09c86ec1b3b8a2adb12d1e23052d7b4f63904c8e79c7419e97fec4aea4f2369a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
Size

5.5MB
MD5

eb11832361cd9d82620969fb0acaac71
SHA1

0c94a68ce2cdef659b2835a0591649bd0de0af2c
SHA256

09c86ec1b3b8a2adb12d1e23052d7b4f63904c8e79c7419e97fec4aea4f2369a
SHA512

219f6261ccc03de6377b0dffe1b8403d6f7740871f4f2c0cdb46fd641854ef8685b7861b2018811d9e09aad577de4d63d8704474aa26f1d5409fab96e4796559
SSDEEP

49152:YEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfJ:2AI5pAdVJn9tbnR1VgBVm+PHn3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1520	alg.exe
4876	DiagnosticsHub.StandardCollector.Service.exe
4392	fxssvc.exe
1540	elevation_service.exe
5072	elevation_service.exe
3900	maintenanceservice.exe
2824	msdtc.exe
2112	OSE.EXE
1300	PerceptionSimulationService.exe
3668	perfhost.exe
2560	locator.exe
4464	SensorDataService.exe
920	snmptrap.exe
4208	spectrum.exe
4284	ssh-agent.exe
3920	TieringEngineService.exe
1332	AgentService.exe
1772	vds.exe
3052	vssvc.exe
1540	wbengine.exe
4892	WmiApSrv.exe
5128	SearchIndexer.exe
5620	chrmstp.exe
5732	chrmstp.exe
5864	chrmstp.exe
5960	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6e7189c41ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000762845ed2dcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013a9e9ed2dcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000477cb8ec2dcdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c47553ed2dcdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbd2b2ed2dcdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000472eaaec2dcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b9b79ed2dcdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0c442ed2dcdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f0dcded2dcdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644736035017115"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000807815ed2dcdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1112	chrome.exe
1112	chrome.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
2840	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
5672	chrome.exe
5672	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4540	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
Token: SeAuditPrivilege	4392	fxssvc.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: SeRestorePrivilege	3920	TieringEngineService.exe
Token: SeManageVolumePrivilege	3920	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1332	AgentService.exe
Token: SeBackupPrivilege	3052	vssvc.exe
Token: SeRestorePrivilege	3052	vssvc.exe
Token: SeAuditPrivilege	3052	vssvc.exe
Token: SeBackupPrivilege	1540	wbengine.exe
Token: SeRestorePrivilege	1540	wbengine.exe
Token: SeSecurityPrivilege	1540	wbengine.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: 33	5128	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5128	SearchIndexer.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: SeShutdownPrivilege	1112	chrome.exe
Token: SeCreatePagefilePrivilege	1112	chrome.exe
Token: SeShutdownPrivilege	1112	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1112	chrome.exe
1112	chrome.exe
1112	chrome.exe
5864	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 2840	4540	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe	81
PID 4540 wrote to memory of 2840	4540	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe	81
PID 4540 wrote to memory of 1112	4540	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe	83
PID 4540 wrote to memory of 1112	4540	2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe	83
PID 1112 wrote to memory of 1988	1112	chrome.exe	84
PID 1112 wrote to memory of 1988	1112	chrome.exe	84
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 544	1112	chrome.exe	92
PID 1112 wrote to memory of 5096	1112	chrome.exe	93
PID 1112 wrote to memory of 5096	1112	chrome.exe	93
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94
PID 1112 wrote to memory of 4688	1112	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Users\Admin\AppData\Local\Temp\2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-03_eb11832361cd9d82620969fb0acaac71_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1790ab58,0x7ffd1790ab68,0x7ffd1790ab78
    3⤵
    PID:1988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1916,i,17481719290129500518,10701559532660321451,131072 /prefetch:2
    3⤵
    PID:544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1916,i,17481719290129500518,10701559532660321451,131072 /prefetch:8
    3⤵
    PID:5096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1916,i,17481719290129500518,10701559532660321451,131072 /prefetch:8
    3⤵
    PID:4688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2920 --field-trial-handle=1916,i,17481719290129500518,10701559532660321451,131072 /prefetch:1
    3⤵
    PID:4672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1916,i,17481719290129500518,10701559532660321451,131072 /prefetch:1
    3⤵
    PID:764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=1916,i,17481719290129500518,10701559532660321451,131072 /prefetch:1
    3⤵
    PID:3152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4180 --field-trial-handle=1916,i,17481719290129500518,10701559532660321451,131072 /prefetch:8
    3⤵
    PID:4332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1916,i,17481719290129500518,10701559532660321451,131072 /prefetch:8
    3⤵
    PID:3364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=1916,i,17481719290129500518,10701559532660321451,131072 /prefetch:8
    3⤵
    PID:5764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1916,i,17481719290129500518,10701559532660321451,131072 /prefetch:8
    3⤵
    PID:5364
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5620
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5732
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5864
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1916,i,17481719290129500518,10701559532660321451,131072 /prefetch:8
    3⤵
    PID:1928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4036 --field-trial-handle=1916,i,17481719290129500518,10701559532660321451,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5672

