26b5a47242a126eae5c70e08c01233717a7598daa2fe4d8fcdec206168efe3e6

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
Size

5.5MB
MD5

c7efaeca80497df48c238c0a548f6104
SHA1

22d5d1dfd9e30e7a576527f46538c3cd3e957c55
SHA256

26b5a47242a126eae5c70e08c01233717a7598daa2fe4d8fcdec206168efe3e6
SHA512

31b1ad768182efc2921466da705d956bb51fc1281111bb6a82a52c3b29418f46c156a21c5a81d3f4c6af263eb80ccd3878dd4c00bc1ad6b45ca19c7b7d8bcf8a
SSDEEP

49152:kEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfy:CAI5pAdVJn9tbnR1VgBVm5TjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4988	alg.exe
4488	DiagnosticsHub.StandardCollector.Service.exe
2912	fxssvc.exe
2540	elevation_service.exe
864	elevation_service.exe
4860	maintenanceservice.exe
628	msdtc.exe
4116	OSE.EXE
1472	PerceptionSimulationService.exe
5140	perfhost.exe
5212	locator.exe
5424	SensorDataService.exe
5668	snmptrap.exe
5788	spectrum.exe
5940	ssh-agent.exe
6080	TieringEngineService.exe
5264	AgentService.exe
5324	vds.exe
5228	vssvc.exe
5728	wbengine.exe
5564	WmiApSrv.exe
6132	SearchIndexer.exe
5372	chrmstp.exe
6252	chrmstp.exe
6352	chrmstp.exe
6420	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c5a473bdc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000384c425a2b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b4baa25a2b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2878625a2b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2e6c625a2b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059c64325a2b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079b06e25a2b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096311326a2b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084802126a2b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4936	chrome.exe
4936	chrome.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
5008	chrome.exe
5008	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4808	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
Token: SeTakeOwnershipPrivilege	4796	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
Token: SeAuditPrivilege	2912	fxssvc.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeRestorePrivilege	6080	TieringEngineService.exe
Token: SeManageVolumePrivilege	6080	TieringEngineService.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5264	AgentService.exe
Token: SeBackupPrivilege	5228	vssvc.exe
Token: SeRestorePrivilege	5228	vssvc.exe
Token: SeAuditPrivilege	5228	vssvc.exe
Token: SeBackupPrivilege	5728	wbengine.exe
Token: SeRestorePrivilege	5728	wbengine.exe
Token: SeSecurityPrivilege	5728	wbengine.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: 33	6132	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	6132	SearchIndexer.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
6352	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4796	4808	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe	93
PID 4808 wrote to memory of 4796	4808	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe	93
PID 4808 wrote to memory of 4936	4808	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe	94
PID 4808 wrote to memory of 4936	4808	2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe	94
PID 4936 wrote to memory of 2840	4936	chrome.exe	95
PID 4936 wrote to memory of 2840	4936	chrome.exe	95
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 5104	4936	chrome.exe	101
PID 4936 wrote to memory of 2804	4936	chrome.exe	102
PID 4936 wrote to memory of 2804	4936	chrome.exe	102
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103
PID 4936 wrote to memory of 768	4936	chrome.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-31_c7efaeca80497df48c238c0a548f6104_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2e4,0x2e8,0x2d4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc15bbab58,0x7ffc15bbab68,0x7ffc15bbab78
    3⤵
    PID:2840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1884,i,17941957965666228883,4077928290524187835,131072 /prefetch:2
    3⤵
    PID:5104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1884,i,17941957965666228883,4077928290524187835,131072 /prefetch:8
    3⤵
    PID:2804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2080 --field-trial-handle=1884,i,17941957965666228883,4077928290524187835,131072 /prefetch:8
    3⤵
    PID:768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1884,i,17941957965666228883,4077928290524187835,131072 /prefetch:1
    3⤵
    PID:3024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1884,i,17941957965666228883,4077928290524187835,131072 /prefetch:1
    3⤵
    PID:2348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1884,i,17941957965666228883,4077928290524187835,131072 /prefetch:1
    3⤵
    PID:380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3936 --field-trial-handle=1884,i,17941957965666228883,4077928290524187835,131072 /prefetch:8
    3⤵
    PID:5204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1884,i,17941957965666228883,4077928290524187835,131072 /prefetch:8
    3⤵
    PID:5220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1884,i,17941957965666228883,4077928290524187835,131072 /prefetch:8
    3⤵
    PID:5744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1884,i,17941957965666228883,4077928290524187835,131072 /prefetch:8
    3⤵
    PID:5244
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5372
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a0,0x274,0x29c,0x270,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6252
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6352
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x74,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1884,i,17941957965666228883,4077928290524187835,131072 /prefetch:8
    3⤵
    PID:6772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1884,i,17941957965666228883,4077928290524187835,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5008

