bcf0bd3b5866aceef8fba54fe6f4449b9ccc882b159e68ee7914a0eef40d7611

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
Size

4.6MB
MD5

40366d9185a6d59580f523fb3d2bf6e3
SHA1

7edbda821b6229686b4d86f649afdf8398624d35
SHA256

bcf0bd3b5866aceef8fba54fe6f4449b9ccc882b159e68ee7914a0eef40d7611
SHA512

14743afb96ddcf733fd756e5ac3d1578ed86cae301802c68d2374424aa229f4f7646e4dfc09872e964b3bf69729c1818e426385961442dbe2c4c86679df6505b
SSDEEP

49152:BndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGE:d2D8siFIIm3Gob5iE0C17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1920	alg.exe
3680	DiagnosticsHub.StandardCollector.Service.exe
3792	fxssvc.exe
3372	elevation_service.exe
4108	elevation_service.exe
2296	maintenanceservice.exe
8	msdtc.exe
1568	OSE.EXE
2520	PerceptionSimulationService.exe
1936	perfhost.exe
780	locator.exe
4152	SensorDataService.exe
3248	snmptrap.exe
2264	spectrum.exe
1500	ssh-agent.exe
1968	TieringEngineService.exe
1220	AgentService.exe
3280	vds.exe
332	vssvc.exe
3348	wbengine.exe
2080	WmiApSrv.exe
2956	SearchIndexer.exe
2024	chrmstp.exe
4172	chrmstp.exe
5504	chrmstp.exe
5576	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c0cd5307c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d20dd7b4acdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0a6de7b4acdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644858699994353"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024de957b4acdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0246b7b4acdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd42177c4acdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb7c2a7c4acdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1504	chrome.exe
1504	chrome.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
1504	chrome.exe
1504	chrome.exe
3192	chrome.exe
3192	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1552	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
Token: SeTakeOwnershipPrivilege	3356	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
Token: SeAuditPrivilege	3792	fxssvc.exe
Token: SeRestorePrivilege	1968	TieringEngineService.exe
Token: SeManageVolumePrivilege	1968	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1220	AgentService.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeBackupPrivilege	332	vssvc.exe
Token: SeRestorePrivilege	332	vssvc.exe
Token: SeAuditPrivilege	332	vssvc.exe
Token: SeBackupPrivilege	3348	wbengine.exe
Token: SeRestorePrivilege	3348	wbengine.exe
Token: SeSecurityPrivilege	3348	wbengine.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: 33	2956	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeCreatePagefilePrivilege	1504	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
5504	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 3356	1552	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe	81
PID 1552 wrote to memory of 3356	1552	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe	81
PID 1552 wrote to memory of 1504	1552	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe	83
PID 1552 wrote to memory of 1504	1552	2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe	83
PID 1504 wrote to memory of 1184	1504	chrome.exe	84
PID 1504 wrote to memory of 1184	1504	chrome.exe	84
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 2560	1504	chrome.exe	105
PID 1504 wrote to memory of 392	1504	chrome.exe	106
PID 1504 wrote to memory of 392	1504	chrome.exe	106
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107
PID 1504 wrote to memory of 1812	1504	chrome.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-03_40366d9185a6d59580f523fb3d2bf6e3_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef993ab58,0x7ffef993ab68,0x7ffef993ab78
    3⤵
    PID:1184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1920,i,7016602743834682757,13346997239948057032,131072 /prefetch:2
    3⤵
    PID:2560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1920,i,7016602743834682757,13346997239948057032,131072 /prefetch:8
    3⤵
    PID:392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1920,i,7016602743834682757,13346997239948057032,131072 /prefetch:8
    3⤵
    PID:1812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1920,i,7016602743834682757,13346997239948057032,131072 /prefetch:1
    3⤵
    PID:1344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1920,i,7016602743834682757,13346997239948057032,131072 /prefetch:1
    3⤵
    PID:2212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4232 --field-trial-handle=1920,i,7016602743834682757,13346997239948057032,131072 /prefetch:1
    3⤵
    PID:5016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1920,i,7016602743834682757,13346997239948057032,131072 /prefetch:8
    3⤵
    PID:5136
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:2024
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:4172
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5504
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1920,i,7016602743834682757,13346997239948057032,131072 /prefetch:8
    3⤵
    PID:5600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1920,i,7016602743834682757,13346997239948057032,131072 /prefetch:8
    3⤵
    PID:3408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1920,i,7016602743834682757,13346997239948057032,131072 /prefetch:8
    3⤵
    PID:872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4496 --field-trial-handle=1920,i,7016602743834682757,13346997239948057032,131072 /prefetch:8
    3⤵
    PID:5464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2376 --field-trial-handle=1920,i,7016602743834682757,13346997239948057032,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3192