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1520

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:220

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5072

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2824

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4464

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:920

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4208

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2104

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5128
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6112
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
33ee3cda60cedd050ab8ea5e798223ce

SHA1
bb23d7ad463a861dc87e653dc85043b7abd655b6

SHA256
a413de74a23f852fb7d84dfec9cef8c0e45e671205b4bec43a19e6bbc70cc00d

SHA512
bab60cd1dd3e217e46ae7de1749d6bee56ab73f311a4a775b854d2747597a04646c951ef7b05534d3991e0f416bba5634da54ce45d2f03b1de1e9de1b35609dd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
fbc4b046fe269eb32bff8f974b21f0c3

SHA1
aad0c0111f313bd4ab12f87de014c75827673712

SHA256
71a9fdbdff8ad255aed5ac44b9733cd3e7e31bee19abe595e543dbd6af1bc0e4

SHA512
8b8989a16946673a44ef68390947d3a5bbae522cc61e120f7c5ed7585a181f5153b31d94228e658e49fd5ce2db5567161acd620e4ab485048e6f02ea23ff6125

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
86cac00a8a255024b42e984202fd79d6

SHA1
a35f7e712a2104129398e6a9a4bf8392fb1b57a8

SHA256
fe1bf8473f76a35519b40c10a52125bdc27e850b71f98c2fd20c1a577e6fb30f

SHA512
8aa67f053e794976b6f2660de512367b64fb3d36e6e56d74758e3a2921fb1b51ebafc9ba5e3a226d6044400818ec13572c541016c0693ddafd99a7c1ac168c9c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b7fcdb431c4f54b6abd67a7837c9e9f3

SHA1
53a8a1692bf985d4210592a8018c4d0dc989d395

SHA256
879768e9e4355da3769c9940a6805f0bd692b12ee465c6fc05c4783cf7926939

SHA512
dd0b4ea1a73460433aad8f71da329c01a0290aa7a25e5eeff5e7946afb8a6fc76b2da29159965d2ca0b5b4e105ce9517257f4f85d508e3fa0a597320551f1cf9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fc2e8e72cfde0d033fcacee713192e69

SHA1
83efffb16128abae59372682e3d7659b07e6ce40

SHA256
21ddac67dfa9c9017eeff5c0081d8187b74b5a4aba2a17db86b034f71b883960

SHA512
a0154f9bca55100de64474759315a43036358adb444d32572a296b2baf8415ba607538083232641b4dfc3743c7c0091900329ee609bb821ac074f37dffd82e36

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
9024f51cae516a86219eb0e8d9c44942

SHA1
0df01a8bfaa90b2e07fb5d7ed3efd78bac76eecb

SHA256
077efedb92864ab663f6c5daa34afc546f359536f2a5afc393c82e2b34b9476d

SHA512
ab74b1e4ce4230b14af7c7d0d770b0d194a66a0602e3e4e52d2b0c24ccd15f713b277ebc5a982a6e27de2631273aa29ee6599e297b89cb9b0ce59aeef49d8e38

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
edb83a30940be0d4f1de992eefed6802

SHA1
d9fb8b392b6f68e40dd070f88d81c02659319737

SHA256
5c22b85ed15a6661e21a7f37171ed8d6d67949d6d54c082643fbcd3db00c58b7

SHA512
77b60eb26f159e8fc3739e6a0584e730dc36254ee0e3c0a9962ab7ca682c11805493ec3b63dea9e49c49d682769a49de6eac1180a72e46fedb3a67f85aef1a3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
55f18410bf4fbb640b541b608c558b32