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4988

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3888

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:864

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4860

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5140

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:5316

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5424

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5668

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5788

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5964

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6080

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5264

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5228

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5728

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5564

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6132
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6052
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
b063f76a214f561f7dd795a3d037266c

SHA1
0266cffb220d5858f424647b35897f06db07e682

SHA256
3c9569d2c2e3537b5cadb6018a9a10a607725914ea00deb875e9a80ef2e703cf

SHA512
3facae10ef491608df305ba9e6871e3b4e82a58b7ef594b35f9c91cb08349b4f96c18936ece8aaf4a094525820349fb8f7d61c66baf866a523e6502e3d151da2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3491d23873bb0b15e0e13cedd249330b

SHA1
e77776b8de788f459d42d965de23c05b322a7205

SHA256
a121ace895825dcf2d65526c5b4bb95d3fbd3d9edf7c72c403e658d9b253234e

SHA512
85cb2f95a3bd1f6fa2c5571230dcd625741cd8e620a33ca2dc9830a7eaf64cca6a392bce6d52bbbf42537235f6e52ac9a57945a627838425b0cc8eab5b1690e5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
07f857484b535aba3aac13a5831fe0f9

SHA1
33590ebcebcab7bfe20252feaf1c1aa4c4f46ca4

SHA256
79f67ab5840137ceacc4cfd8a5c89cbbb62685a372ea884743b8cee36b84af14

SHA512
a960be0df89e5a45a7085f13dd0381dd284e957c91f4010e4e1c6c9f7eb71e8b44c4df3982f1fab41be064192c86c6ebdc227500a3405d3278e75bad2e4d8dda

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
42e3c58c5d55dc25b371c57e7e70b421

SHA1
a75637d7767fcdf79ed6539f243b65c4f49a9c27

SHA256
d9fb29837f697a771a7d61ed64f39ea70e910fd338635fd3302dbcd38fbcfd51

SHA512
908c87d6664fdeaa59b58a266251a61cc69b5c5a0e4a00465debbd285872ed3238cfdde158640481cf797461579380940200da74934271fd4c9defca4033102c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
99f65e6ee13829b6202e4b58067fc8ea

SHA1
199b87d47c16e8817f31640a9389a3ff1bf86d89

SHA256
88ff260dd721024fc5e9e2940ee677d3910c268375678c8262d3033ba8320064

SHA512
a8fd769e866e72dda78bcc23591725caa2e8d7b2a448d0abeae5066fa9aa78d5e91bd5099fd6dfcaf38959ce5dfded47cfad3dc994075087776421beddbe529d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f1b7bd7befbeb004cfd5c885bc65a76e

SHA1
0a3e901d7fc8220875f1584c707a5837f895f5cd

SHA256
4df3d6c21503b01381990766782b585545bbc3d28f0922553627f9cfe687ac2c

SHA512
18ee8a21e5c6b6b5d344a41009f60266c7dd02ffb3f2ca3e0474e8741ff1ef30ad482695554d9e7a003d8c38b57e84125bd3d4131aaebd8b529d1ff3d673c882

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
fb66ce6ae91a4915929e0d9728b837ee

SHA1
684d2ba3f5d856595c9e457e69068ef239ce8efe

SHA256
43d502e872c9659d963eb3ef1e127c97a14f1a220f51e8be52e60cc18b5db283

SHA512
aa4cd74ffd45422a19e78e32223ab41e1def82f3eec2e7d6d17f6790bd8d04a0a866b13b2805d98ffb01fa5dc7a929e0bae167883cac76429114bbac1ee3953f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8643f2b3dcc4944a85d1ae3c17dc3156