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1056

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4108

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:8

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:780

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4152

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3248

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2264

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2448

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2956
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5884
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0e3b8096fea5c8247ef3e5973d8a7790

SHA1
2614c89e17b8c6c7477964c2d463395a60743ced

SHA256
7245fd2843dcfeb452cd9809ed0c35b80bc4fbce2afc7d5870ac9701efa23b13

SHA512
9252f105af0c08b781cb590514413430aa07ef70cc49627cca34d36f21d44fb3ad09ca77c70d45d5955dfb543e20fb484312d755065fb06e1210e20bb1436b5a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
793f8877e29698dbf42fd703937542e8

SHA1
e66d06134c0c1d56acd4e8582b84851e7dcee956

SHA256
822c9bd3826b81ca5464da972f0e208b2c15172f01ac3983a666dc736256bdc8

SHA512
3e572e75c4b9e9f2a2c7f3db6076d7a369313fde6772c9142e5e9bf1148867e1b6f1d18b45bd86f65ad27db4bd24dac503cf0a8978699089df332d32d0fe0e15

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
730f3579a47aeddb3a88998aaae6c1ec

SHA1
1568d27342f07d1896901c0a0366f7d8bbc5aa8c

SHA256
dcf00ca27cb1010757a3053fdac9e7c1175fc8580499b4d33a2791db1f3777be

SHA512
8a07091215f8cbd1fee693ae15b374d8999e3a1b8cb2cbb20fe96790f043bc1c760b765740db3f9409114213b3fe52dd7293a817fc663dd24731703b5694a3a1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ba908fdcb909a02fd0885762df6d2cce

SHA1
0294bb382302527d54212f33a1242786b7a85e27

SHA256
78c2107c2c87d5c2bab5eb18c427e2527cadb9a8c5ea80ea6d0376da400815b9

SHA512
158a6ed839cc354d2cf6501411d1ae05cc5b0450ec9968da7086feb0e4cacda952f63f3944d6e1a78f5abb7e4f0f87edda529b52f2c2d2677e08d28577279044

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2d4f4d51a79a378bda563ac8a69e93e9

SHA1
d811199e4fffd0279262c5e412166816a36257f6

SHA256
eba1cda87b9aba52b21f4331a3f16e51e56810e0ea5fb8d9c153c607ff849cd7

SHA512
bc47e9af765c9a68cb856d593679b0c46b7af29bfcdc9f3c01423701b84d2808d1b0cc328b4201393603592d99a6db243ec9341bf80a50c3c86d80c3140d42f6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
330ecbd775978eaf628a425e65d6ec44

SHA1
eb91d05f8fc2f30d5cd44976492477267d319ae2

SHA256
6d39b079deb8eec5791c47a45d73f65428c1cd3a78edaa3f726c703c50ffa389

SHA512
1e2f1931a196966d3a16c8baf89b54d2ff53b484c00414def2dea1da79822e68f1c543d12ebde734d4ffb5d585744acccd8fbd96e1693d2ef3813d06029457c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
ab15fccf86e78d37859433a1c21fe8cd

SHA1
b85c18b272866c7ba7abef8b9ece2dc54da8ec7a

SHA256
44a7a23ed3d485167aa87c58cd77b67ec73f822b91dc4de1932a903128f77b05

SHA512
a5a5411ff4b5f8fc1aa340b5463f9d1653d25e33419b66464cde9146f557684ec429d550cc03582467b8becbb9171b4642288620bb58832a03bf1d9f1c9a8526

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bee420d8a05697e89e881d7cc8ffa325