SHA1
f0d65c23430e6b7994c6f6fa2a1056023b04f6af

SHA256
8f7a590c1dee5bcd55bb8d6cccab786b047d40932da102859db9e47f80943cd3

SHA512
5ffb9cbc086a971ebd5136b2cdd29f3aefae6e6816e0a9c312d20be0a62810ffbd5c05fe6328b5853e4b9b8e7289ac79215f4d18763eb3fc6d2acd2fcc36e929

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
d148f639bda0060633c6bfc39a87ae0b

SHA1
15b658d18ac39566c70f65e48013d060146a28df

SHA256
6b580530bcaaa360ce90fefa39fbd176fc00acb7224c1e27ca1e0d5e2cb44e52

SHA512
086e7736d8ec8285e1363db5ef78619eeafec795c97e5aec67001e84ca106a72f76f87074878ade9d601eef9b455ae3163719662f6e219944aaa615fa7a6afb9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
99f79860b0eaf71b5fbe6f23c8cee5d8

SHA1
544e00162523432e2072e6a2881dc43a281534b2

SHA256
258de057a197db56a8b4751cc8d73c5e5fbf793373f23b7e76f60a04ce04204d

SHA512
5c34b552dcf6f26f583096d9adbf9be194c448133221a64b65e671f6603b17b8f8c737657a0768788676c2db0bb2e0d2b0e3dd849f808d1441262c0c994298c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7bc52db4e5a6d3346bc242e8ee2e12dc

SHA1
de8fb3e3259c326103c60a5214c439025563e1ac

SHA256
626c2e4e2944d9ee581eff4bfe91ba9f4a5d8541bdb7552a890b92d4a97eb8a6

SHA512
8657a3b3ed1a35cb5222dd976a36b315630c791a8037dbf1b8ce9c4fb2131bcb4f03344f3adb1e277ba36143ade59be80b9bcdaf328ef062fade225a3011a5e8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a1a4b9230a861a6ee70a0e121e871eea

SHA1
2488b7ab1dfdd1d6a39730847e3dab42f190e433

SHA256
c613899629b01b9af0f23098ff541d923c2d02fa0a543cd30d7763155cc75c78

SHA512
85197c7fb217553e4d6251098cabe3690323ffc599fcd0e10e908a3718cb4d7dcaf7b4026cc8dc58b50a69d9473e68c5ecb95d0fd9575342b74ef5f300beba14

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
199fc0eed7bce2ae26d149e130a3acf9

SHA1
adc597adf197211c282913220f40e1dba80cd297

SHA256
c5fef47d38dde13274635ba69658ef194afd118b23c8754a4a9c33b83276b609

SHA512
11cb1c951d07a73a49994783e7ee927462a8c515ffa59ff9149400c66ea4c0d2f8bd68eae7165ff1b175ddf3a08f99cdb0948dfe2ede56d29f5a3a5706fdc78e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
8bf0403cd838cdab109e35e2a7e4bbff

SHA1
6885f14df4034b9220cb68f6d7c3d25bd61bd9fc

SHA256
ea6dedc39c9269d7545e84d333205d64ecec1b6e915b2f13cee107976c1b6517

SHA512
106868c8e430d2885c9e743739164120ee4612acc54e045b06a1c7bb81635b39b9498247f8900fc93adb5acc9e4945fee3f3b53096b4dfb3b2638eea01b1872b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8354d49b037a3b4856cc4a67d3f786af

SHA1
9b8a5a5c222470db68db9f178c0d7e38d018f9c6

SHA256
41a641158b3a10c8466f70a1b30e71eb61fab37787d25e3d5bb2915cb838a28e

SHA512
e8a566867fc53cb5b1f81cf573f1c58f6d39043b807d03400ef2ebbe7fd37a3f72eaad4f9efc5aa5aae661c5b969512841ad0cfdb0a87977b7c243e2e07fc394

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4ff804a59ee4850f80cc20301c63a395

