a67d1ca68c25e22703335ab60bd5694670d7d60d3a9794d568b8cad061a4dda2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
Size

4.6MB
MD5

5aa029f64555c66380eb1b9e957b6692
SHA1

63e60460cc6b66742dbe4a58aa0eb687ffd14ce2
SHA256

a67d1ca68c25e22703335ab60bd5694670d7d60d3a9794d568b8cad061a4dda2
SHA512

e9b26edae0590dd22561526c95443418bd0f2ecd754f65cbc0341159ba5460ec1ba342720c30ae03f2bbc094b3ae9c7271047d48103b4b9a7ef53134fecebfb0
SSDEEP

49152:KndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAG9:A2D8siFIIm3Gob5iE2ehgL5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1672	alg.exe
1052	DiagnosticsHub.StandardCollector.Service.exe
3996	fxssvc.exe
2036	elevation_service.exe
2124	elevation_service.exe
688	maintenanceservice.exe
4528	msdtc.exe
976	OSE.EXE
2384	PerceptionSimulationService.exe
1632	perfhost.exe
4428	locator.exe
3344	SensorDataService.exe
4880	snmptrap.exe
2480	spectrum.exe
336	ssh-agent.exe
3000	TieringEngineService.exe
2872	AgentService.exe
2288	vds.exe
544	vssvc.exe
1644	wbengine.exe
316	WmiApSrv.exe
5128	SearchIndexer.exe
5980	chrmstp.exe
6028	chrmstp.exe
5096	chrmstp.exe
5228	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\84319ab54bebce60.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bedb1bdc12cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a4c72dd12cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000196344dc12cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3dcfcdb12cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f29e3fdc12cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
5040	chrome.exe
5040	chrome.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
4700	chrome.exe
4700	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	404	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
Token: SeTakeOwnershipPrivilege	2160	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
Token: SeAuditPrivilege	3996	fxssvc.exe
Token: SeRestorePrivilege	3000	TieringEngineService.exe
Token: SeManageVolumePrivilege	3000	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2872	AgentService.exe
Token: SeBackupPrivilege	544	vssvc.exe
Token: SeRestorePrivilege	544	vssvc.exe
Token: SeAuditPrivilege	544	vssvc.exe
Token: SeBackupPrivilege	1644	wbengine.exe
Token: SeRestorePrivilege	1644	wbengine.exe
Token: SeSecurityPrivilege	1644	wbengine.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: 33	5128	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe
Token: SeShutdownPrivilege	5040	chrome.exe
Token: SeCreatePagefilePrivilege	5040	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5040	chrome.exe
5040	chrome.exe
5040	chrome.exe
5096	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 2160	404	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe	82
PID 404 wrote to memory of 2160	404	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe	82
PID 404 wrote to memory of 5040	404	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe	83
PID 404 wrote to memory of 5040	404	2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe	83
PID 5040 wrote to memory of 3444	5040	chrome.exe	85
PID 5040 wrote to memory of 3444	5040	chrome.exe	85
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 3964	5040	chrome.exe	105
PID 5040 wrote to memory of 1032	5040	chrome.exe	106
PID 5040 wrote to memory of 1032	5040	chrome.exe	106
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107
PID 5040 wrote to memory of 776	5040	chrome.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\AppData\Local\Temp\2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-30_5aa029f64555c66380eb1b9e957b6692_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b1a9ab58,0x7ff9b1a9ab68,0x7ff9b1a9ab78
    3⤵
    PID:3444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1868,i,6782701188733430037,1111973453961963701,131072 /prefetch:2
    3⤵
    PID:3964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1868,i,6782701188733430037,1111973453961963701,131072 /prefetch:8
    3⤵
    PID:1032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1868,i,6782701188733430037,1111973453961963701,131072 /prefetch:8
    3⤵
    PID:776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1868,i,6782701188733430037,1111973453961963701,131072 /prefetch:1
    3⤵
    PID:4844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1868,i,6782701188733430037,1111973453961963701,131072 /prefetch:1
    3⤵
    PID:468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=1868,i,6782701188733430037,1111973453961963701,131072 /prefetch:1
    3⤵
    PID:5284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1868,i,6782701188733430037,1111973453961963701,131072 /prefetch:8
    3⤵
    PID:4332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1868,i,6782701188733430037,1111973453961963701,131072 /prefetch:8
    3⤵
    PID:5384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 --field-trial-handle=1868,i,6782701188733430037,1111973453961963701,131072 /prefetch:8
    3⤵
    PID:5784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1868,i,6782701188733430037,1111973453961963701,131072 /prefetch:8
    3⤵
    PID:5872
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5980
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6028
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5096
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x1d0,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1868,i,6782701188733430037,1111973453961963701,131072 /prefetch:8
    3⤵
    PID:5496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1868,i,6782701188733430037,1111973453961963701,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4700