SHA1
119629f0f5b7f397194b094ec261b64855588ee0

SHA256
9d3dba071258add58a37cc68a18c0b0a7192d4fe5419faaae6d9b91b559cb7d6

SHA512
93b7d2fa8856002ff3c599028e9c220948b92838d8a275503fc1ced81e18a141bc71242ac27d6aadfae59f401242ed584c08d500496f21a1fe1868670921bfcf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
c81da4b26602a63fcc7c03eb1a349e23

SHA1
3de7d2129f017e973b14a45c0fdbff7b394d1585

SHA256
134d56df5c2f47ee2d0020b2077a31376e24b9122e86bfda7d77eec56db0b547

SHA512
fcf5c92d8e12c8e0dd29ec76254ec157084254d27c6653561cc1abadd0ba67786df16038730a9e25f80b052d38017dc5d289db3fe9d199f48ce737953e31dbd1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0ba0f7ac68033fea594a08cc6ea3e0a4

SHA1
79842564423f145d15c45633741ab103581f7dc0

SHA256
f2507542062ffbc36f8ab1d727646d37ba718e3e86110c71c2b99e7043055105

SHA512
0c90ac46ea44688967383cb293d795bca1e0ff6d4302dcb72bc1610eb3a67a056d1e6aaae4f609da0fe27fe7108f660788fb996df1a7cd571f4f2043232d4c07

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
65a0bd17deca6a97a192f44c7b13f5ed

SHA1
99b170376b8cdd9310dfef33b75bbdf3213e5c00

SHA256
ba9d7893abddba6922747c4d3b63dbb0626a623680cda8d826adec92b6dda801

SHA512
6d5687b6498da4f7c49b7c3ab89c93d3c68c1e8ee02a1cc0edd9498cf7cb4bce3fe5f267e6c2b900f09616d76bbaf9b8589c8811ec681c3c80b94e8afaf84b13

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2fad9d94c6149ab4f4eb40aca3c130e2

SHA1
afd78df2f2180ed6f2072d9ebc667ec0802baf7f

SHA256
c61c9021dfdf0e6770290763da3806ae2b9a393b0ee9d4d47d414077604ceaab

SHA512
d0b40d355b472799d3c2ee38df8109b199b44de353238557bde385e093170a6e28a180f3947b69842c8c9ae9e80708b7ac174625024653e0b4c0440144293a85

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
00f314c5f9da0a22cf867768118db12d

SHA1
5428c5a91fc57aeec301a2b5df143566b363f7c0

SHA256
9b9015d7d9cc1ae16e7d71413d7221469433c96f3d74fc9ed51eb2e1add2711f

SHA512
3978b945ab08fa33c7e0a88df509439a56c710d4e37586d606fdbc5b2496989d8852797c78340253a22423bc6534be0360e2ea6b045d4272a099282ad6e45c3f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
33c42d8f93df8e7739fae2b594ed8c74

SHA1
a4908e7f96963f0ed1ef1c8a3b4210e86e42cd63

SHA256
893aa77d3dfceb291d2c98ac13427e076cbb7561a0bfa19c8257d600e14b4620

SHA512
707998031f4a386aa5d813c2c9d373db2d00d1e43c447da1bea07012eccdd64d7196e1646478a2897f7aa16cf037dd4873743ab9f45a2876c8cf490fa10fb054

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
22e2f73ed26aac0150be0e8debc41ae2

SHA1
16aca57ec27d23aa8bb8a31f2a7c85caa4d50cde

SHA256
d2f0387a85adac650c79a90269015500bda73565b49fc8458996fc25ff777811

SHA512
f5158e95a32f28b17e8105048b10ef3b9ccc3a78f9f0f17373c5dd256833e50e55882f5330bb75004f70f3fea7bc06d7c52d38feacff7b1c12d2e44c9da3835b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b2414ec31fac0365e20ec4cd7ec2ab73

SHA1
8cccc243059c1f0ce95cc6870478d2b1748d93dc

SHA256
15713a3797f6dc73cfe1fc44d45065ba1c9e94c62fb70c2ff34353bc7cd7f364

SHA512
2f24750e48d7e1787c32111830948fc5118728cd7f0a9a2cf1d00ec226ca8798f1142b5493876f0fde119c7f80d1a111b8b0005228d3e23c2012f676ba8048fd