SHA1
fef1fd8e10a869fe6aae8f63e9f0bd90ca13493a

SHA256
699808bb6cf5fedcaf2ede312acba69e38e449e4a811f586db9a6694e3e18648

SHA512
3ae4b27d68835ed664f300cd4ae7a7e5936c70b673387568e6a47ef19702ca1c5e01ab7e323d23748e90b540bb927204a8a67cf7eeb7c271787618a4f0d25e10

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1cf4a4aced853f1aa6c8756d43eff762

SHA1
68ab8dbabf26168fa2918138d73f4fa8136c4846

SHA256
a1b1f3216f0e51eb670d17ac00bdadeface5a55599d4cc342a35ded495277247

SHA512
d387d992c770e73508451facd2bb9cd697c3a7324e87c59aa0d199d7c33f01572fb3892cba09e4e149881caecc2434d39174d7da8fe64b467a637edcde725305

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3d3e3ec8907e556073eb122832912c99

SHA1
6383247361cbd784186933754bd1db4d79b4a4fe

SHA256
b6a5b132987ca58500acb16ff2bb6f2ed71fcf3bbb93fd7f6ec75c42dc832d5a

SHA512
d87d06e1d4c50f51c0e31ec32cf13f90c69a6a1ab58859c101c2304b32642b670ae88bb94e5a4df56c61caef14f445bab24e17966617d15cb5fc905784898afe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
77b5ed17fa09f8660025819b2533ff2f

SHA1
146d0a199dd987033cdd834932c4c20517077205

SHA256
c6744c8c6cabb737dcf34be69737f3b97343781b5d4403ec72faff01fdd5d7d4

SHA512
5f3164ea874d89366d0eb7743f8560724cb3f9ef9d8a01d848f0825e1feefa8d6abbbe40d5b8287a377ce30403397c145e3d0abd4cc68c8cd2da2ef5bc710e9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9ac8a96e1b098b7e4e3ebb4718f08302

SHA1
4ed46fca659fdd387b9fd65b0235fdd2d2516344

SHA256
13aaea126e9566860406b0f4dff9c94264a55ffd3426d8734cfd06ea4860c6cc

SHA512
67260833948401dfe87d75c30aa312e1ef7803ed8796cd887a8512fc5908d22539bfa8ebb67d62714738fbc9db730dbc08d49ed99afef264b97897fbeb6fd614

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
093c44b99c691e8a0f26cf003fe1889a

SHA1
487c5947513144bd66c95c35f371d88897f8582a

SHA256
fee2f05d2bea33842ae4bbcf35a1b02f9e155c909fe3c4064e07db6b8ac92785

SHA512
59330fe279af40a706c53fc6ee3edb9d5e893f075aedf320f82f93e9be22634add571f57610cf20c869d71698420d595e85b92210971180361e61c782f09d056

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e2f2d2485e5496b1d7df278f2f888497

SHA1
f96947a1d13f5fb8598f60858329156cf255182e

SHA256
7b1f943f04f9a7cc25c35f45462051cb67d76b0d0152ab45c45cd5ce87878648

SHA512
2b36be456bc5e35fefd5937a92e558d5f10747a0e0fc5e6c79873fbb0909f5aede1dd79cb9e3faf89eca591221fa3f32884da1a7ea695908b2b6893a28a88e1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578944.TMP

Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
e73e3dda634dda24f4a1ee4d174037aa

SHA1
cfca1d28d263b7926aaa1cf1bad351d38a978fad

SHA256
aaa404559c1f81c54783a2105feae86b3a8b323c27cf63b9d02e458feb568d32

SHA512
6cf95a5715fbab71bef73a39734ea60513b42023da3774cd3a41bacd4c9929cc863eea9db8891ff7f26ab469789fd1b469bba3abf5c6fbc2a0c3f1f87725334a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
a38806f1193111191a96d2d0ec1b3a69

SHA1
5c754cb8809824f0fb2cea83156fe296548d2649

SHA256
13c0624a3a396c877a0a14938d85dd43c8c75a77aa33efb045ccf530dbce7328

SHA512
29e4e1ab2a7605863a780841a5c0c00b2023761757b31fd0ee403920997d15f5a8af571c7082251253f07adf420c460591c8bde11717cacb2d900cead11238fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
f8ab50a8340fadaceb49af229ae4f6e4