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1672

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2244

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2124

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:688

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4528

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:976

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3344

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2480

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:336

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4524

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5128
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5236
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4f10107e7c57ce8100e6e931ed1f4c3b

SHA1
191b3eb5186532e650902e4e72922bbd5304dfd2

SHA256
07a590fe8a31842e910f95e8f1b29c6f7d66ee9cf5aef6e61241fab7836b48fd

SHA512
769e9c89d89c1be1b98ab8dd7eae6485350e4daf4477192bb3b05a13937f70a3592a51fa2315624516d5d6ded4ef6d5010cdf434878cb688da02ef6a9cb9f338

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
46680539f0658a0a40c070e7d19453e8

SHA1
6501448a6e49aa9f93dec73e0b890e9a746212a0

SHA256
a3901b22c1c801ba20f76d91e00c6c1d8b8d52738afed06c709524a32f9d8019

SHA512
df2685c60ea1b6c9afdff2cc7c36f177c4e4a53504d8356f351c508b7b9381f7e9785c7690876b3ee076096d349665a0eeb315b9d525179b7597e08598f472dd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
26b11f62fd70c36775025871a7f13891

SHA1
3409b718c649f91d19069629e03fa69bd39d6215

SHA256
8e9761834b40cffc947b8735697c16bd67e3bc96f3da5b22af772d0049223f7a

SHA512
798a9dbb1569584a6967bc9b9993d36514e01c8acdb71b670192c25ed173e2781ab0dd862d4004798f31a0cc864f507c2347d7f02fc16088c62bd7c425cbe135

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6b889111286fff589844fa06d4c508b2

SHA1
d2f737f496b3f551659a0aa09e378c249a0cbe67

SHA256
cbb22bea3142f6c88cb22022117c0c6c0e58facb960fbebef1e85d544ffd30b2

SHA512
54be8aa77ddc6d0601e88bf1dd533dad59cbe76a710335d7f4a93721d7987802cddab5bfd26bffed6317b2afcf7a7beb7b1f7a562871e4d915f0863f2516f46a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
df78a0df424757c0689b06c5c42bca51

SHA1
c5421cd7d13d1d5317ca6e995f7c999627b3a71d

SHA256
7bf7577b57a043f563176b4b50e9b0da7fb99dd6a03a3d72af92b2c89d8f0270

SHA512
0ec885453634a4b0b70fa2f444ec8add396f1af8955434f75a251775d9d6787647bd0e5c868e77a841d10a627a25e54b27417a3fe426359c39073dd6e8950cde

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
77659ca32ce667cb04fe382f735dd170

SHA1
81af20cde62da895804502ff1a5ac1c637ec68d6

SHA256
b59042b1007df0bb45a91da8828f99eaf1c745144bbc04585c463a163e30dab5

SHA512
3ef23ba7369908a4c8c62d244761dd88165c64259199b9eb0181cf2c26d986866e3bdb9b0d8ec42c15384ee1b179dfd14c14d5d98101a688891e05ad3d364b7e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5246b65335a915a37a70f7feaa3fef03

SHA1
c3d5940b844c465d8756169b1c54beeaf1dc2c5d

SHA256
53a1226542d3b03d795ad300e07d90f3a360e2ef16c5e89355ed3a5d0bafd985

SHA512
16f01bc1c0ebc48e7d7a9f3fbb5ac4f41aa3c2bef21c6defd82a6fa125d50216f43be93e1598ce819f311212f6c62c1434aa4598cc8607a2def2332b6db869e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
642fcfa6d36ce6e19a9caf0bd8230fca

SHA1
4e4f19caa7fd9b7030efe1e01a32f7fd1d615eb9

SHA256
68dd3ecf7b7926d86fcc9cffca0cba37838de18c88089e2c1b084bc51414e9eb

SHA512
b70c1952ab5788209b56029df2d9080a2f4bfd9b1d948fded7eb923b60d8fdbe4fd128dc17d619014477d51f876e76571a1d65e364a59337b572b052c8b1537a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8f15ead64f54ae58cb4a05bbc9cf0464

