e5592a74ea5f520055dc05a0935f080519c1ef011585f8d26fe30da0cd6c71b8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
Size

4.6MB
MD5

e4a6f54cc1a59929353452324b8ce997
SHA1

8e66bd8e6aa2a20a28ff9b7fc37a5dfd0dba226e
SHA256

e5592a74ea5f520055dc05a0935f080519c1ef011585f8d26fe30da0cd6c71b8
SHA512

36956334016632a0f41f18eb3b244bfd95bc84db2f74de79d801c8b0e9b7551b9a03a458f286a954d15c21f4871bba5bc047ad2d18d4080d7cae3a641478c58b
SSDEEP

49152:rndPjazwYcCOlBWD9rqGfi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAG3:T2D86iFIIm3Gob5iED3R83Jd/IZ2v

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3760	alg.exe
4548	DiagnosticsHub.StandardCollector.Service.exe
4828	fxssvc.exe
4468	elevation_service.exe
2772	elevation_service.exe
988	maintenanceservice.exe
680	msdtc.exe
4088	OSE.EXE
4012	PerceptionSimulationService.exe
4568	perfhost.exe
1324	locator.exe
4080	SensorDataService.exe
956	snmptrap.exe
1672	spectrum.exe
4436	ssh-agent.exe
4412	TieringEngineService.exe
1880	AgentService.exe
312	vds.exe
3196	vssvc.exe
3492	wbengine.exe
3132	WmiApSrv.exe
3684	SearchIndexer.exe
5592	chrmstp.exe
5700	chrmstp.exe
5832	chrmstp.exe
5944	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c05c66e1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045c0068d1cc3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000224c4f8b1cc3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000baf36f8b1cc3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000727e0f8e1cc3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4928b8b1cc3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a376038b1cc3da01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
2660	chrome.exe
2660	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3000	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
Token: SeTakeOwnershipPrivilege	3896	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
Token: SeAuditPrivilege	4828	fxssvc.exe
Token: SeRestorePrivilege	4412	TieringEngineService.exe
Token: SeManageVolumePrivilege	4412	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1880	AgentService.exe
Token: SeBackupPrivilege	3196	vssvc.exe
Token: SeRestorePrivilege	3196	vssvc.exe
Token: SeAuditPrivilege	3196	vssvc.exe
Token: SeBackupPrivilege	3492	wbengine.exe
Token: SeRestorePrivilege	3492	wbengine.exe
Token: SeSecurityPrivilege	3492	wbengine.exe
Token: 33	3684	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
5832	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3896	3000	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe	81
PID 3000 wrote to memory of 3896	3000	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe	81
PID 3000 wrote to memory of 2408	3000	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe	82
PID 3000 wrote to memory of 2408	3000	2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe	82
PID 2408 wrote to memory of 316	2408	chrome.exe	83
PID 2408 wrote to memory of 316	2408	chrome.exe	83
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2228	2408	chrome.exe	110
PID 2408 wrote to memory of 2544	2408	chrome.exe	111
PID 2408 wrote to memory of 2544	2408	chrome.exe	111
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112
PID 2408 wrote to memory of 4424	2408	chrome.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef941ab58,0x7ffef941ab68,0x7ffef941ab78
    3⤵
    PID:316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:2
    3⤵
    PID:2228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:8
    3⤵
    PID:2544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:8
    3⤵
    PID:4424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:1
    3⤵
    PID:4496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:1
    3⤵
    PID:2072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:1
    3⤵
    PID:4992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:8
    3⤵
    PID:5524
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5592
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5700
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5832
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:8
    3⤵
    PID:5732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2464 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2660

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3760

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3580

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:988

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:680

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4080

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:956

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1672

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3280

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3684
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5228
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a073d35aca36131f0654ddbf1a6476f8

SHA1
0cdab97e230c21df5eb55f90da93e24071347b32

SHA256
8866badf391265c76f3192771700506461cfea1ef30a02d2f5d490f95b0bcfe3

SHA512
81be6368e1173b85d080bd63ade98e716e8d216af9fba547b12ac322886031764801f6b42f40a78df23abbe119d5c9aa7b525eed5464b5825074187a6ee20954