SHA1
fb4a1e84454c6cb1b1202964e75bb1ee1de6c4d1

SHA256
1f784cca562ad854cbe8f9d286443cba3b5fd32bcd936db46237ed6b60d91dbe

SHA512
57668c30ba6119d7cd1c032b3c115f79e570ae2e34f3fe38d20b93145195d974fc2f93977c3eee01e48b732e1b8c16afca6ea344f31adc236130d72898991ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
ff4859b9fa8e1b0f501c8f688876cdd6

SHA1
1c34e914fe0fd86b504de5f8315aef5580165d94

SHA256
2972daeb0a9cfa14c3d1811e65c67dd00395a23eebdbfc34f304c9373d17425e

SHA512
63fe0b75099382357345a0b4dd28338297cd6ccb8660719e615baddbe53c009d51af19518ba28fbdca38b7315eb9e43822f82e4fe2bad56a73afc85282b473c3

Download Submit
C:\Users\Admin\AppData\Roaming\6e7189c41ed82f9f.bin

Filesize
12KB

MD5
fbae7b323f0847ec56c8e93fd426113d

SHA1
777ea812651182a024fff4d5a500b0e8b2bd8fd1

SHA256
d1a897577798206f6c05bcb6176a065a898dd6bd614b2d04b71815cf15dc97f6

SHA512
37ce66b8672cddd986c7513657bce7bc5aa549864e818d4c69ef104b62a7a48cd01866f70947b78ec7e10490300337895464dc544615ef37bc3b37b32888c7ed

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
d6325baaf424cf062fb80a779d05591b

SHA1
e4931024aa5d3257b43b0159d1efb16092f4c87e

SHA256
0ed7d27d35a966ed2277962cf6167be188dd5add303a3cdbb05b033fca4bd872

SHA512
88eb9c0ab28d9cb5f9013b993beddc0c02fdbd363883b939f9dc025780c7b9ea23babc7cda8d86b1f9aea1f5c005bd7760f44e7844d05550e49dab21ccc676bf

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2f75cc0ddaaf620a839f27e5fdf61128

SHA1
a17e3e50ca70944e1c2bf55d324c62325e34da7f

SHA256
4688590e5fa1c49ca1f0ff70f08cb2297abe4159039f9c91f05cd6cd26e2edaa

SHA512
b2246f37cb72451e250ae08a464b7fc968b12a915c21a1fc32517e510a2d1716cdd196d80af483aab800595bd5710130e4b7476c2f8ba586744bf3f7072f6b1a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
c1c01bebb0dae16e954fe93f450c3c27

SHA1
82e7e1995fe1b87280087d5c3ff40bc20e17e101

SHA256
de3f9759e7fd53fe7bb3f607f5e4214f31216618e3006498a6b4a15b0c75fef2

SHA512
011b09156c7950453d49d53dd924bf9092496372c556df16a9c4691f1eca42ebefac65edea30602f9381158ccc8f24eaac34f9661eb28e045273cca7f2d81071

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e7775c584af257e5e92c680771f5ff11

SHA1
fef52fe4147eede82462b8dcc454b1b063cff02d

SHA256
4c98c32990fe28b83d25b6db07bc0cbdba4ccf73cb9754eb90131eaa6725e6de

SHA512
8eefe5c074711265eec3985ac03394e192a7b45633895ee5eccbd954a3cc8018a17c13c6bb2edff56fe01e8661d09988e9c3ff7de55a1e9b1b1ab8f94954b50f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
920cfb9c44fc176c0608fa89dc63065e

SHA1
c8c5610953c3bd94f38b9f141559f2501c039835

SHA256
05432a4256c43218daf0334aa9ef7295ae948bc9338dcdf79ac5c7e7cf92fcbe

SHA512
0f2aeeb49777a6fab286e86b4e71f9a86e8ce69699254a3ca4000518b1e1b9b24371b0d8a1bc8b399e646776204e5e36934b8af2f36e4798cbd72f4c5dad8687

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
14934d063f4345b9adf12376550c24a5