SHA1
e79e1bce430d509212bed77cc3bcc6c9b8687566

SHA256
965ceaca80cb56d1cc7ca38bbd23c6a91b3183a92d16d2714a982776ae99596c

SHA512
c7914c4d2b2d20db06bdfbd65e9491cb29b66972d0de287d315bd37b36965d09e21a977bd52d9c59e9fe8e79e2446f00d7853381ade9b286a6d511b4c6b83e2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a93d53ddaf70fc54b22c97c144432a0d

SHA1
7dea378f509a514c3d7ae78cc73f40606b940abd

SHA256
ddb06d04cceb8b0cd81b0eac7a51ee2d8c18cb258c26f0cd880daaa346ffbeb8

SHA512
5a81e5da9e37e2f9b596a5c24d6053925fd020fcb17ac92c0e8fda062e4a46e9637dcf05cb6d9f724f35946940afa7d8fdf01071edd2bad3a3d542b5884125d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
219531d724d08ccdebe15a42a641def4

SHA1
503b1bde0ef51edddbb8955ef9c1e883c000690f

SHA256
0613525bb32820c86a9ee1ad04e9f33830cde431e6c43fba5e503b7cbfe73579

SHA512
1f85560d10ed8d80d465b1441004ff15cfb288453a6f6cfa2a2cc8f13e2abf6459b2376ba224dbc31a7bb3d0d502c9b967e5b8e5734b027c97ae331e614d0fec

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1fc46d08288252fedab5797b849fef4c

SHA1
88bb1a2bed3ef28ba25e8fd8550073f4ee29e2a0

SHA256
aaa16a21058f717cfea8c041b21c673671f21ad73d508ea731cd4c8c460acd30

SHA512
1ad193a19fbd24aa792e503e91ad11471ba9bf0b9c95dae477b3ee09c977952de200256b8d8054edab681fc4931dd5a1014ab67beac243d39e742aca793a7ad2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
2134b6fcb2efc39e984aab7cbab72513

SHA1
b0cfdf1ecdac088387bb18177532b7674973c098

SHA256
87cc77cdabf0882278cc83658b2a82c3e0752ad8592e67f22ed7a0895eed76b5

SHA512
4556328839765afe50b8e7effcb48c1354c482083968813713e3db3612eb6dcfa2c249799f2b77e4d217d1870f00c49a86a02512f3e9b13740654b5c5b4c8f65

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c7f74235a5e1316ee2c762535510c422

SHA1
e15e3dec883935cbc81a1b1446c409ca11275738

SHA256
439ad66feaa6cb46754c8ae59a9ef6dac0e1e3ca97fffaa7d8a57545b8a776f1

SHA512
a751999e719d08bb02f2434d5dab6f5df6ec92c799fc04692d71466ab13a3d2ccd2ddff4ddc7203b5494ddd8903f34b39422cbb22ddf237b058e54e6efea4cc6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b531af0ca99d260e6e0b8ba5e92f8e68

SHA1
66356b75f71148f4e8b0b5956f0a9f31cb9449b8

SHA256
5de99f373bc3b432b1193ecc2e60ab53cd0d42f429efea95b5b6c659dc8b8392

SHA512
107db5be91dbdcb2eb8227ca7965e4e4cc64f7bcc9e963a1b35cbbcb7b642cba60b194f6bb0a1fc38ffac88ecb26d2e0ea291a417bcbfde7a900eefbbcaa76ac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2e9b75dfb4d272e7dd99cf0a7b15f5c4

SHA1
339e8c5f5aedacbaa5f669c2ce20017f708b8b32

SHA256
5d65538b112624c3f012bc88dbfda51c30fba9e51e5c162c4cabdb68d65aacdf

SHA512
94750e5e0a2c6632204462da56147150957fc53c276b24f99d566f2e022be23f63d169147e7e65f888a06b8dc11bbd421f852ed54e34bff7a1272e849f15c21d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\faa60aee-ee00-457d-9be1-c37cbb8f92ac.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6add99136c43f270fb09e7ec1ee0f4c4

