62e655236f8793f8c5995e4b0888504ce40f03a876fe9b6224d65d307bd3e07e

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
Size

5.5MB
MD5

40f729b9fdbdd681e6130193ed551ab7
SHA1

17e3dc245fcc27bd36a059e127ac351e069e0148
SHA256

62e655236f8793f8c5995e4b0888504ce40f03a876fe9b6224d65d307bd3e07e
SHA512

323f2dea29ddf64c5ad69d7e7b745011a9be6f2afa5ae05f67d76ca77363bd4312c2d3b1b235027954294e3605fc6643a6cb39962c7d8a0d201341dcf5f40618
SSDEEP

49152:xEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGff:1AI5pAdVJn9tbnR1VgBVmzQWdO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
3252	alg.exe
1676	DiagnosticsHub.StandardCollector.Service.exe
1484	fxssvc.exe
2080	elevation_service.exe
3168	elevation_service.exe
3796	maintenanceservice.exe
3364	msdtc.exe
4244	OSE.EXE
4668	PerceptionSimulationService.exe
1876	perfhost.exe
4868	locator.exe
1960	SensorDataService.exe
212	snmptrap.exe
3704	spectrum.exe
3896	ssh-agent.exe
2996	TieringEngineService.exe
896	AgentService.exe
4204	vds.exe
2016	vssvc.exe
4016	wbengine.exe
2936	WmiApSrv.exe
2576	SearchIndexer.exe
5696	chrmstp.exe
5788	chrmstp.exe
5916	chrmstp.exe
6028	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exemsdtc.exe2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\be1a18d4b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exechrome.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610503528603943"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087d9fd8b0baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f831d98c0baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbc0668c0baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exechrome.exe

pid	process
4636	chrome.exe
4636	chrome.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
2952	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
5968	chrome.exe
5968	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4636 chrome.exe
4636 chrome.exe
4636 chrome.exe

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1124	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
Token: SeAuditPrivilege	1484	fxssvc.exe
Token: SeRestorePrivilege	2996	TieringEngineService.exe
Token: SeManageVolumePrivilege	2996	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	896	AgentService.exe
Token: SeBackupPrivilege	2016	vssvc.exe
Token: SeRestorePrivilege	2016	vssvc.exe
Token: SeAuditPrivilege	2016	vssvc.exe
Token: SeBackupPrivilege	4016	wbengine.exe
Token: SeRestorePrivilege	4016	wbengine.exe
Token: SeSecurityPrivilege	4016	wbengine.exe
Token: 33	2576	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2576	SearchIndexer.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe
Token: SeCreatePagefilePrivilege	4636	chrome.exe
Token: SeShutdownPrivilege	4636	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4636 chrome.exe
4636 chrome.exe
4636 chrome.exe
5916 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exechrome.exe

description	pid	process	target process
PID 1124 wrote to memory of 2952	1124	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
PID 1124 wrote to memory of 2952	1124	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
PID 1124 wrote to memory of 4636	1124	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe	chrome.exe
PID 1124 wrote to memory of 4636	1124	2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe	chrome.exe
PID 4636 wrote to memory of 1104	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 1104	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 3772	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2604	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 2604	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe
PID 4636 wrote to memory of 5060	4636	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_40f729b9fdbdd681e6130193ed551ab7_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e8,0x2ec,0x2f8,0x2f4,0x2fc,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2745ab58,0x7ffc2745ab68,0x7ffc2745ab78
3⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1836,i,8898642754911347642,3780156938257643651,131072 /prefetch:2
3⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1836,i,8898642754911347642,3780156938257643651,131072 /prefetch:8
3⤵
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1836,i,8898642754911347642,3780156938257643651,131072 /prefetch:8
3⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1836,i,8898642754911347642,3780156938257643651,131072 /prefetch:1
3⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1836,i,8898642754911347642,3780156938257643651,131072 /prefetch:1
3⤵
PID:320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1836,i,8898642754911347642,3780156938257643651,131072 /prefetch:1
3⤵
PID:5372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1836,i,8898642754911347642,3780156938257643651,131072 /prefetch:8
3⤵
PID:5480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1836,i,8898642754911347642,3780156938257643651,131072 /prefetch:8
3⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1836,i,8898642754911347642,3780156938257643651,131072 /prefetch:8
3⤵
PID:5348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1836,i,8898642754911347642,3780156938257643651,131072 /prefetch:8
3⤵
PID:5384