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7eb3a2be2bc13136a15bf2b72031f255

SHA1
57399abbddb48c8cd1f1985a45a2085eb2c843c8

SHA256
1022971ac7215392c6090240b2b919ac35b009b974ed441adcb41474e9bb760e

SHA512
6b76358c1e16b58a895e4dd3e7a4c009b9ad0639d99d88627158e59c7da62ce5c8f31acf2de3b1c174acab4aab0c72e5cf8e79521ab644aa6f2ad51fc6ccf353

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3dacc1c8ebf907a07c19b0f4a7cf6b98

SHA1
21cc285f1e1ca9544c617389aaf0434d35f636cc

SHA256
3b536b0bf97a776ef9e82945df16012d104216a6beb1e42fb0a66d76a3cbb0b5

SHA512
41486cf254efaf6b7336fb7f58c43051c278fab1f3a043118b8d9d8c0a61b7f8b5e87fc3626a6b014259dca604d28f3a7455e16fcd3e2d44599f0a75360cedc5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
96fa4df8652bd2126f2c4203d6a781ef

SHA1
a95755fa4a83ab502c2793c811c6e452473b8d36

SHA256
dd02487395ed221071245e173a7834e49db7d3e1959bf8fa802a7db8dec46246

SHA512
66838d801853de67de3d2fe02c9b18c2c6d59ab62b0b817de3cd861d7d4c7052486eb4456d3050797eb40a9fbc219560924d5432a0af11c6fbbb00c5cd1f7275

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5946370e53d156ed7bd48afda3a7f1dd

SHA1
aeaf9eac9ec2cc7ea7a573dec0c608fd3bf5c647

SHA256
6633616c707d28ed53ba65ce5837f9b365296f3075114d45b241dec21c3f0f5f

SHA512
1d5faf42ce7d250ab7f6a13285cbf02daf099849f6a4f3561c03d50e4f9b782897164037a677131caf80ee0d888aeb48e66100b46c913a8afa3b80cee5feecbd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
586a4024b69fc8993eb826c90b674ad7

SHA1
7ea8eab73a8e2ce30f78b4f03fd5ccb17bb43eed

SHA256
f70b3a2d7dc2319cf16b6d031aac15499804c2b91d1fac070187807405a7b894

SHA512
e7a4df8b2cee6e1cb790c27c3e58b2b722cfc9aaa88bc1383e821d2cfcf873ed5a8972c3761ca36e4a282574abdc2a19ad583aebfaa6d8acdb0617e329d5d063

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ddfff103fbeac75408a62ca32ddab118

SHA1
18cafc69f4df4a7d71687079068e367ea205ca46

SHA256
d9b8152c69bbed429b7ae01aabf2f4553cc43c9e87fee986edb0322661c481d7

SHA512
2c29ad482a70012c7db628713ce33ab7533812b18d81e29f70a230a54ad6f2170924f29697ec6a1d0ddfe50d8fd1308ff705503e7d41baf1d5b4e9ebae0f82fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e6cf574e15e94eeb00603fad0079cb83

SHA1
3b5a9b3b2670dde8d281aec2ecf87e13289aea9b

SHA256
f4bfc1864848fbd18f33446b704d018d9db2552a0193f3f2c46cacced4cb5e5c

SHA512
68b5574ffb9d8a68138d5c9f7352ab544d13f7dc0d1834bd3a5faa1d9656db6cf71aa9e7f52e6335b1e3db1a4c94fbd3f23e203a8b3f8befe6bfbe30ca00b383

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6d85dc8a4aa4d4d6fe94103549827b2f

SHA1
5baac50c97dade510ff4a6860717b7ea627dd8a7

SHA256
0955c70432951176817b6447f12df62fd018714c9049d4bd45667b8c894ae2f3

SHA512
c55a739e47a1c34a21f135c055bbbeeffd061395d04abab52652126c91514922a7b55cc4dd4d8c1ccdaa51a49c64578ebd1a6dc2200aba6ac7d87a3986163896