SHA1
974c82bf0bfd1f544bc6360219e5cff036ef061e

SHA256
31824988566d0d1a633330c8b694dcb33038ef48097a1b3793cdc73c4c1e54e4

SHA512
fb6787ac2da54e754f09b0158f91ac1bb7f03930c6a28ac9d5fdab3f5dfead54ea0c68a8cbe3ab856cae6c1ae017dcc4e0556aaa93e7812062687254ec23f212

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a4222d518ce481b6dd9e6d2f3ef26ab8

SHA1
6694137e560632989b19ec9e550112c44554ada6

SHA256
5573d7d1f998aeafc2788e90e03d0594c2c79a518b2871db8c11a078efc21172

SHA512
73f26eb8f69a6f0b39c2cc93cff5b427fbe8e1b76d9274bfe30ba321d3e8a0b0c121007d4aa7d740ca04a709cd5db17b86d4c293bc0b9041d3468ed773f7b144

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
12b83e989851738f4289adcc37d5023b

SHA1
dae4ffd3ea26a44812a491b93fa1cc360c63ff12

SHA256
0671e614cf8e13a6f5c0785637d353773dbbf4c3e127fb463ce099c79c8f5950

SHA512
c4f3930765c45d90abc5c2a5f5be42e6d4cb98f533a8c72f8fd9c4ce73156850f1482f103584dbda8aa911568dcac35f8322cd27083ac3ad78132e6af8857f46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3b32921f56f62363429f187b7555567c

SHA1
53211a4af159c8ec115c38cc65c2ba641cd70f34

SHA256
3120c48cc3bce617982414d704ded33f0d5c687242b8f8ad051a04f5dab4d4aa

SHA512
7ceec75a1654d1cd0c5613990776f547167324a451c9e7ac3da713e3559f851325814818243ebd7cb06c39d69883141cab238b83758dee55ae7cd4983b8d67a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
58ef51634e05e0bc36cdb1aeea75e593

SHA1
122de37882c0cc95d4575ffe86704c718e80b89c

SHA256
4fc417d250ff5258a822bdd15f8c917e90ffcc946ce62e47b75bf2c5bc5f233e

SHA512
3ae59fce187a7b57b4d99047dfe0b6e79c412f33c091a11625a189e5b330900329ba3fef61311939706dfe34374e83d2d6a5b22e6b6b7f7122fd030e6da43601

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
29dbf9f5cb804c09348e8a0f326ec005

SHA1
e239a9e093a5a5341c2ff286d4c2dad6199612c1

SHA256
4399f798661bf1f5d130bc9e1719a6e20375fe496b2f6d207cd4065c05d3eb67

SHA512
9dac114af155bc4d2b6451acf865b236204bb03b5c0cb5276de7327fafd1b62b629ee59ed46c37156b97fe32bc96733774c606c6c7fd2cc4b4510033e23d5396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575ff2.TMP

Filesize
2KB

MD5
4d9f9409a83eaedf129ae19f52020b6a

SHA1
cc3fa0ec8a8902487b43752522320e749cfd13f6

SHA256
d062f973e1d03a91206bd6317cf2ec9c69ea064d0fe95041f06975bf9e3d1a93

SHA512
8f93adc4e1399a5802dfc89ac8140ce5eeb8809699c0c5b58e772e7bef88505569f026535d3570e9168a774a825d7ed85f2639b069598c16b23af329ad13752b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
42dde8e7325925d6eba69b39c65e1571

SHA1
e699673573eb4cbe10fa8e48d0fcf59fa55d51c9

SHA256
adeeff3bd8460df65211bd9099d72878b16fadbe4048d5ff4bc90e5ce232e221

SHA512
f11f7b62471f55b332a9386d4d19d79b56bd301837c0011067d3b2f66e82acc812b2c4e8e00f8e24f6a52473f5c96753669ea4f6c26885ff763910b16867b5df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
5242c9b58c97685bdb33298d6f9b83a1

SHA1
8d4e0768aed14f9e2b1fb51e39100ecead9b0036

SHA256
1e64804ddcb927efe11f3b05e65ef8aaed9056dacaf244dea73e48b1bad91b44

SHA512
478010373f4a7057aa218397edf73a3cdeb2c3743f0944702dc833000c99af5cd133b5737b40453eea2d0ee9f0f7805c529f82d86f0c7550d4d48eca218673dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
146f7e900e0c0ae80e8798de344530ba