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5696

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a8,0x2ac,0x2b0,0x2a4,0x2b4,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5788

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5916

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:6028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1836,i,8898642754911347642,3780156938257643651,131072 /prefetch:8
3⤵
PID:5820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 --field-trial-handle=1836,i,8898642754911347642,3780156938257643651,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5968

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3252

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3652

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3168

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3796

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3364

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1960

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:212

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3704

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1620

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5884

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
a33a60140a2b9f3cfe44e19320b5576d

SHA1
7a535d658f5ad06faf41ffd0c813addd56d79ae4

SHA256
1de9efccdf2987e74068e8c8e507ed343b4c48656061deff8331d31c9d340e5f

SHA512
4a039f46b6069c2f10bae67c9a2f68ef86e682d94eee7834eb6349f307522a33c7d2f00bd9508643ac023afffcbca12d94a4a79b65cacab118c0aef70a581659

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
2f3781d55943e8c5dff723be3685e001

SHA1
2e573b3c852fa934c42b0d47b26517c63c52ce93

SHA256
35e23e54644e15f7bc7f845fe937f5e296c00cbcfa464c83053cdf8db6698260

SHA512
3702236a6f8440af9d0ee64c7fddac5a3e4e883c83dd899af72c3790d8d4e665d81cf72adb81db5f67f9db9b92f7dcd312740420ded565dcab159356730cf80e

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
4259875feb8d0db278c9d5d140a40c36

SHA1
125cc599e3e98b8a4e8a03392ec8e4c7b2a97476

SHA256
2b03e2b82f3dcdd92941c6e1fa0ab37b2d9f62fb96971836884ddc4fe563c398

SHA512
d7a2630467cbff5ddc837627a9f73586216b45a1696eb241770ea91a0ed6072db21aa8835429dc1fdb8448b49b4322d40a571ccf6475bdbf4dfbb3fcc14da530

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
62f1e05fa922d62c298de4c199f9833c

SHA1
084914120707a13857e94dc536d635aa4af4b0fe

SHA256
776a1f21d34382f128957fdd7213f841af5d65f4037172773e72de6bb7583e7e

SHA512
67311f7ff65b27a4afdc8d5272fece95aa921233ebab40e1b8b7747b3ee794e5f642fadfd541257cf36325a7cb028cdb394bf3f78f5992b2ecb797719b2e8be1

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
eac3cb26a4ef1f9455e01f6056627e8f

SHA1
430a64eb88a6cf4f4d4fe659b22027e69748651b

SHA256
24214cfbc2decba3225123b13581fd5edba1190377c08b5c5dc90960ddca9210

SHA512
7ac9426ac1d20ccaab8305fe664bd17339eed0294a4cb57ce7f300234b9108cc80c1be57295ca4d25363346ee192c7d6f7c4ad5833f0560ccb41b95fd119915c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.1MB

MD5
422557087fbcb4f97d847fa6e7f2e959

SHA1
fd850079da8248b3214146c99d97e192ea996ec7

SHA256
275d081714c3fac4d04e01e37a8270eec79a47d3920acbd82878e2e020c24c32

SHA512
f04589867202b6287eeb5b163706892c33b6a95dc7233a890561e9917a6c4c947bda1ec715e173a34d0ce7322679957372ef49924dd356a3269dbcb5d5d14ac2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
7509b3ef4131ca1d09f835f3113ad8dc