SHA1
90a9449a07b94f82e86995bf6ad8bf3fd08ef516

SHA256
db90f6e434164977da463e9469b953db4afe581f9f045876ff350fc61df7a358

SHA512
e93b2e28f45425403ceec3a30af6baf2f19cc639f9b30f39dfe36198c950b3867d48589c108bf02e114d945a9000cb16dd7b454e3d5ff48f66b0c90b6151424b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
02a4f1f4881305437c62593bf18a653f

SHA1
c27840d8aec0848d0e855de296d43cf55365698d

SHA256
a55740d969c79c3899cd232b73c62d2095a60c994420ccea4e5799a1aebb68ea

SHA512
8e5bbc76b4164846fe60ff0d62c4709bd3759189d728ef5842eafb5493fdbfb71861f8ec316375e3d8fedee79871b93a8a129d570ddb3f43196561f190cfd08d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0687728f0863ae0b7b2c574a562dbbd3

SHA1
05f1854c7e43ab2682d93e37a0b88e18842a1cd2

SHA256
8d40df783b0f2393143e890b94e18753c63391df995934d7753e8d1a795c2019

SHA512
fa938825944b61844076f3be7176edef96956fe5324d67ddad71145cb67937f5262c96f7253338479eff3724cbe1c14d49b10a1f35213cfa35b5edc1605cee11

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
907b5c3b2f22677a2b8eea88a730615a

SHA1
15daef6c65eae84b338e65e9fd496fd26c01280f

SHA256
e6a627f90d3ee89a66f4c27eee77c53d4a651ebd3656eee5d2d6326f98ac447b

SHA512
c903573c1fd2afc2e7f7152e27e813a77dbf9ef598e9a63656ac63ffcb8afc751acec1c970dd1853f37ee5c53e1e701c94b988f71ed31998387d4a5d1ea7b808

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b535ebabe1f83a3a993f0178f1e7016a

SHA1
518ebe1e06b12e7eed79a9308c886feb9675bb19

SHA256
fdca53af47f2eccc3689012d382421c6f86e60b1170ec120b7c02ea5aab463c5

SHA512
5189738eed866f746584b48380497de8e56dd644c7e10001562646169f6d6c851e8534767d3483602fcdfbf156bc4838d04374b3f2f4ed38cb6498d9299d7ad2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
c9a21b46c21660892f80d5e5259c5831

SHA1
79aa4b330bfc7379952e5f2b0ccff2e52ed45d3e

SHA256
0f203cc016a1170754dcb6d399d59b72710f73fcd606fd3811bcc2d53c63e896

SHA512
cda14b81fd55f3cabb21aecf9487c503f1c5c58a3a4cd95ac1f35fe6a14c8170e0583e88818a2c66e0878ce2a0dbf2f584f458274a6a5a688507c5e1d9cb17ac

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
339a30a1893f214efd95edd8143a7540

SHA1
0ca1715129bd3ef5a06716a929390ddb73e4181c

SHA256
8f102f599988d6c76f8ed29d896c193c08e802515031846f426aabe4974907d2

SHA512
a036737220430aceef8883f090b614502f127f27729d2e5e66b92493038077a3c1640a6b8bf0f99902ea155281b7d6075586b0be7572203df36f31e29c91f8ea

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
dfea7a60b742cbce315199468b91f215

SHA1
e89c97681ce32ef8b5339c919d00f4b40e271e72

SHA256
04d19fdb835aa726fe6dfa6abdd3e8bde6f6b822e357ad7a7d234b4b4f9cf5e3

SHA512
cc212a1c1687291a834463c1172b5a5d660ad48f371de19cfa51a26e50a29be416d58cd220564ed3f3dead0695a6cae1903fb27e37f94066a8baccb74c66dd89

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
ab7be3466f593c8308810824e161a7c8

SHA1
82f68fc40182f5b303e6a0990ebe32baeb7a92f9

SHA256
4799ba2c9d8e24f384098d3ff6408820606e28be9c253cc55301c42f3806efe3

SHA512
5ba4d4cae57abf7b432589e6d9b7e9744e12d708250f12730e147c92f0632f662912e5bbd9629c8393bad7ea266098c2874e9522588642ed7f3deee95f11d186

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
0c645063f2c06d98fffb97e46bc95216