SHA1
05ae37f1d2ef69566e5689ea02d12ef6a5e6d683

SHA256
1700466a00ca90258d874418e3acc33451aac6fa5950088f307a2ca23bfc0f4a

SHA512
cccaa01f1f8772600a18b97bd768add52cccb85b126ee0cb49d6b2b40df1189d3519a10843bda70498e22bd44ca2e7a8067c80173fdd535d057458a7e7e20ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
278bc86ddfadb02377b88b92c559ca0c

SHA1
4a62fd81407738ec077b273827b1adb2902e85cb

SHA256
d67c399c91ccbd179985ef58154d6b603bf7dd18793987724a0a7ee34db74f98

SHA512
e4df82d054f6b8a10fd2eb3821fa33870ceb7c07d87d48debf0e4f3f397967426265007eda4cbe911b25552e9f51ffbde15403cac7bdd11dc015690ee5c6731a

Download Submit
C:\Users\Admin\AppData\Roaming\84319ab54bebce60.bin

Filesize
12KB

MD5
60182bf5ab8f67a5b9e4832f1afa658a

SHA1
7ea624498272cdf5c28281e7cea43c345691f34e

SHA256
53ccd1f3392b6a5da0c9ffeac48b3f1d13f55ea10dba7583be10db859408540d

SHA512
99fe70074c6e44f38dd9fceccad8ad8c600bd4ee8e3f4f50d95e925a9f248033cf0cbcfe57afad7f54afb0fc921f94a3a65768e9b8db972a1fa5759ba61b0f47

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b316597fe1ab2afa5b4a76534c3adfbc

SHA1
5a3163cfd0ae3e66e7bf6de8fb7d921b7afdd89c

SHA256
da0274dff07facdf28a618a70d69c9c20377cf9979c55dbbf3f56b94d82fd297

SHA512
3e3edb97b7ed1cf584eccc6ac10622a6b5acebbeff470ff06fd524e9220f20b7a42e303b9263580552993fd5c2aab823f7cf9be95a297e11ce588220514bfcf6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9c3286e722d9396b6c041130e5b86689

SHA1
352a849e40e405bee744f333685ac1be59903663

SHA256
786cc2b6bc377d705b455a4d5a07dda1061793bbef9232e2d2c12d397a5961b3

SHA512
600f43780b784f5b82c31b37c8f2472a725885abd93a2b7aa34e00ed5f52308c3466f5133f11730299a3c679562c631becd9f37e8f3526d7132df8f2b8c4b80c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
773cf03ae6d52875c365249882240f8e

SHA1
00149073e447e3246eaf00e81a00d4a0035a366b

SHA256
1c42607f11f5b30fa3d720197011bf053d1adce586d91a9e6cb219c6c5cee3dd

SHA512
bf626f0af12fe050636b376cbab6e1019dc15e49b5e3a339455ff392fc3da3709143ba0c5f3ad497c501fbcc9fdbe3d958c7fda0f4fab2b747f094a0b95699e6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a97ea403bb27d3c80326d7396cda4d00

SHA1
cf5ac2f923880a44e55cd7bad68b48b3f877fb91

SHA256
ed30dd85262fa674de336c2a094cb07b1bc9046200ad6e498aeee3c68630a1a4

SHA512
361187e1974b16e69b23aab1aee4395de409ed7b7740a0b45f60fc7aaa80a7594e39b6acb213a826ec474e0c49ff2147c2dcf395407ad2fbac7f71162e23bfdc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2077d9421388c52312674b9a55e31d9b

SHA1
3adde88ee53abf05d8629a17283294b47dbeb890

SHA256
ae1e7b8ff7fe3cb98f42faa83379c1cbd91655973e6c276cc22299c55d1dcb02

SHA512
bf3ab792951124b4b89005f3473602ca2813e885b632868b2d356b76ca84b15e8c947a43f95f239846c99186207b53ffe97b42968451d5ba42ecfe5cc3263f32

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2b93bedd4599532762d4a4ddcacc75b1

SHA1
9214d81bf987f7b7d8f0c22aadb28093d0bd3312

SHA256
d25e7b869433d83c5e69c9fd73495176a5800fa8d549abe80387fc22046fa708

SHA512
603f67df525c1695fa78e71fb16ae6d0a5a948b0b7b9db57a614e5f09864c03505a80e151f849e836c2c16bec1c15cc05ab014f54b3cc3f7347f666f6184f98b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2391290922f660e84e57c3cf441afbef