SHA1
286b9b870ad220e9e99eed4d3783e61c4e309c73

SHA256
d054ebaa8e1a752e46100b160d76038075ba5dcf3c4c0846ec3ccdf53df75619

SHA512
bb38c42fbb41e66947d234840dcdf11a44845a47d24546d68bc55c6c7dea3dbffe322e9b57b4dfec14a7e8b657d218b69fbf50aece0ab1b2a5409c24b9da3670

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
e23b551d923f89d3b7a4c1e0f126ce8d

SHA1
5195f00a30c0ca2f3ec00420af128a780e7234aa

SHA256
00f20de34f14e5a252e4494bc2b8d1affda874b64315d3ef2a5cad13fbc0f56d

SHA512
5b6322642fd7d4ba10ced06a16731a725dcb8707796ccc3a0bab6e894b14b8fcaa89677ba760148286cde6597d1073cc923861511d2bd5ba126887361ee9f2b2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
0cd4f3db855fad4ac6b30f24e6b16914

SHA1
457436f317154a1ade59363fa73ea519b90ccc88

SHA256
9c07fa663261a8544ed9e176a94abf69c68f80501fb0f559001da4c4c9608c40

SHA512
9ca405aec708e432097d467c7c451272bbcaa21bd1e2f6d44ebf58cc261b8e22fcfc51e9aba9454b2a0e4d711fe2f33b3b7a1d5cbe5f2dae4e316184a5131166

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\111f4a83-6190-4c49-8298-35b192019739.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
53354d4be35ed1beeb18119dc2be0543

SHA1
a5a99fd37948435ce41f39f3f5d5816575fb392e

SHA256
99a0764397e8c86dcbe6b83e7ef90ba999ee39d4f38095f73d8b357e3c309c1c

SHA512
6044c82b242f365dac57899fda4d871df680234331b41c253be1d36c589ccb6f5b3bea1ddcd96f8d87efd5a77a31567f23435ed1a3c0b8cb5da61e382d971bf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
Filesize
44KB

MD5
59eabea2dab0bcf6841a0a60aa3b57ac

SHA1
01858f314e144e6a074412e89ca32c1252aea6ca

SHA256
f3bc61473025b5a7851a226a0b3136f8c1abc39d8f2b00e50c189576d68d8958

SHA512
d77dcc81e9896c57e863aacdf6bb99f7e234fd5f858906301eaf9e2883f581c19b36db01de731264e1a9d0adc6b4f669b3f601ea5cabf3a2d4d4a62700596bbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
Filesize
264KB

MD5
ffc35ba593656490fc85127b2045baca

SHA1
1fa93efa8821c5df25eaf47ff78e9f8298c212be

SHA256
5af884d049479c34dd922e81ede56bee1d9a90fef777819fb16fe9b7d922ebd9

SHA512
8ce5d4b0ee5f3a35e929bbbfbda6fe7f1cfa21dd5c8633949261230cbfe87dcf9059161e4696ea60327479ad3d5752e96e78de28db98fa3b946e6d2a763d3c1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
Filesize
4.0MB

MD5
5595cf8989d825da40d8d368dcdc55d5

SHA1
dfe153cdb853c39f3ea5a5e7df1dcde160063f67

SHA256
7e363f9120c2467831e68ecfb431a9beaba54d43b34a78d7132c58eef6f817a9

SHA512
9e0439e2533e0bf1b10bb71ee1d6410019b97f67b25d47f298d34e7e7a133edc0bf9d77a14769d71f307260a11666a07b36b6c63d086fac0369ede5d55d5e751

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
Filesize
34KB

MD5
d894bd6f8ecfa4700fd3a89220684fae

SHA1
8fbc7fa4d4a94f8e867e31b5dc31bbdec2067cbd

SHA256
0049188274acf92003ca99e5909b9e28ab61e0ce1147aba6f16fd641b64c5b72

SHA512
ec96a7fbca21a3d4043fb40712a0261b8d8677c13fd00ce79f9fbd655270c53fe4b3d4e996dab3b9100f916ac027fc87c46bf17e00b4e3b8bd7fe00542f2b875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
59KB