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\1931477c-e667-4017-b723-269b6b38d242.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
63428c2ead73cf0f4f1140027f115e9c

SHA1
2791eb50ea22d268a760ad2a08cf3fb06ce6a474

SHA256
d3fa9c80dd1be32b4655430e7878a8ed534c6cc37d45011bff4cc84c0816e0e1

SHA512
ad64165592f54cf86882f7473a02532146f9140fb95d6640d6bfb93ecafd0051726db558f946ddd576349153d49d7b5b71681016ea610cd7305d8904d446e65c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
397e5a2defb32a58fb216cd0bccd8f7c

SHA1
8d461661716d92e2db9bdbefa2f1dc85e433c05f

SHA256
39d44181c2361da960301ef6c4c06ef8647c3b89c5b6a96a89473da861f5543c

SHA512
28a52cb9066e74706aacd6c6953672f92cba7c5909ccde7306c856461935edb4f332d1af5436e74fbe7712f2cf8491ce3604be7a705e77bf5564ba64fa0b07b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9abd5d7b4f7ed85fc5e013f737717772

SHA1
6250cb81e804542b451e8ae4bbf73d64eaaf18bb

SHA256
592b62a632e90755b5d33c1910bd94703141b6a5185cb786afeae234ff93c3ee

SHA512
ea416bce1f4c194141382e65611e2906c63dd100e7df2cd9ff83785029a3614013bcfb2d2a5ef6b001b3c5290a59e05ebf09f6a340a49c8388d302bd7d3a0c4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
341e284ae663bc981cac067c89dd456c

SHA1
f3ac2503011e920faaf1e8548a63c2a288dcc71d

SHA256
7e4505fa01b4d62c599c11eaa98e938a11cdebcb69890f45bdbcf50e415c35af

SHA512
c3d6e5a087fc6a8f9914f64fcfadaba441e1a9a02806f36199b4fd7267727af16b7a62994fc9707294fba001ce63fa35e78edb7e6309eb1ac97a11b68bd03b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
079930379ad760df1e43079e901d1bdc

SHA1
f9fbc3dc4860cf32fddb434a8dd2cfc10c8a9f70

SHA256
7904ce9494031bd1a62dcbc3a60db5c74535db3dbe51bcd7be51fa5ee6639351

SHA512
af33cb9cc03f6b0c3bd3a091828ab3f0923b6f07666b907a13041533fdededcf577625e31b62a71dc0bc3bbd717d39090795e4425a9bc0e85d1397193110ac26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe580de6.TMP

Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
757dfb28babdc5f3d4c8a2d87531ec64

SHA1
32ba38adc89c10b081b758bbaef376a548c93f70

SHA256
cb52c2bf50aaf8d597e1defb77e6082b59525cbf58f2707fc72b6959ffc54c3f

SHA512
ff69742b7b1509f8a8a22d16be495c4c5d60e16ed1c0e50931a04067b74285b242349708cda44b045c93a167c13f8689ada89a32e066e139dfd3bcc881154781

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
23a2378f03d6458243a2b5ebe42deb5f

SHA1
9e2d0e67cffb7b41b66544c6e75154d035430be3

SHA256
f22a051676aa911b9949f514f1db6f6734da10a2f6328ec1d7fbc549c11de8b4

SHA512
962f128742367811501ed0c9fd29ea6f4cc04b259c4552b459005725eccdd8762128850b00dc6d50f2763f48d09529c025cbfc5bcd4310d008d8add6a01f57c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
ce7deea3252feb17308606d6f7f255fa

SHA1
5e55424bad794584abf369644dec59f2195b1e36

SHA256
b1603a1fa9adfa676d19b69a8bc8d951e556dfc79dda7c694ab9650524c9c14a

SHA512
3ce1374c2bae2c0823baa1c89d060e90e95affb17cc70df345555be8875a4ac9d12899b8a33d7a9ea26bbba1bf910c542aacf11eb7cb6aecf6af1aae9d372493

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
cd6a08335ad6c71d602b40e5c6704fbc