SHA1
7eea297caab50e5be06f2d81e6c47a05362e9b56

SHA256
2edc80b7b451f6e9148a0b433702518716ae59ee6ab808e48153d6772a8c5204

SHA512
f847cd6cd5bb437c8d6a7b29e35ec052bb764c483d1c23bcb293f4ed2a56007e4b08fb2e051245b5b40f31d7e52724b31279b04513caf4fba533a7f6d8cd46bc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cd82fa0360eaf6f737e2c2148bf7bfb1

SHA1
c34979f9977f4ede2ea434f06e249114da165910

SHA256
14bca24687f8462bbfb863c7ed9dd330c6610743bc1caab882053d9c25985d2c

SHA512
8973c35e9addc2667843ec1681817cf39b780f236046c6adf6725b4462bde847be9cda5e56a62eb0cd7d6f60106c6528594d2ded6a1edf8a7df117b46aa84a6b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3006b86750dd83bc21e3aa79774b209d

SHA1
98bf3046c9ae9d1cc548c237200b184a1fc08c47

SHA256
573b3343a5d70c71dbf3f1e3e0f52e1a104536ba53fd4ffe647af4d64e6a40f5

SHA512
67efb13d757ea36f887d147a730d2c84ffb2889239c5355e38fd503b5b28986523a54b985c03f752bfc02a49432a428a1dbb59832f201a41c74fbe7d82ae192a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
519173632818fd32ec4ee7bd255e5d6b

SHA1
926aedd67e6f24f661a3343aabf7590ab0a65876

SHA256
223ca8cb92f5e8b0aadec7b0cfb81f06ef33b47e4b14fa3bb7fd02c6630a3c08

SHA512
4afe7fe92033d5ac00e20b47bddb39583b7682f66de691002310385b51393e4fc743f4b556554432cab0a89cba4a876a160ecb7cddd0ca62671e5c5527783fa4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9b18c7f9c7853405b3a2c81594f139c0

SHA1
eb047b4c742463dbc7b8a4d5f5c50e134cf091e9

SHA256
a060da2567875be7f76ffc67363c8e2b60d77e41963d9de00da7249e7759ff23

SHA512
15d90f7373d3e4946b4d1a53b9bc96319db241dd1d1f73c43a3cfdd3b434ee4362d8434030985542ca4644b436ae6a0dbc3e41d81941a4d39faec0ab045d4f24

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4d5c43a1745c1fcd4593642952a5c50a

SHA1
7ff09f9bad56fba74982d4428ad339620a9c45ab

SHA256
85eba94095bc066c486d89e79c1e230210a69185b3d53a43f01351f978468345

SHA512
c9a08a02f2073a08f03b423c384b26cb6325b57e588579884b13be172a59aff4b73577d3638906e11ee33b32b0d5b55762b7591f1b0631eb3bd287e52f850de2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
539a47b479053167fdcf9f94bdc5ed98

SHA1
7e2e82eee3a3aae2b9ed4e38e948c8713da2dd1e

SHA256
bef560c21698e526b2fa538ef4fa015e0e5b95de247edc57270c9959b5451e14

SHA512
6f065b4c44443e7353d0f3255bad81e082efd553423c83cde19f09935b81c6e6231e6d5ed933ed64b92261ca583d1f3087ebb73b948b1971407ebaf03bce218f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
abcfe44c3450efa76f07b526fdb06604

SHA1
1a5ada58f8879188e89bb143d67a6597c2c95f30

SHA256
9dc077ac444bee5234f116a3acafb83e4cf9b71f0ce6b2094cc624c688b0af13

SHA512
3ed366757ef2baec23c57be473f9ad85c0dc26ee1abeb0077432a342e768f13036d8e1c71ac7f22cddc3bc2351edaabab926c47e5063fd08b01a725a3ed7a3af

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a8459210af9d30f42084031beee6be68

SHA1
420649b52ee791bb3eb5051474f6659fdd749e70

SHA256
f9de1eb54d7085bc1257ad45b29d7288b6f22f379d17fb9d1963ec82997cd979

SHA512
18792306bf12ba4aed0e494c3c04a2cedc3763681368a990a0dcbaaa7f9cb6925b3ddff20727d414071a3d909a18a4d3ba8d7f70850f61947eaebe04bcb5b036