MD5
7626aade5004330bfb65f1e1f790df0c

SHA1
97dca3e04f19cfe55b010c13f10a81ffe8b8374b

SHA256
cdeaef4fa58a99edcdd3c26ced28e6d512704d3a326a03a61d072d3a287fd60e

SHA512
f7b1b34430546788a7451e723a78186c4738b3906cb2bca2a6ae94b1a70f9f863b2bfa7947cc897dfb88b6a3fe98030aa58101f5f656812ff10837e7585e3f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
90caa2ceb0591895510c1407e45487d5

SHA1
ad972cff37cbdca285edb57753e8744ff00e2162

SHA256
4e8bb45c7b67574322c7cdb66818aff592ec0c486c47f4adb578711615401bb7

SHA512
a31c90814e9e4e4bcd7ce555a9ff90aeab8e5012f7e67c2146e950a65f6d5c39854e3bd4b89eda4f119395933bd3b40b9ade16d71ad96e310bf5885692e8e50d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
0d3aad0252b3acb8c9ebd06d76143820

SHA1
8971f903473767db8f9dc5387f78c67f0fc6e2a0

SHA256
d806c0f09af10c68630c769d043d43aab78e4377ad4185f8d812eb4b6a6a6b12

SHA512
7f6beaf2a51dc8aa2d30400098ec0b66e7a8b7ed0268166cb57ef4636451e071d7b083c0f2147ea679ddde429c3ecf79c506136f0160c6af136e3a68d5e655ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
a0c493ae817103c2db82984a9b5b36de

SHA1
c44fd9fd758cdbf0db7651f86cc862a4ef4921d2

SHA256
644b0e5f9a8dec24931d122c6ee456dd66ecfefe5f03d632efead8704b5e9104

SHA512
0a86009527e490c6e7e1150c285e163029ac7cd6ddc8c48f55e3d02163ea5718c517c9d3685422b0d3b777efdbab93a67e6a043b49cb75840fbab6efaacbc2a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578405.TMP
Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
b896184f3f1686979b61183919590c3f

SHA1
d10a0104d657414ae9455860b7ac8c235dfdd408

SHA256
b989120cfe0fd3aba3119df506f7394b8995a4c24e0ef57143ea0fb286e125e5

SHA512
7404a86820d5973d0634a6cfb79bc88318fe9e1c5f63fec61041f2eeadee5f99d0f348d352194df74b06082162a3e4c0edb3f081a823ea36cbee00f5a810e62d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
14B

MD5
009b9a2ee7afbf6dd0b9617fc8f8ecba

SHA1
c97ed0652e731fc412e3b7bdfca2994b7cc206a7

SHA256
de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915

SHA512
6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
1b3bbd8d109ec699a41266b2d22af1f4

SHA1
863b2b05880f57e18985338a471eb898c5148147

SHA256
e2cea9331cbcf18009a1d1dcbf620866a67027f409d2663182eddcce7121efbb

SHA512
cac1d89b6ae1914dd4797a7608aef35705ab7d90e38d400b214082459f49a58a8311385ef5bb9388533f11c4e3b41bbb89bba38bee705fd643d7ef38348e6621

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
1acd770918cef032b415fff55b1603cc

SHA1
da2deb6080440d9f60c4183c30e00b4d14c3547c

SHA256
6599414950db0dbd582e81780860c4516532602fae69a189b4b9208b5310c33a

SHA512
3b9ba1e5f86911f5f371c65d3f267a974bab5d56e0ced9133fe58ca0c8ad2d12649f8f5fce03193e92e332c3fdbda28badd6f7b87ec0d41fe40501c55e77c323

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
9KB

MD5
ae5f555e7843dfb9fd8fce9cc4b07320

SHA1
9f98e470a2a8bd0e8ed75ac64bd977521dcf8db9

SHA256
7c14e9b08209c63ba66fe45fddbd6420cc93d660b87a7c588163a437a63923a7

SHA512
c4e1ca6bc7080a7193c6ab45e37ca126ad6cd99f77fe4e8398a32be704442c48501f6f93d97797c417e105a3442d7f833236578e58f0f975a70b93d3f109c1fe