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
77fcf8de94be240d2be197e38ed0bb2e

SHA1
baf8f02ad44263dce5cfed33ace2a5ef6b46ffbf

SHA256
dd769c3e954b0430acabaaf15d427704d37b15a8ec9377be8bcc18748ff59787

SHA512
685c3ffa64069df0859502206694cbef20114688e36ef9772a78fe20ee1d1607e19868b85a5e3283774509921bac03474ab9b91cde3190aaeba10795ca305b6a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
966a836872a7b4aea64c61bbc5d0123c

SHA1
ed7df9f8ef2343ca0747a0eee44a1e779b2d68e5

SHA256
82aaea7feae950ba0ac591d9864447af757f8f0cf8bf7d0f58c040e903ef4d4f

SHA512
c8a6863cc31a798986988389cdeaa8509b35d4569eb049ca100def1197a26eed78aa3acd6ba7f8c777801810604dcf901054ddc5972abe445214fb3077c952de

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cb8ffaa214dc00c480c0517599d164c4

SHA1
952947757d79345fd5ef1ca81ab0f40d1b1e8f3d

SHA256
e23af8ea064a58396269311db38d58f6ca26e15c1719fd6cd46fab46e03f53b3

SHA512
a88b50656325dabd3e3716dbe5a74ef7f31fda2d9abff2f546bfd694c03cf1bbdb3d24e66df792c6a9feec6662559e65eac4b78bd71ae56a6b0b591dc44cd3b1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cd697ba394d4ffa548420968e23dfba3

SHA1
03994274e3780f4fa1c76d16f7978bd1c523eff4

SHA256
4b669cdaf98b0cc4ce3d7421c6788f980759ce1074e1660b761a79f40776908b

SHA512
562dfe819d5c8130cdc2c7cf9686cc2445cc2df6be69b197db15dfb47acb474b989dfe7d44d9427f9048ddc836360f63008a537fb4eedfb8e9d7a7477502f4bb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
250c1d9ef57a34480c988a045248feb5

SHA1
d23eef476d3fd9a55072c292c0e76e31f0f5d3b5

SHA256
be267a1cabf70a8b97fd0c068dc8c3c9a9cb063505dc9cb9534dd2975b4f2dca

SHA512
157e1bfb2fd19634d19fbc1b1d5cc6baa8b4ca0ce5b2b70a8a3a2b7f80bfdb93d54782a7bf6dd5ba951d93819c9b14bf2b29358577fc451a3b15d3940d3df585

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
65cd38b6f85659f9056765b2445415b5

SHA1
eba8b5e85720a756146c36fd30e3aa4f0e7ec89d

SHA256
8770e6b3129df2b30cb00ab55c2ff568cd003961749875036d39917ccdf0cfa6

SHA512
fd694bf6ca9711620d55549980a2fae1a269f074e4954abebfbf47324da09d7a54fd826351cc02984dfa10769d0aeabd26c42391cda869e66fbdeaa0b2bb840a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9a22a82133b3d027549d6311d90204a6

SHA1
21a71e8201894e81bc49702845b7e368fcfb13da

SHA256
f58367c6bdd34e505936b14ee0369ed9582f9232f9e0fbdd79fb5fcf7843ab13

SHA512
6e5e72150748d582ac3e78de28e5d3af08fc2b21c9434aad7388b368ed9f562778ceba3f7aa8555026c009faab90b992ec5d8ad5395d8d5884f0a6e0956c794e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ef55ea5f803d81dee3e4943ef87a2457

SHA1
efff6bb9ed3c90f57ee1898629ae49dd32c03cb7

SHA256
d501d62941b91018c3694ba61920e81c2e07217e1e786e17e39a495e97dea1d5

SHA512
52ba6a123637d49e9e6c4dacb0947ef0e81d2aa5e4ec66e316635a2157e6f7203fcafef113bdbedd39177baffa019b231e7da17157a65a9050e89ae5790e67f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e678df3b4ce8357434fc7d9c8956ca80