SHA1
0f4782dbf895083d611fa4a7dc03a5db3bc21096

SHA256
0041855e9c732c81f6029ccb0a80c623d359132fcfec1205b47c8704f1b9ad17

SHA512
72bcec040a5e8344111a418812f7c45ad54d80362be50794ff3014efbab69d136aed9e384dff8a15f239d1f41c2274348ffc6f8877608bd50c1b8281db1ad081

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
39654adc210f6f0eefb43ae228bc9731

SHA1
44eda8c23ad19f2fa83c60f8f034823d553cd783

SHA256
47c39982f28adb2acc2f4e60bf9d5ed30240d0c5f8235f94d2db80703276722b

SHA512
c7320fc84538828387a83545b0a0ea8a28638ca381b63780dd0019a033bd012ab3614f5f348adf40255dd0d3f75e517a4789659346b075e18f3639fcaee954cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f123dcf74c5a0d44407e01c979e3ea78

SHA1
867ee0b51c7c9abfb24a667f9e75db803eeca809

SHA256
b11a051e283e7e35becc553a4f371703e85bfadd6c9ee1d0fd8539dc5d4d6eff

SHA512
74d14217c91aa967443abc8983888d30d474d4ad5ff332474969137b760fbc2439502fdbbc02b648a76567ce20a0534fa3089cb566aa448330dd11dc2ee614d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c8c28b91335c13632dce041ccfa8b3c4

SHA1
3875cd52473efacd95ed84d28e3f8b1936560dab

SHA256
8d2988e3135b585d971bf3bc3d63c5a61086c82b6c6b7f4fee46252d75a9adc8

SHA512
3d3ee2d7266954a5b056bec721d9c0300b766d9bea3341e65da91d67a90f02115d0080b9f5e4346729e031fba5adf25640b94994f548ae69e5d103604ac3bbc9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0f583013141ee2c3f6df9158c7a3a57b

SHA1
aadf5f41e57f3977dddebba5ad656cfd7a19e59b

SHA256
3553133b5b6144a4e83fbaefed4e797d1daa33396b809fceb46e53acaf015b72

SHA512
f4e53bdca1694e37d64ae6b93d3ab792566437da01f59afb1fca35b104d9cc06382ff1c95e2630f79720f58c99d9e815452de1a425c4d88a97e2514b6db99d19

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d8ee5027bb6d146dcf1a025394262acf

SHA1
d627dc605f0a01e41ebc1d67912179fc57b495f8

SHA256
8a77fecbeba488ec9cee452396d75b1355d017ff7b123281482a091313cb47e9

SHA512
923d97b166745abeb8020e47d9c73e0fc0f01e263bed5c46fce73e8e7d90cd84d0862f8bbefcb0c4102e67c0d3c47e024c2599c689755b893aa25deca784d7e4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
e21982e798838dccb040d0bff6ec680b

SHA1
2efea372d728f8a141a2e2c4bdbec83618d149e7

SHA256
5f162b129e3cc9c071470eb63c7dd5d874ded8a6caa4e6963289aa12eb483605

SHA512
72385d1dcd7b4ec5c34a4751b145b48f6792ccd289c236f4e7b7dce7adfbe224e2720ce51fe50420f7ce10fe636ce3e88206933d4efd177abf6e05fed844baab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cca9f59def25e3b8e74b1c71399f0339

SHA1
95a30848cb60d33e48d26c68f969e49cb510b46d

SHA256
7defa580c6afb035eacb1c703c6d1bb9395176dc1e57d852e065bea288053313

SHA512
8b2992b4053b224619aed309cc83f808e6fd278412241ad35c782ee592dc6370b3409eed4b24c303c2ce90bff48536815e1a67d5171d0fb48e4a6ce1815e6825

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b36496fb2d8ec979c46e7919216e3f53

SHA1
c851043fc8fad1f670f9989f4ee75c75aa77eda3

SHA256
c11519cf0321fcc50e82da031e59244e8e4d21c1d43e71dbebbbbabd5be3492d

SHA512
a6c2828b92439c65c6f183953c51482bbbdce22979b1ad93d240f490fe26401f2c6e2db81512a178cc597fef76c17861ab9ea8ae40b7844ba806082ad61ba891