Download Submit
C:\Users\Admin\AppData\Roaming\be1a18d4b4b1389a.bin
Filesize
12KB

MD5
b8b8adde895cf2ad28e0773233d4821b

SHA1
ecaec0b606adc3ecba80c15ce88ddae668248bb5

SHA256
f8443302dbcf5162fb45048af077aeb4c65a535d58740f0efd7b7c19054b36c0

SHA512
bf93708adaf99dfd6a060ca79eee1ebb67038b5238f214aaab96f4a52f4f59497df5c33689df6a70a6f11b5e2c54ce6cab5095d39f3da2f3a5f8db99a031c7a8

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
eadf6adea3e82ec87de0b40c1c5e1455

SHA1
c066021613a111daeb006d393b84ff8a30587223

SHA256
8f386c364584e9b1693e637a704a89f95b0935a60a8922bfeee0af20b8a647a4

SHA512
c8694a2bbb523b75b49a35f6d441e11c5436adee232ea5f96eee06695d4e886714c2034db9d019fb7b9f3cf7d8afe11b0c064a961502719d70dd63f534fec4a9

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d5c48f0dd8f0f69baecf0a743017a957

SHA1
4384a3d36b29b9bf707e158ac654ff13cd9a6257

SHA256
a2e1c1e5729f2f22539c8c2e4be605572932a0244faf65ee903d18e9bc3b002d

SHA512
1f7bf14ba29f5ebb557bcb85e2ee8a4188cd4c3d370144ce9d8304ded9be418fc1961e733bfba7a83f5681be2ec6863210962fe9795fa8a7d6a420441947e6ce

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
bee50e153c80929f52c273082736e1d5

SHA1
b56db5a2a6c2125c905b6b5822bd599c8ea3fcbc

SHA256
35084a756c88581a062df7d7b1c1c724d124bb7f33dcdc882848b9605c9a6091

SHA512
a4617268af8d055a74e8452bec22d154fa2fb1dd8dfa1cabcc665e9fdfd4bd8b9c2a76e0245248169553c78cffb1930d3062b6fe22d1fcd41b020d26eff309d5

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
8ad7553f7398fc14ed09479b7abb9865

SHA1
ba16b3edfee471b3ac155296c96165b6c0f3c5fd

SHA256
13c5cd91bcdb41b45eb63ca4a70ddade98df6f0d390d015e3a18702d9787f6b6

SHA512
e9f57853bdabebf548227c1ca55fd1f8936fec3f03099e6f1c4c182bfedcde52ccfb53e7a564c875e091a426769da887f6aa17ed4785854ad8ed6cb5c9fba90a

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.1MB

MD5
35812bc2f4a77eac71dfae5fdfc0103c

SHA1
c5ade4683d7312490ae6a0e48f82b5afaac1c364

SHA256
a1e1ad0417ece43c9695432f9db25c0bb86f9d94b58cbe509aa45fbac65c4082

SHA512
4c658d2923a531fd2a7260b2da5364ca63ffc434abfb5552f6eb297dc3db576f253853336852c7d2da73ff084374e37cee224cc43502c634362d2764098e5a1e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
88ef29ffab8d2278b00cab01bc10093e

SHA1
f27ab0da3dd5fdb05611c7ca6f291df43b98d922

SHA256
da38cf74b5fedbbdeac018aaf3325a0d38394f0b9d31894b5f6150822154b3af

SHA512
4bd96911fc074f2e4ec86f1dd7b5f79ae7f74f79ab41dfe4a2a96ecf5c2c04bcaee89ba6ccd1990322b7e1996b9b588cae7e8d1c3d10396134420794cf1e1675

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
4d71846144c6e2e13781f495dc7210a1

SHA1
75190f757f0cd69743f02c3a3de915c98a4bc6b2

SHA256
75455943af656f57368bdeda6624f21e22bb19b83267edb74775af14c22fa274

SHA512
d508b2bfc69c948da5042a0d4c1204b66332d3541f137fe05388e4cf5a7b56add1cf4cc0ead575f9b1916be9f9bcef7dc83a4c371855811f5a394218728bee6e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
399bce9d6b8307e6ef54305ea33a1663