SHA1
f8736db17581a319c7847d09de0191d2e37aa1cb

SHA256
905e984f81610d4bac38919fdfe3e1068752817466a44d832daebdef4cbcfe4c

SHA512
405770669d942448509534f305ac89f9505c8afc4570b4f4c5ab0cdee582aa6258edf3bdb397ab6ca4c8684ac850d0daa5867c40909850181500855b63a1eceb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5f10759036081081b2562fee1e82f3a1

SHA1
956cac8fd3206ec46f458bb62ffd335605c6355b

SHA256
a1164810da4fe02c65f2cf195fd22db10ea129c916efd304c72b6b981314f992

SHA512
603b19f308c39f9e0b66f1878595face82ab1dda53d81423f0c931280c9356b548db1d497e42ca652a1d241a69b3b69c76b2b3031bf84232149b87da04a42cb9

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\9e39448b-01e9-4065-a7bc-36aa3cb38f26.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4d20ac8c27135675edeee670e9165c22

SHA1
b5fa3bc52097fdec03709bc82c99ce377bd49a97

SHA256
cf03d1281922b4206318cfa79aab504ee7b004e6235a79ad94f97a14609a4176

SHA512
4b07f6099ee4f7d0887319ce2ace74c3d95d90400b013cc7ef3a0e06fc9a108012bf54ecde2a5dd605fcc29d5f5de718bc233f94b18db295c1fa3dbb0bccf365

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e46e3f57ffe89de0061f28616c63e252

SHA1
6ff63bacb466ce74a6ab8be65d5e7515ed604b9d

SHA256
d18dad09534194a6aef28ea967af0677794013a873dbbb708483bcf7bb45f911

SHA512
6721ef69978a658182fb493b81327b4067a5869baed20d5a6d356a9f5aa8e626f01ce83280632420b1ed9283c6a96a289a0f27b0467315c37a02a67b9345a32f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e7b0143374dbf1c38eb43f6c32c5b855

SHA1
6a60fce8d7d7f197da9786f1d94e31add6808f24

SHA256
9c70ad0657a52ce62ae2d0845170e26591c95dc832af9b454687bfe5ba090078

SHA512
8b14fa4b491916810c66d966292f408bf8b8a0aceea284be82cda4777ffcdd9a292e923b4cf51576780f37616f925b19895cb2cf6b642a62531037b9726f4e38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ad3bad05b87d214ffa63b0a27a29c27d

SHA1
c75bb3f0cdd32aaed47ca9bc3773d16490b33c8d

SHA256
31dadbfa3589dab05ca24b1ab72e8e95c073ea69ba6cb4c6f21b8a439deb8dd7

SHA512
06fbe4b7b21286218396d82a2cd9e5ddfff758fb9c2d5473d90cff0bfa6b2d9ab790099573dfa7a9f1266275ecf61287f2a3d4470010774171c7d043bbab178c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8cce3f25dc2012ce656e2ac26e607d19

SHA1
56f23eeeb36c4d3d56199723ab14d5d7ee0f7384

SHA256
c338395490259a8ba1013b6b5743590ee6a6514b98bc4c3fb3a4f729797f07f9

SHA512
627fe50019599a26940ef56c213ee89edc1dbac0939bbad051a33506e706880e6d9ea52a900d74509bc993e9f4f875832896a922da4101976b3c6c2cf08bd2fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5770cb.TMP

Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
7bfe86cee54673a4315b8f248f9505d6

SHA1
1413684e7d218940bd9e7f92a9fcceb6c1750aa1

SHA256
910a75f64426b0f325d1e904f6164d587f963516124e89a39822a30519af6159

SHA512
99363e0b14b21f1b3b5d7a70502703af67d887eabdcd786c0de4360ea7cf1ac44fa5f0b824c62fa383ac238c276eaca3de1c6a2dc8f9f00822042b50856080d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
754e59a6a3ecf81817ffe99d005ceaa8

SHA1
19053f20670238521bd629204eefae51b784eb0b

SHA256
4e0ba3594f7505efa4b64dc6e5e9435d0e789ec8b173bc9c74b070d655aa6555

SHA512
4eebb376cdfc8f346b1f4413a62f34c20c0739c26d2295d9f027f3c2b5814a73855874be70419438e0ae0edbebbbdd3b76aee2f02e92b3460ff1a953bf1be115

