3224-116-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3224-405-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3224-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3224-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3240-406-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3240-331-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3500-690-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3500-493-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3716-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3716-45-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3716-51-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3716-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3760-432-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3760-544-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4000-9-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4000-0-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4000-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4000-63-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4176-542-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4176-536-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4460-557-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4460-768-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4564-763-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4564-519-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4772-579-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4772-462-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4860-516-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4860-762-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5116-407-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5116-358-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5176-582-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5176-771-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5316-601-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5316-772-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download