SHA1
1dd86bc3de61e77922eb1e18d2c7729358d86e2b

SHA256
919a6c7574c946e22d653f8206367b40520c62b326e044414b9b02d3c1d13d66

SHA512
76dc2756dc477afd2be14eb37dbdc7242edade70c349fcd5ce819c22b14db4439e7aaa7b6f598c0673f00b63a73d354f82ef13f4aba27f9ad90a1ba594307a29

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
52fdda14f04e3b6c9b43539100be36d5

SHA1
9467ede5f76a54e790d4a1e42f9785698e15b26d

SHA256
e59af569d10431881eeef08a4533584307692ebdc3843d19934e2c0536a5d045

SHA512
f8b875a2a4d1fc71e2f5ab8b0e05c0f3288eeafc8ebcfa85b1d57e344bdf05af47693b2f02dde668eb195ba5f7d1dd730409fe82e200a5f6bf113b9bd7a08834

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
728f70d5518935b3c433786c1595da2b

SHA1
5837141c7141fb28b6af4dbf35139ca028f6fbb6

SHA256
0214496a6d8207b0e66b9f81d301197f3909007513758fcbe462f6b21636f817

SHA512
4045dbb47393e5d9371928e27063c6434095fed571353d0f82a1a4768300a469ac88d2803c11e88c955488d2be60d3bd79e187b1264c9cee5bb36c72d655f703

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.4MB

MD5
9ee4d51e148ac35a105a6d589c1226c9

SHA1
e3fdb8ebfe76a328e3e43d5671e215abf65d0938

SHA256
9476c3bb245ada607681cf30dab1a4cb5b856d86fae197adf25d979991f3a087

SHA512
f4c23f4b37c2dfad464aef3281297ad67475b29801c7501a8964a80c7d7a71c1fc88356c674ddf3ac1d3757d13586f2dcaf0f79505ee970a3b6fb7384dea03e8

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
0ad66a18750d1361bee8353e50f22635

SHA1
8e320a1e9605fb0084e66495f15ed907c43fe651

SHA256
2b164bf920fc1d140d3f6025c5415437ac7c9bc203fe68c9c64cc15386100925

SHA512
daccb98b71230bca0feb3d7afe6e769e8c67b795dede3957dea3627ccaace53d087e8d8e25b0585b3bef26cbbc34c821cdb41dfc19671a82530e76302735ec1f

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
c7997e092600b9f681e3505cc03931ad

SHA1
234381eca30a5bf34543f5fe4845672bd3c7dc7b

SHA256
72a44a3f7c202b4c551ea539ff6c0f92267b0b76c7031d5ddc968f05784c7ff3

SHA512
3c0359f78098b1e351081196821ff4a79f9c399eca4557d5cb87c9398af8ccf65494c0edf0e878309f13c1baf38df94eaf812189698f13ae56a1515ab66e3305

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
8ca00f7b43d737f9fc5eaed1ebde8cea

SHA1
8f28b2f5650bc81d70898820bf6907d1ebdfeee9

SHA256
f1352052420f9fe77b3b71d4582803f5e1349d120efa70b822b0db7655be8319

SHA512
3fe7e24fb6b63fae516ca4d6a325eeda9e6537ffa048cbfa3436839b687ae7c258c767674b263436cd70e7c02e36981521033e373591bf11860739527860bc98

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.1MB

MD5
945034d8561ed3bb7e335baa1abaefab

SHA1
f2817d4675361e8191c97572b6ce6811294713de

SHA256
6279d8ecbf45ec09b5c350f5845adcdddf0a16fc03e34cb60ca11e6e70f41ef6

SHA512
26a516d0bc478ecc92d5090dee27cdfc961a037d9e6534196e00e2952a33b7fd38c8d45cae5888de3ece0711a41f5cc5c52cd5b9f09ceabd88ac3f2667f9acad