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
6ec4a2368120edb226d3f20664f98b60

SHA1
64c10921125065c05ea104ef5934547a17533c22

SHA256
ec16c8aa8d2f1f230a8b3d83057d7ad2640c9edd8abae8d8e4e3f12aa447f9f7

SHA512
03b8d310d285ab3d73318750739d54429ef619d37cc8d073c0a1de7b0129daf88312a26d05043f2d229922119f75de3a9b74126465e6c814ea434161fe20c9d2

Download Submit
C:\Users\Admin\AppData\Roaming\c05c66e1ed82f9f.bin

Filesize
12KB

MD5
977cec20ad8a3cb23177224e05fcabd2

SHA1
ebc955f161454855a1cd5fe9d54f367bbfc32ac6

SHA256
7beb674f45600a9a21fafcbafbc94d4e2e24f957760a70f29c50e406050b3d66

SHA512
1338dd681cb2cea9687448e1b1739bd88f2aaf269b298503318927a4ba616e2567c8d06d83bcd03a8804c65b8d3b0c67ecdf2c0b9afba5b1b21fb58e38835e21

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
235cb49dbc9df5c70e7400bae3f5219f

SHA1
8676aee817448ba1520f39d06c8aa2c015b3cf63

SHA256
c76555c5e47509204b15fec879d9b7d237dd2edc3e6ae34917ae1a8b46d4eacd

SHA512
a7103f9830b00fa319c862096a657980b24ceb0a43010a40dd4aaf736e6f65e4113bb05a33489391ae6c3defb4c5517b85607e08dae96535cb8268f02c80de11

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8311feb066064dde1734633baaa79b75

SHA1
3e5aa135cb49a89b46adf7350ce881d36ebddee2

SHA256
6739f3f95c711586945c17ff71001a116ff064cbea4addfde478b735dd1448b4

SHA512
06ad1e80fd5daaecce439a8c69ce8ea2d4504ac7485c642da23185be56337fd4de8cb98257759deae5864c1bd17d28356befff99ede04af07b20ef2e9bfd1f62

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
41922c404658383cfa596652b83ad913

SHA1
66e4609e755fb5365365b1d2e62a985c03f4cb53

SHA256
6e86f3bc32c89407a615ed20f96e42577f766e978fc538183256070b92096a4a

SHA512
b1d94eb8f383f341a157f79922e98466bc2a9c72b8979bbd18f388614dda0f227e7cb2eff446f2b1340358d4ca16ebcbdb99d2584115d1f021d6e3ebb075294b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
065294fcf05010b8400c9494bf28570e

SHA1
86c46c0938416e6ace267983fe5d34a9e8a0c4a6

SHA256
42978ea0ba278a51b42a0341f9f8f6e9948ff69a2fa1ecbb6d8697f01d7d5443

SHA512
7b491d0b2ff83823bd7ef55ff2927e41c14a90dedcfb279522025eaa61a8e461bda7c739079259b25d1e85800b08ff400ffea36af11d425c1b0cc3a8b2f5a80d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a3e873ab9958be26897564b4ad5d43a5

SHA1
5e5c5cc6a4be0467d8c37d141727938a707583cc

SHA256
db676673aba72f13c7aa333336ab684d71250d39c3eb7629addb906963a24763

SHA512
77550832d59de6cf7e7ae6fd94760d533dbfff11f30cd5fb5197722c64c5781c220226cffe6126564791e38d55b34fb4a84999c6173bd2d19818874fc7c206e8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
fa307d405c9914d67db596a88f4de78a

SHA1
cfa160af370f4e45cd7352c01a79cd0ee4ab4ad6

SHA256
3e3a9133df74e44dc37ec7879ed297bb1b6d2f97b452ae127f7f0ce4e909c028

SHA512
c106f352a3b452f3dba0d741e02569cf5a7ad51119a1e200bc7179a5bde9901e2936724f018828e562131582bcf75a21f04978c7daf132e4863db8d5b80767fb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0eb68f021ce98897ec67452b52b9ba68