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6f4c4e5fc1c6384cb4e870349c12055f

SHA1
3225cb4a8dc35f769671d32d1c88bb47f380d48f

SHA256
e519d6a4e950a8267b6ba71a8b85c9876a0fa37de9856ae69568c4275190c7bb

SHA512
44378a487ab25c9982187abaa9c78269abfdd258dc6b2350564beb0209c3677f937f269dcc8f777b34d15c075bb8f4e17674c3eaa6bb9309788c6c1b0ad4c599

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2282a9e5e633ff3ad40956b167b6afbd

SHA1
a291b212b5b599ba5e3ea1bfb9f8b8dd9d29b757

SHA256
665754efaf4bc77adc9c39857e3fa9e6afc97362b6452fc3e04174b16d04e227

SHA512
115a26e0a6c882ff8d0b8526e700ebba5690990de9b1bf48bfc87fe84a1c43196f3ec3669dcaf19f208934be97c51a38ede98f02b144560f8f22bdcd524199e6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a968c20193c3619331ba7b0a033a77e9

SHA1
7c6ccc341d51352b1a5dd94d6c7200b5dcb9a587

SHA256
08c52ef73d80603f44da93707e91c1a5122e78e8dbf16ca3d5a11db51a75fcaa

SHA512
dcf9ec249d114eb0e14c9ede9589f05f9bda42e203cc4efe8d0fcd39e9679edbb9f4879679d4f1b173c128cbbc5e9bd825aed4cc6cfdd50ec9cc8933967efdac

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
a6e7bf45c9610ce4fa61473085cfc37c

SHA1
647f7ac0c2f74ac7f2b14f15bfcd9e68b5a8bf1f

SHA256
46a3b3028edf02346302b1ee0be06b5333d8953503cbee641687b7fe49cb419d

SHA512
4bac9b3051935e233ab60baed6facba9a40ce6fa9d00309b9f06f234ab119fb2be4af0b8fa26d24f8f884e7ef018651a3f05aaeda88ab125cddbc980f15eaf5d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dff108bdbe006b108234c863bf74121b

SHA1
7da94f5d448f5afe672ddaeb930c0975a254df6a

SHA256
54a521faa7af3fc66e321a6284b2410f35c7cd45305def5087c4cc98925805e2

SHA512
858c1e571da0d6865d3ed089b9253bb403aeee1ad606d5eb319b84efeace336a7d70a903ae7587291abeaa95b3838ea90a5034eb1261ca04a529cfb454fe6093

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5386165a624b9ffaa6f18f1a3cea904f

SHA1
4d59344256983ec95c6d4b412d23e3c0014ec9b0

SHA256
d1faf339be5ec708d8f5f8c75805bb5da801f7f9e2eb264342f054c6ee98b8d1

SHA512
dd39c299146bff646f05cb0864453f06f9c14cbbab783f14696c56a6f8cd1a86ba0f53e6cb8a89ad523e6534e212637eef69fd83165947f1293ca63dc1c23d66

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
25144d506537424c0a6577d58f671b16

SHA1
31200dd86b1584a1239bd41a35ea033ac57ae445

SHA256
ac2410d460a791b53f920427d4f9044a239a9c547c7ad51fbdddfe91d997bb13

SHA512
32ec8ece2ae161f6a1bafffaaf5e594b23fcd3207e50944637ff55c247b280f9b53f4f51739909f876cf9ee345a6ac6234856337080a95fe8c10e0d0200c1c66

Download Submit
memory/316-768-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/316-308-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/336-223-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/404-10-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/404-6-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/404-0-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/404-37-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/544-256-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/544-760-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/688-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/976-174-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1052-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1052-44-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1052-54-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1632-176-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1644-278-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1644-761-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1672-276-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1672-34-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1672-33-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1672-25-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2036-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2036-67-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2036-281-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2036-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2124-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2124-545-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2124-90-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2124-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2160-17-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2160-222-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2160-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2160-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2288-243-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2288-749-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2384-175-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2480-187-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2480-570-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2872-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2872-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3000-224-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3344-178-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3344-651-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3996-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3996-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3996-63-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3996-57-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3996-78-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4428-177-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4528-173-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4880-179-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5096-585-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5096-561-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5128-309-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5128-769-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5228-771-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5228-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5980-536-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5980-599-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6028-547-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6028-770-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download