SHA1
e426c2eecd35c0fe2bd0b4a4b22f7d10f25e783d

SHA256
d781a53a8150024c7ce111300d0c8d9ddc867277538b04d3ed3cda55a0579906

SHA512
ee5c3362d57d4012031e7c68a2cb2412a1e0bfdd3d5971eed167bc73f877d17e481dc53148873bd14c5651999396894708ab6afff2ba45c32e9d8786bad25f6a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a390583685bcd87597cddb4700a5524a

SHA1
04716eae3cbacaa72f6b7c64179e6975e26a36d9

SHA256
daa96b4298b3c05aad38a2a6a27d5c372d9e36df87fb5baa0c0136fed49a1c0c

SHA512
673554fe415782e497ca751e0ff2eab423d1760d5f82ac83d234a22a789b7615f8d07dc9342262cbc9437621c06fcf17856b414c93117c5017233c85ac56d0ec

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
9206b25078626df23976da7976d63f38

SHA1
3da696864d306700ef24a1a190835be89fa5ae8c

SHA256
1f2b44f3ffff8fd7ec3eddada225262f9ecfbd059f532d78608f7e252a58bd65

SHA512
90d40783632f99275fb28e638ecbf07a0e04e583a338da1904bcfc18add6c1626b3b461ae8a07fdc75a121d053d13994f8e2ec2b19017dcba453843b276972ba

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
89f405df2c3650926af68dac3944b0b0

SHA1
0377056ad7fc3d8231228647365cd5a220a14c01

SHA256
0f403057ed0fd83626d79d3569777f318e2cdb1312595f3d6f3ceedd7efc4e5c

SHA512
2535fe0b22d9c5299861d395c7e43d869443ea1b1e3aaab08485f1d514a57cf821985c6e23c5070cf0c6a524e3b16e0f0ad4fb8e010432b7390dd6194d2ce951

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
114348ceacb34dd16703c4e1588197c7

SHA1
8c3bdcf97918ac194b482ea67eec3df4a1a3429c

SHA256
66a67f64270a705f6a262392df98dd2b4ed514fc0a9fcb102501459ebd4347c7

SHA512
4e99a16cea43faa8ba0e608fa711fc38f97eb83083fae2fde9ed2a9685fcd725699c80b4235e66c512dfbfd8eae74d6afd6f5cea394651a3ee85eb0ffe3b33c9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
b5d9797c379994973ad522fb926159e9

SHA1
d66981eaeeb23f82f728b24b64e78c56a8ee1c36

SHA256
1fbd2376b69fa300e700fc1f26cbbe6798668cfb0d8854ec964d8efb333a6ca7

SHA512
feaf77e70ef2fce3566ad87c9f33d49787cf5138c515543255c0dcc17c6ff59278c45426683d881c9cf8196cb79c07a7ab57612a521081d0161521e453209a20

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
4f02370bd1d564a03da300f1c4d84b83

SHA1
840d7757270b942e1cbc4a22e06c5cfb3af12a31

SHA256
d239863606135f550a4218346e72e4f216a18a1125d0ecedf412c59c51e19872

SHA512
ee2519921df4e715fb79c206632e7a2cb0dd0d153cf2e1333cbbb2c9ddafadc7cdb446a40e76e9824a795364e2a03af2e19538f5eb662f2f9b72a8dd7b143a13

Download Submit
memory/920-244-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1300-163-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1300-729-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1332-249-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1332-252-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1520-23-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1520-34-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1520-167-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1520-33-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1540-72-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1540-162-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1540-78-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1540-354-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1540-71-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1772-352-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2112-146-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/2560-242-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2824-110-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2824-614-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2840-20-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2840-153-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2840-11-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2840-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3052-353-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3668-168-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3668-732-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/3900-108-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/3900-95-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3900-97-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/3920-247-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4208-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4284-246-0x0000000140000000-0x00000001401C6000-memory.dmp

Filesize
1.8MB

Download
memory/4392-64-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4392-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4392-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4392-57-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4392-68-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4464-243-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4464-622-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4540-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4540-42-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4540-38-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4540-6-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4540-0-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4876-50-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4876-52-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/4876-44-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4892-355-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4892-735-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5072-90-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5072-83-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5072-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5072-548-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5128-736-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5128-356-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5620-589-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5620-529-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5732-742-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5732-533-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5864-562-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5864-582-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5960-743-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5960-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download