SHA1
8889ec806eca4e6a9a8f9fa44a5cdf7e4469d915

SHA256
1bd0cb3a00353fe111f1b80a7784916f3303c472e68a0d14bf341b6327ca6c3a

SHA512
dc722d0590940e06d0bbc561631eab635ad3a18388a0ede638038a491c18dfb113051da5e8f6614e427b31788f6f374c12f40d7b6205b258cefcf63d8e89af8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
86d1b0db9b1dffd64886d9282ca3e161

SHA1
57d9ec2f22871234d049ac032983584447cb8a58

SHA256
e2309f46c2c64b0c324935e7ec91c343792de7e93d008633ada519b84d5dbb6a

SHA512
d584e5e4dea49987d7e06694c5ae9cafb2ef8809709d76089b7b8d80bc9eb5fcd33684fd64c67eb72dc570625eff2c947fc909ff41490457e6b88f6a54fa7159

Download Submit
C:\Users\Admin\AppData\Roaming\c5a473bdc3a5208d.bin

Filesize
12KB

MD5
4529d0b6cf4bd1240ca4072fdf625e23

SHA1
da3cbdd2e4a98ec0a5577c58340ae1a87bf2d3cb

SHA256
29340b1b10b91b1ce67ac381e877f92b3e5592320176b003c3817ce3f9f7ba6d

SHA512
05ad24f4e7c5c74aba3f595c4ae3b5e8da7ee266e2b9730c1aeb42b089368cbac9169775fe490853393a4fb3fade0dee8a5d0f2e7cabc5c83fcecdfd3abce022

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
94cc3abad88004eba7d017e77596d150

SHA1
5290753f19755f7397e1a4062b13670e19f429f4

SHA256
193e51b0da811d4c8815efd3e9503cd376eecc58b9de941ea87d8afe35128778

SHA512
9205721ca79cb557a24947e0a7067937dfc4dc6fc04fc0d4cdf91d196320cd38dc2c2def93bf9bb64f134326c0be65b5f6431e8cd9436532971be0c1f69001b1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
864687f9a1dc7604a60301a190457cab

SHA1
53963ace87980d52cd6b6b4cee898695a6a5a9ac

SHA256
ee9f385f3b5f160f2374d2af9ab77fb9fc67f0929ab34500eee3d04c5c9c4ed1

SHA512
7187b26b4ebb33cd224561fa2da4c4b7693eb3dee55f71d158fd4d7cba0601f7b7fb10b5b4d22f3dd4beea58350e67594b78fbf7ffa934ab4500473cc9a268d9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
6920267579341eae31f2832a17d81043

SHA1
35885665fcef3e79afd275f3ab91058b51e804ec

SHA256
ae2dab28037fc78cc2a726c0078100a598afe8a68539f4d80719a9c6903ba9a4

SHA512
d4c5d04fdff5c3c5bf52f893a97657569568df0ac411c128f0f955915eb36cc9355a565af9cf42c31ad90f7efdd94e047f52a57c46586f776c7743833fb5d0b7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b7134d33af7b8a515c6a39c5a2d0e4dd

SHA1
368b91108ee3f723c4cafa3ac23da003cb692215

SHA256
3d2180fea16ea138838e62be77c0dff09c29de9db8a967efc9f1db1620d1e778

SHA512
905756eb26dc391569edaf02c81473a7c8dd399c2830ba6a5e5b8b62e01c4bc387e0dc9e2da6bd00d0c20f09bf010437c8c90a9b006b171882914fed64313816

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6cdc7e763c7a98f75f710a5e0f26cb59

SHA1
0c0eff9e9bc30471171bac9f46fbe7118c2d3b73

SHA256
1e71f8d1f33b6691b2614608f177cb8e5f9865f509ef089b389ef5183570aed1

SHA512
14ab7a806b0d7393ab3df9e81a72450eec923785dfe95366414792a9f664462b029a686faebb907745e2520b45eee5be7c4cf0be24c23314f6fbdd2022c10540

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ec09b4bd453cda4d46f7f1e449a177f5

SHA1
7c4bdfd1c7ba23ddd8e2ed6e7b7227f090256072

SHA256
3e64c9b6a59c9e5172b3b728198b0c93626108b325da3988469d558ef6a2882f

SHA512
cd9e485e1a1f78fe3406aab19dfc738036932e7b658cbaa3a3cb34718f3d91f9cdf35a69e1713fb7136fff22e5fb90d565e56fe2047faf127cef147e23b2874b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
c116ad7f29f09fa4062f49f1c88c0026