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240703131110.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
81be556f77eda8be77722686d6cd4fd4

SHA1
1564c0a97a6aa89d2e9c4e15d23aaec19947fa46

SHA256
5cd1b6b1c4bf35919c47a21077f2fa1cf80a667cbea465c50b6f132ff66b5e99

SHA512
740ed4898409f7d8fb166c92d7dfd51477ccbbb1c2cceac8d5be69c9837fc200214c8c2918a0dbc9dc850c0955d7f25d76eb41a637f87195a448e0de2582090d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bff9a4e1f990e2706b8b550a48b65bf9

SHA1
52d2a42a356c470d0cc162b64b37a397da79c3df

SHA256
7bedc153985d21f6aa7d53ff2b1343e1f8cd7eb7d00f22be6cf91a6277d9da4b

SHA512
7fac2ef5a7d180a4745c6c95899422dcbf7f0aec4538e4e11530413979d3142459510021352dda9fc5b4e7066d53e6034a6af039814d351ace9767b264b07090

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4dfd7cf4d6deb3c0ee83407adbb28cdf

SHA1
33cf083c40fdff15ee431b7f2a35116ddefc32ea

SHA256
e57a4c9d629d19fa1d3a98e7cee9712b1b7fcab6b00312c5aeddf47dd359d6bc

SHA512
ada58fec8b13bf3ca8e6632b1401843cfedb92b883ff6445db4c15656e75203490938924c5fdf9d0bf45490ebdbc509f7f47f2ee8fb04b1c67cf385f4ae60b86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f2bb857d8cb26cdc09a22bb6e14dbc45

SHA1
166ea4abd31b13a58aeaf40155ecde835a0944d4

SHA256
6740bc234fb53518eef5e86a1ee578a1d027436dadc8387d421e19c884371fa6

SHA512
cf45078a3ed178d4e3b2062e80fcb4948a4557c087de6006454a299a007b9ddd2ba30e138b25517c346649273bab745bfce369aac861ec77a3fb39cf2876af07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5775bc.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
c8a36eb061e6b7bf77c858738d8d53a7

SHA1
1ebe7b570edad782610a9c40238691d29379addf

SHA256
b6de102fe10b1c9f483fbf7ae806335da828b2f8a2ec99a1c016010e8b9c89f4

SHA512
c6ea66a1a0f42153304f537e9fe239c05b29314c0cc336604c0ec0ae68e1c4e750d132f80808f69fe666d19da3188b405518b300f7b8e78565ae8e6ac6b15540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
1084dfeb6e15aea816457dce3a2f845e

SHA1
94d40b476b576bf2537879bca7f4ef447b1a42c7

SHA256
986d8ddc2ea3998684a34e34c38dbcbf24f637d9a3bdcdf73a01d8b2f9b134f3

SHA512
b1af427b0379adc78faa8288e1ed438a4f4e03d4ef70456a61e1b04d77346829c7d90ada24eb6540c0ed547f14b9ae4219bc19a75cb1499b208b98610f7f0727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
975448d2b6ca6b51cae2c6063da160ef

SHA1
11e174b125e04e7d197d9a8a915228bc824ee8a9

SHA256
3ee0358494ee0251245d39410a6a7db0dc11015ec86548ddb120a5952da3f0b3

SHA512
6dc285df63ebbaf76e825009b949cf76574df1d0eb8617c71d0f9d2ed82536f48fa87c0a94d9b85026f18f27d0d181798104981e4fb9cd015d5c48111fa3346e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57eabe.TMP

Filesize
88KB

MD5
29845f5a0c06b39a0421ef7a5a5798c6

SHA1
f63bbad3f25e16bff538315d664a1d06b2e6dae6

SHA256
637d544cdd68a6f444304d2f7c35da01a02084f7c07182f60ff4627a107828c3

SHA512
1a34990015915269c1c425b8694aac751354937e7f104fccb2ea5cd9a1033f0be6d7fd2184eeeca6f8f1be726f1ec9bd481e40fde08b5987a2b2e15bb40bed57

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
c57d899615b934f26b8dd24551191869