SHA1
33b94a8ba82ec606fa044f6ced72f466a976f90f

SHA256
007a87dd67956a388144039973dc5d629113fe32ae30446b0b0a48af942e2b60

SHA512
49862eb45e38d0c699ac92604af4c83a1b7937abcee1ff003ba267c40c565ade44940e0673e069e90ba3121430d0dab89e8b890c2a954ccd2d47d5d7056112b3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d3e36b2ff4d5e4f056c499b6972ec1c8

SHA1
eee3070f9d1ad5b893454c8b8db4f8f4c86277f0

SHA256
7551030627598246e26cdb3ef7d5b0706c31ac231acb1c2c839c41641e3ecc81

SHA512
cebef7a12ec07780a73ce1abd0849e1c2ca416a17287fda46969819d634eaad0f4367932ffe782b1f9f59abc05a3dc52a6c26939eb68abd9e37efbaca6086d89

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1bda5d60326e4ce800f38e1d866124e7

SHA1
9947f6ed50a407eb57631e8f06a906ee09b30ccc

SHA256
23a30f278bc0e2301435192f74def534593979d7f215bda795597fe0ad37492b

SHA512
0c6a40547d0b64f41e40f54dfe84c80e110779e4404d1c60d3b2746140fad30b886681c010e3ab36cd1fbae9a1e02011e071d9d16b1484b20980bb700f68b8a7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
59de6dc432652be0be71a331e25819ad

SHA1
ff4e6ae5546e9a39ed5a2b41523a52391bebe40d

SHA256
212911a4b7b7442abdbdeca35ca02e6b0358d5624ecf40326479d4d925387e7c

SHA512
07e06c061675e4001dedec34916b4cd4a28535a5cd3fc398f10bae023a1ff05c49ddd214cc118f8a23e98006f59757142b9e96d92351972dfac9d8133c75bd71

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ccb166770928a3705de96f84d812b7c6

SHA1
aa09ec3275402407333200d6f0b6cd07cc615446

SHA256
2e9bd6aee30c3326794a5047673be3a8461934fdab9cdedb6d6c3a386602a239

SHA512
054ac6599704d775155da39b2e10ee0a40492bf3dd26fbcb0e263cec6af1e9e8e854b0ca1d6c253f16fd11a92e0d2ec912769a8b9a9dae5994570482cb78d99d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4f545cf90963d8cc6135988785be864b

SHA1
734e7e6eb90c8341ed5580f339b476dbc0bfd12a

SHA256
bf9c0c299fc0d38e61bfca5c2f7bd4eb1145017c45369b509ffe83b51b747fec

SHA512
339429ca24a7e73a9bb757f77ff9d4d237fafa149dbcf4b02992f5f52cc9db7b3e1dff186a36f54dbb11eabca4c55084fc21f4a9c80eaa3c703ba6550ee5c398

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0d221de66baba4c7ef06ce86cd73b386

SHA1
b4967df125cc967bbc77745732f4d0078dec3414

SHA256
f0eccff457ee14b9f66b0558a4a3b6d0b1d25d546005b0440e437f3dde5ee6d0

SHA512
17e596e99e724ef37046968a0f1cd77f49a4f5738b70ee3be4e959d521256144974268f2ca9d7b3efd6c330b20b5d6bdced006d29bd4d31a0bfa9f7318356053

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4958a4d22975e26342aa7c3d1f206afd

SHA1
223b35220b0c7a2ffcf9c68927f7bc39711cb8a1

SHA256
316ef79470aa92e9eeee15992175e5e74d64d7d8ec3c37aeb8a287b4bb0f78a0

SHA512
001a79b588771272906c89fbd70480bbe22ab00e1edd68790ff39dbd101f55a47643df02aa513d0709aef81b108e9da98f0e3c245f49b814e5d1f07892417a8f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7309c32722a7570149a3e396a2918669