SHA1
0fcf548791c8e6fcbd5452c3983dbae68e1ad125

SHA256
1131f8272d86d7ec6b6e46d93a31b75b24f878459a4b2e6284bd5fd0807d508a

SHA512
6385ba3f5cb97411326c808c2414513b6255ea5e2ae562172e32537c2b918ac55cc93cd607dde20b7b6c63a0eb00c8c9999410bee05ee223782ebf0b621a3bd3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2f84e59d84bd568e4342bc41ea76bb8d

SHA1
12aaa16f36dc0a5df1df2e6a16d7a94889de819b

SHA256
4f7bd3758c3e997d8c54e3ee8373524de9ae63f4aa5d2f3757a307db94190690

SHA512
e13ea99d5363731f9acb3f5078e5f28d3a1cbb63d0b6423c040fccb80bb00ba5698e156b8ffaa3f3fa69681d216960aac6f6d73a32521c648d58f8be52d4793d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
44c116e4efd52e2c72932981cd66221b

SHA1
3416b8660e62ecb3717693ff67052e2073e898f4

SHA256
7bca18c90e23a5b6ac30a0e0607566154e474062677b19050687a7ddfae7ed0d

SHA512
63f505139e9e4031b1babc355aba924e6813a8bf07327d0d4031b3a084ead82ea10971f1d0ef335aa313f2f294be8fe387493eaaed9bd94f9ba7bb8151ca33ef

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8b5a15b423e649888657aa2435fa5c2e

SHA1
7b3739a0a65e0d2b3050bf6e7bf1ce10fcf9d16a

SHA256
fb11ba723cbfd32c9a393c30fc44b85edaf588014301c1dbca246b74cc96ba7d

SHA512
21f3681b00b8462fbb3249cb31c28fdaec7c314477e0c4c5c0436296ecfacc776ca22bf7381020e57e3906aa93a5784d53f9c6b67ca3b00101f86330ec1d873f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
10a6a1b3cd29ec294c12673e11b528be

SHA1
9cfd4878b25298c85ddcab634edc9966665a43ad

SHA256
93f84caed24ddb78395f716962fdb806fa3eddb594273c9f2400ec444deaa0a9

SHA512
73774631e8935a9940cda3d3496d72af81616bf66d17e7db38da432e81c64552852faf8012ecbd18d9b3caf6c1748a7becc175d220beda9208404f9e2ef85bc0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
423ddf7f5972138c5512e0fe17ccfc2e

SHA1
c4147d6e4fa36a55ef04844c1cfe2b4dc24a4d15

SHA256
96f3cde341b1793ddc8dbbda40e099eb3dd7405bc84eb87f45d8c1e9db381c6b

SHA512
11fa04997148a1a0298f8c7340ed4a2f55cd829359fe8838bc3acd1b6344ec4159aa7d2842a321222da3339734e98588564dfc2fcce10ebf52f759bff7d51ab7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2b32a86caafd7ea0ac4dcb1724219324

SHA1
21eb65f0ff0d01ac44f36a484efa30a1c7dce960

SHA256
fd0a1ca67a78e0fbc93757659ae9c609fb59efa1e4437983b87b72b0f5bd2e8f

SHA512
7f7ae4fc36a202c4c555542f923cc135e754d5578ddbd7baf7e3147e2ccd2eb6c46a2b68ba668b43c5c81dba8574f36b286b3343562f571404a0a3bf9d182511

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
23e73b9c8927386e7edf35ac508f5daa

SHA1
6428be516a0a738597fa146a4d5beda1253afa0e

SHA256
28275e9d9ce69805e53fdf3bff85ff67a16acc93b546db9b19a6661495ffd53a

SHA512
2ede873f2c75a15a9f6eb2f304ac72425b7429714b345a1f23ef2b9d8354974aa56797627646c394c231575e1675d89f1165fd557ddd80a14095531453fd28be

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3772ce9da7fc0019d68354cf23476cbd