SHA1
275588a095d38eac0e8563391a1122276e01acf1

SHA256
532617ed0dc752f4d86c0e6355d080f700ccdf5d46aecd8eb1a16dba36e8a62a

SHA512
ccda80cbfb4c31df2a8a14baf3ca0f81bd67614001991cd5b65833acb8c16e9ed6e7966134297fa865c60cb103f935821616f4438e49f7da0882e3aba4585726

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
663d4905d5295012a2f9a6e463392bb2

SHA1
81965e8c5708c3849bba3243429a9432d152194b

SHA256
fe4a4b7cadbb6974c30f7afb2778c0ae8d461c7eac27a12a699b0b99763e598f

SHA512
474b54846843ca36056cf6b297088c881eb28288671616968197c79513060a7df4e0f4a92bdaefcbedda05bf4d1439dcd0beee74a537288b040243f57ae2717c

Download Submit
C:\Users\Admin\AppData\Roaming\c0cd5307c3136770.bin

Filesize
12KB

MD5
e868d297c9fa75e22862e4b1dd7628f0

SHA1
9352353820005326b30b75b9712aaf821bd06da3

SHA256
5df4df7d2b60ca758d060f57b7c893edfbf5592cbad73f18579fa3dfb7442f92

SHA512
b5aa721076214731789b8adceef12ad5e8d789ed71bf7efde817aa0bdb01d0dc9d32c2834c7b5b0957ad8e1105785589d059c21574ebbd85a9f92e021ae310fd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
e70289098a7a75937712fae74e12cbc9

SHA1
2e8f98f42fd008f8477ab767d3447ba8b21bfd9f

SHA256
b24e73d85f3b2fff4f01a33540f6607f72787e3babc9260fa45893c886e6854f

SHA512
2110792fd2ff60f8534fa8f8a93c3baa45b1f402961d9f0721c54307728fea448d9411af4c953977c7b9b60654d0967eeb76816c10beac496a23d833affc4223

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5c851417355618903c5372a05a6b3c69

SHA1
828e95a8c2b46380305bcdec90caac9729183287

SHA256
da4f2fa4a1fcf355f4037a31ac1f8c24c5d3c038614713bfafffee3cf30b1ae1

SHA512
c7195ec675cae5a6cfd980a66a2ee3abd05c09d3cb578f662e49b04ad23855b3b6d81d36c9199b472cb0bfb4b9ef4a204233286f1e86fc0a7fa2b70509005e82

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
35b932ab3db840fb53c65862273de040

SHA1
140bbaf5219e930dc3caf39931c4d6ef488f9f87

SHA256
7037ee5ba4e64cccc1990b0b76b9026f7f1eac6debb210d5dcb0e4f0ca771540

SHA512
02416d2a93b7c6140675dd1a8e67864866d6d99d32a1155064ae937734174b96b55dcb687db502095989781e68eb1fe4caaa200de494aebe2e11c2455803380d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0a87c07519febf5e8f438894eb1273e5

SHA1
42b86f1855b24ddb06d08de6ef630ada7785fc57

SHA256
7d1df6d4d3ff32d7335df8975776b40ffbab08f3bbc140143858fb751f6c43f4

SHA512
1f93be89d4bd6c5404eb8d36c7fd9c59a2ea05ddb2f8752aeda8b50e1b793b9ca78d6624eac5f2aca52dcd64b1893b47db070d1756b8f822231d383b5e942bb7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
6eac2077ed85eacf6f165544102e33b9

SHA1
df20be8a67ac7702dcc2c6e20e0cb83e1072abbb

SHA256
4b88434e9a49fa22c49154a96af2fccb37bcca1710da08a72adab996554985c2

SHA512
5ac55c129ae2832fd91e0ca997104ece172708afe02bb3a2597613ab77873def768c5587db9f8004d4c36516069daaabd399909afa68f371182d7b4f1339425b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
344024ac4056705b401564b8f6dc21c6

SHA1
1801bc25226b45116a1b366f9f9105e6086b605f

SHA256
02a8cddd33de2d631580ddafd33070ddfee9dda8df23e859ec40e76941769cde

SHA512
8b72503929f6f6a2af0b719076bae395fd5230da9ce4a2e2004136e207cb6e3a97b665b6d5743d840b44a4c315a8adf2ed6b447e42259a8135c3c253ed18c010