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c906eb6da0c29989daeff18241490fdc

SHA1
5f4cbdda47e2a655b464b9fb5a3654bf0ca72bdc

SHA256
afcfc55e7ffbf58e0b09236929ccbc58f38fcdad8026402c7dbe519df572dd34

SHA512
a8d7bc00605cf3bd21137345c9ad647c9ca3abb0b0fa5f7fdb6cef566a4b538ee42a29b83ee21738ddfc3e775e9f982088cbbe63ee996673fce644eb82f531d4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
e26fb15abed6ba5ff1f54a1ecf73d172

SHA1
5d05f1b3dac6998264ed4a153f1abbf2d3dc7655

SHA256
74a52203fa9285afe98021228829c5aab48e02435940e53ac6c13df00de4e128

SHA512
0a1dcfbb298bf6c6ab20195672ef127228b4a24ce0f611a1652c18ad56fe2a94508d6328bab100ff7f2fc64938d180a3fc7605f4408cb6a903e95a9011637f5d

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
447830072ff247f2dad94dd513ebdf98

SHA1
c831b686e8ebc4336ee79a1336dcff4a75734f6f

SHA256
2bbabc05d66ed2637119f026d4be0fd787fdf2ccebd87f45f9f427a3c1fca13d

SHA512
9a65c4ec7cd763b192f56ef72690d4ebdd5fe93100a194095323b1308a293314a812b251e9adaa4f8c678e7b78e299cb3c9ea6c88d8dfcfd822f2b218d5cbb26

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
0f5437d4931bb06f38b6ce09b897a2d4

SHA1
5cf9a60af3e9be2676a11db729b8ece7fc46beb9

SHA256
bc51703e9856f100e756d3af443bbd1b79315831cb79397edc1d823bb56b78b1

SHA512
1ee2d486e0234a003efc80fc412df4f5ae1d4298a4d916ce7b34a76a526577f29fc8857c9d6735f6123e5fd03d8de5e866b1a785e9ec50ac4b211c8280633c38

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.4MB

MD5
5b5d4322ba271d9f88405a0bd7728182

SHA1
0d6a0cfd411e7c0820d7c88919315a6db458fc89

SHA256
1ceaad0563278c6cdeb897f5240373a2221d66f47117b1b20c0da15fa2badd74

SHA512
b329366def9aa5e126257935847b447473c025b25dd634c8248189a1e66f4ceab5b80d5fb99db51e83c43e86e9c1da61a009bbc501e7fe32a1aaca81292fdfb0

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
0f4ad35b2ae7dcb474d586c40e2f6d5c

SHA1
b8ce2fa6e7b6d35c3c55395d2e37aa5d7eb12d90

SHA256
f22da1ca1a3174335c3c50d33e9f8063c621b168865b540c9da9981bc5af7470

SHA512
f41f4ea2f301a4abce143383795427a138ed182f9eaedacc9e606d57f46829e211e91b8a40061bec235b4697989d7c77b42c80edfebe7b045038245cdcf106d5

Download Submit
\??\pipe\crashpad_4636_DSIKTRHLADSMEFRM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/212-280-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/896-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1124-6-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1124-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1124-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1124-33-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1124-21-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1484-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1484-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1484-61-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1484-55-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1676-44-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/1676-45-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1676-536-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/1676-51-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1876-277-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/1960-600-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1960-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2016-318-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2080-433-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2080-66-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2080-74-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2080-72-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2576-322-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2576-787-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2936-786-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2936-320-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2952-514-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2952-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2952-11-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2952-17-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2996-316-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3168-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3168-86-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3168-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3168-758-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3252-521-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3252-35-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3252-34-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3252-25-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3364-126-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/3704-281-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3796-103-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3796-88-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/3796-100-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3896-282-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/4016-319-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4204-317-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4244-127-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/4668-276-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4868-278-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/5696-595-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5696-532-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5788-548-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5788-820-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5916-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5916-584-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6028-821-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6028-570-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download