SHA1
31007d25b42f301b1feb98b3070f7f8da1220e93

SHA256
3b7c63e2cd9c86a8e36a1b04bebbceb1b08c3e142b5f7c1c465ccad159591c21

SHA512
b4078a5ae3f3d5a93fde0924a470f1df746ffd7eb11b402b52cd4c31cfaada69be24a401f3e1665dd9ec631f4d38e0a8802dcf9ece4d9bad5fdb464b55959601

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dd52d94ad84585f2a340fb06f404691e

SHA1
22b5805349a8a402c9a2aef2d7fbb389bb2df239

SHA256
5d8fbeb131f36f2d348abe015e00735c73629a51f91695dd6099c9c43566d905

SHA512
8bcdca537aec6d17490a1fd83c2fc3dddd0a5d408832f54c39ccc017a5b74b4c42d7f2e4b29ae4f93093a5244f9bc2ec09c0031130017080f479335b82674e14

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
adeb51afadd00ebca3c3973cb86c2d2a

SHA1
aefbe4cc5d3990be9e65f1745c13c19742848be4

SHA256
d927aa85728573d9f3ca3454611ec7f8bae39b730624cfbee4769615ef444caf

SHA512
38efd0dac0e7f4ffc510ea5487c7265183fc581f845856378e4d46ded07583b32f2ccfb57c6cb0003a7ad7cfa6cfef600856e275c2f388ec864b51876d2d34e2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
233f90625a6127bd40f57aad615892f4

SHA1
1420c55c19784ed6def00fd683c96f182cf7e839

SHA256
e2318f5295c07a5e224ca035d613947b21ba54b819c1e17935daf01e41556c47

SHA512
932124304debbd47ae88db2689def42bcd7743241d5a369f0a0d2ce36cb619787497b515203528575b520df2ed1a5fe1e51036c86aef76dd598d7b014e11a98c

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
039a361e088d83a2ec84645ced774bcd

SHA1
b9180f488645476e16d826cdd68b8665ca0deee2

SHA256
91cd7b9d20b9bda3252cafac9c8433b5378add4748f53e0a5fbfa7345f8916c0

SHA512
cfec9d2fd226aef56f36ef36b53ae0d308640fc539827fedec4a1978d3ccd9228cf285532ca1d1234dead4b107e9a40027e4ddf9907a9951ea4a2ef4102f1537

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
a1711b0aa256f6f3cd5c5d39c2b0dd67

SHA1
4a2e2d43b0d2ebc2eba8855119607580da47af7f

SHA256
21184c5ed921f17b5ccfd24311683a1fa36d884ea7d2a58b9a04a9a0382845bf

SHA512
fccd2047341b71c15738967ee01020eceaeb725ebb20f2643560b94f79e09fd29cc2951890c0a8d08dcd95963e893a33dbc55cb2897b4272fc8a04d3275f65e1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
94f7f132843335c238316b81c0f97062

SHA1
0f640a59b45fbf812a56166e4ff53ef0e3418940

SHA256
c92b0dbd539062b0dfed272d34554010233626a5e3dcd30aed4daff0467896b7

SHA512
ef6271c10821924139ed0b20cb5141775e3c23bbb47cbb2fda0b558cf681fb0986c210b58049d1e9fc60b51802099fc4dfdc1cbd7cef707cfc9b9cc7ff973949

Download Submit
memory/628-135-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/864-246-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/864-95-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/864-102-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/864-96-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1472-164-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2540-76-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2540-70-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2540-86-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2540-134-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2912-121-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2912-60-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2912-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2912-66-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4116-537-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4116-139-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4488-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4488-50-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4488-54-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4796-177-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4796-10-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4796-19-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4796-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4808-41-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4808-6-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4808-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4808-26-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4808-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4860-107-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4860-122-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4988-40-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4988-37-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4988-190-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4988-31-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/5140-165-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5212-178-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5212-561-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5228-332-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5264-270-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5324-331-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5372-608-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5372-535-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5424-191-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5424-621-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5564-334-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5564-660-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5668-632-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5668-211-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5728-333-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5788-215-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5788-644-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5940-235-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5940-655-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/6080-247-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/6080-657-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/6132-661-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6132-335-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6252-662-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6252-538-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6352-550-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6352-597-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6420-565-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6420-744-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download