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
66d7bcb6be6f8e0a69a623f1b773b7f3

SHA1
2a16894fa4b487eba5eaec69526bcedcf68cef2f

SHA256
0e252f231380561c2f27c874817654bb1b012f288cd0961a4e6842e47212cbca

SHA512
6f8ec30136de5d84b946127ac592ceccfe0aa83843aacc88ba63d1d7a3b2133983f4bc8cd43e60732825cff2c0ad9b6e29ec3ea0686475922ca873f01b2cdf2c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6ff0c55565c9afb063524680ea997ac1

SHA1
a9dd9007d10e58c0bfa5b0ae86fed553209819ea

SHA256
be2f5e3cfab72e3f1b4f11ab691da0ae36db7f8ad0fff5eaa882d456ced90475

SHA512
ed943290f73dffe0624f84f7331decc51a96651690edf63178712d17de9bd4490db4511608414b6d430b79d1b101a005d6097a09097fd95341c5d32b10279585

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
56d8b148e62436f8a49d8e2f588f8605

SHA1
611c641a833714ccbad602ba0b5d393d63beed0e

SHA256
e9b64277c1b5cd8fba276bdb9a8839217a946a7710feaef25ab012750b96ff5b

SHA512
f21eee47eb5e2c40c99ac381948e3b0036f6a226e8abdafd1c595cf35283977cbcc50efbcbd82078ee4ac8ad07c164b4f4524fee1c9248b287e6df584fd2ae14

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8050697bd261aac4f99c6b00f6cb99bd

SHA1
7912bde111cf5556fb4e3c64d66bd65d7c9d392e

SHA256
8db2663dc0b801dd15589725d497878542e2a2180e24eca97ca3bb93159f7e0a

SHA512
84ab16bb23dbf5014a5c88a2a5f1cd31d1b9db1499a97d1ea0e8ff8ad5b75b72ad6f2fe5f804c42d2c9a6c1a6fe1ad4edeaa7035617b7ceb5d5c6446eb7278fa

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
45e8a68dc123e7fee9aa421547052b9a

SHA1
406a2dafab6066158e388fb93bd85d126001dcf7

SHA256
bd27a2b5c73fa686d6c5f80f0caa51b8f0dd6a15fdefbbc6a38bcb2da964eaf4

SHA512
edb3465d7769a5f03e6202e388dd2b54fc68463082e08b261ffa819807b4286070249f6bfe364b8a8758e96b5a81e99d81477a899971b478f2e59efcc1e3d679

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7fad69b78e4abce1eb4500b2c73bca59

SHA1
b45ed4584da9025d65420562ffaad6a850f77cde

SHA256
59eea58903a1707456c36fa5abdc2ac216ebe24e769116e5a72eabe6721dd8a5

SHA512
2449ab5d0121f9cfc10518c513e84d13405f8353bad71821f304ea7e02d9d1b733765e3ee495322d43ac7666fdee7a30df8c201a0c25c0c4f2b8c13fa1d3445d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
abed849ea233506371076469dc07abbb

SHA1
1a563bb575024944eb1566f39acf66774f0e7578

SHA256
54cd64122aa9d782e39ffecaea1c7dadca7f49bd03d70bb28c04d782f2b6939e

SHA512
189eb14d3b21b699fcfc717a3e673fa5e547d5fcfd0150c8cdb089c7825a447e49a058ade73fe83d8045c7614caa1069cb563c79659a0fdda6febbbee48eb063

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.7MB

MD5
42974cc67555eb8627094ebe15aced24

SHA1
21cb014922972b4fdb9ce2ce8bdbdbb7efa42b60

SHA256
6186644e713940186f81647da1e797e6ed67b74b685378ab3cdb603d51ce1c93

SHA512
c4fc1f116edbdf4a532de0484ee4aba10e69d9216d905ed61a15152b504d1d1274d54e27341d1aca4c0379184e38c397024680aafaa5e8b4345d75d80d0702ae

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
e58c24692deb8384ba058b7b1e21b264