SHA1
399b20245bc237395a8e63d8f61b561f1a2af421

SHA256
7976c75ccc05f53a76ebdc63e8e8254e59a33417e62a35db40debee69a3e48e7

SHA512
22787e4e8f3e8e6a6977e389426c10f911a1c67229a1a6e4fee1197be07cafdd7e9d6168af7137fcf29d286bf8699bd1dc4fbcc2816499498c3de2f88c47a029

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0025a9b27d284b9fd7d93386a5a60fdf

SHA1
afbf24fd31f1d9fddfb5e49956732735432a9e30

SHA256
514104341f0926929f6b260dc4bf549f33958ef8dd840c1cfdbcf1a2b5ef3b1e

SHA512
35d43ab39e41d7dcdd016d4498bacb91c823b7252b32f301b9d27d16aad92f9df1050ca25f500767ead7e825ed9352a0b14df7ea11c62237048e4d20da46f1f6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
33e40e384f50fd56fef750617a64e2a9

SHA1
27c28fd9aea52677172351c60762193ba355f8fe

SHA256
680beef399ee673eed9751aca110aa3c5b63528c218e24e410fe45cd5de5dc28

SHA512
acbba2416112ddd2ed653a22fdb791f38d2de3710a77f917070cd93c490802b5c0901287cf246e4ae244b677c76fb674f5e788bec39dc3e3fe1abc1464206322

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
78654e16044b49cf19c5fb2a56daed8c

SHA1
3a17e8716d104ce8d647f8b375ef2d6e43784d80

SHA256
2f1f63d5a33e93a34bcf86ea34e4875bc81ac93350c7c022b3b81248e363936a

SHA512
48d144038e6e12269ddd8d5fa699cba3a918c0059355656c22e275cd5e1efbb35dab7fb8d41f0f7e0a8fa8675501cd4ef9beaf823f85b36d8f9b2f4e6076169a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f30fb61e842a15107992c212646ea582

SHA1
8427084b3847d2bfcce80fcd873f6381481bd169

SHA256
aba7d3240898bce7157008059906bac4152f1c113f55373298a5d1b83c785444

SHA512
af25dffcead57e860e680cdb76ccf724f637b9df34720b8f6555e2e99ceb251b8fd5ad442e61abe34c6fb57282ddd71670e20658c9936874c49a13e385fbb76d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6da436ccabb71ce91db5b3f4327ec958

SHA1
10cdb339174e41bf1e90b8685a2809525adab566

SHA256
c0cda542cad056a7307aa84e4e6a43f7cd476408d44be485dac6c3fd26d758fd

SHA512
e7cce07b8b7ec73214660c6a693c399073cbf0022e4765f892e63be7516a8dbb1e431b11359c20f524b78a0c7e72a8e1cdc39793936a497626d6465c351b0bd0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
8db5a4d090dff4ec2fbc05c1b3cd9bb2

SHA1
744eb48945c861a4008064779d092dcd0850f14e

SHA256
b2518dfd15e85f212d73ebf197f32a6d42d8cc9c5f8497677775e8c7c3e2c6ef

SHA512
20c88f00a09b57eccfbd0bde78d7d880b0b6726c017a981e350ab26cb88cd42e994a8e93833ef8cb911b983dff84c7442160b15610e5fccd40028be2b4155b37

Download Submit
memory/312-285-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/680-273-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/956-281-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/988-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/988-91-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1324-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1672-282-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1880-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2772-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2772-275-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-694-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3000-9-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3000-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3000-25-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3000-0-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3132-288-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3132-695-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3196-286-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3492-287-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3684-289-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3684-696-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3760-42-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3760-39-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3760-33-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3760-671-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3896-538-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3896-18-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3896-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3896-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4012-277-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4080-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4080-624-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4088-276-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4412-284-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4436-283-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4468-68-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4468-454-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4468-274-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4468-74-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4548-44-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4548-53-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4548-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4568-278-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4828-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4828-62-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/4828-56-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/4828-89-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4828-87-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/5592-513-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5592-617-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5700-525-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5700-697-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5832-549-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5832-606-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5944-551-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5944-698-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download