SHA1
c2aba663e4a22a01d2f474d0628d46e6ab638216

SHA256
1ac4469401d0dc0971c3fa5245392838859d0035d76fc92717c354880a42f10e

SHA512
7ea7b7fdf17cbd2faf435787153d327844a59ea60daeb8f2250210c284094f5c3cd4e682f6348761c78230bff04095c5d6419061ff452cf630d8da441e9014be

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
154705d31ac9101a33d7b9a41ed8deeb

SHA1
bd676cca1b39b4f8c6364d991dcc96c62d8eb23f

SHA256
b0cee4e0a0fb2ec4719e11af4f64b83d9931add590b232eb7f86330c5d390fe1

SHA512
f685f1fde037eafa4ba7df6a8ecc5bec7860c9061c6876ad85f81ccdfecb82148d4611c80aa88c3089a697b91ebe41035acd9978ce962bc0859065d51d01cce5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
9da566c6b64d72c39b6801613f2fb172

SHA1
4a716729a9b966dd5310749d0ccb5d70e9984cb0

SHA256
bca4ef56c23e43c72333e3b7d501ab0d452e9f2496fb05b23207d70e884c9821

SHA512
c1bb0e99bf05270eeab65042821cb9e379a986f9a65bb6aa8abd6259e87e37d4fb007289f45d9514fa4b7b188c53972f9a37aa9a797f916e443d5586d820340e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
af159e4343a767fc880bf7d3f506352c

SHA1
1fa5966d9523b9e5b1e0b4b7aa0d0990450cbec1

SHA256
b37adfcf11e2dfbcd8d354e4d2bd2fca5a28ef89d1ea8da8018097ec60463754

SHA512
f1db7e2eca95cf5f29a62579f756c2cd4c4e638de3259ddfdd76863382d0a63862253dedc98864a894f19efc45ead8d441bb2e1c8708218246996902e1131f66

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3df9e104c9d0c58615deb88068c7bbb7

SHA1
27ab0e2fef3d8bfd3be60a7033d486422995cfcf

SHA256
e337396f165b07758817a2a2e2be362cf6d37abfe239043064c4c164e22d2538

SHA512
b9a1c8047e9fd20970a6bed6b5a331eb8af703a4c46d3179562adc9d7dc0009ce2e29de8e75d1a14adfb877c664cfb90e64773208a779d438823ebc46944daa1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
55841f8e1313f6ba8c490b1ad16703c4

SHA1
03e90c4da3b4cceaa32e1500c9e009353fa5b233

SHA256
debbc0f8d1a9b9477c85531aa79d30bbe6a43c4730dd54440261116b589bf86e

SHA512
f75f8fe857ff41683df1dd7ec64e868222bd7e8f2aa5fa1cea45904fe2bcb4a030c2f7685026e30813401ccc351cd1ed75b308f9fd94dc8785ca45695e9d52c4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
6e71728091da89291c172964b9ca23ed

SHA1
82111b41bad24e01a448a0d2079dbc67b52c5471

SHA256
020d5b698f6366558581f9900a50b122277052e6418c010dc560e23715a71f34

SHA512
a24176a1a6c9b2acdce1cacfa4dc47142825c04f607606595810be6bb0dbd1c216ea4091a470d8df568099de7bac373a7f673deca890776840626513a654edf0

Download Submit
memory/8-215-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/332-664-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/332-269-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/780-220-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1220-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1500-225-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/1552-39-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1552-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1552-6-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1552-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1568-217-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1920-35-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1920-305-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/1920-23-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1920-34-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/1936-219-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1968-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2024-504-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2024-578-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2080-667-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/2080-307-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/2264-224-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2296-88-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2296-100-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/2520-218-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/2956-311-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2956-668-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3248-222-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3280-663-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3280-236-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3348-306-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3356-11-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/3356-20-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/3356-19-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3356-235-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3372-67-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3372-272-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3372-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3372-73-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3680-507-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-53-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/3680-51-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3680-45-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3792-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3792-57-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3792-63-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3792-103-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4108-658-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4108-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4108-216-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4108-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4152-221-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4152-591-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4172-669-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4172-518-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5504-532-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5504-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5576-550-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5576-674-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download