89df094504f435ca8abb157fbbec2b5707042c1932061c2bb9b099ed43657610

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 01:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
Size

5.5MB
MD5

65f62d940fbe1a8548b933d3f9a92656
SHA1

6923dbfb68cc249ecc33101ecb5549f652fda286
SHA256

89df094504f435ca8abb157fbbec2b5707042c1932061c2bb9b099ed43657610
SHA512

f4eed2343875599f93834bba9d3f7ec23f9c8f0ad2877f28980a3a22bd0a288e884fa2d2b1842a1a5351ba9bf6db75c5485315c752f68d914705c07b54f88519
SSDEEP

49152:1EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf1:pAI5pAdVJn9tbnR1VgBVmKZmemT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4000	alg.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
4596	fxssvc.exe
3000	elevation_service.exe
3812	elevation_service.exe
3160	maintenanceservice.exe
1652	msdtc.exe
3212	OSE.EXE
3988	PerceptionSimulationService.exe
4976	perfhost.exe
1448	locator.exe
4564	SensorDataService.exe
1436	snmptrap.exe
3584	spectrum.exe
4332	ssh-agent.exe
4636	TieringEngineService.exe
896	AgentService.exe
5072	vds.exe
1728	vssvc.exe
1320	wbengine.exe
680	WmiApSrv.exe
5212	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\316b6b9c92be0f3e.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a75cfeeb9abbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4852	chrome.exe
4852	chrome.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
1572	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
5472	chrome.exe
5472	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2628	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
Token: SeAuditPrivilege	4596	fxssvc.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeRestorePrivilege	4636	TieringEngineService.exe
Token: SeManageVolumePrivilege	4636	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	896	AgentService.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeBackupPrivilege	1728	vssvc.exe
Token: SeRestorePrivilege	1728	vssvc.exe
Token: SeAuditPrivilege	1728	vssvc.exe
Token: SeBackupPrivilege	1320	wbengine.exe
Token: SeRestorePrivilege	1320	wbengine.exe
Token: SeSecurityPrivilege	1320	wbengine.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: 33	5212	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe
Token: SeCreatePagefilePrivilege	4852	chrome.exe
Token: SeShutdownPrivilege	4852	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4852	chrome.exe
4852	chrome.exe
4852	chrome.exe
5132	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 1572	2628	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe	80
PID 2628 wrote to memory of 1572	2628	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe	80
PID 2628 wrote to memory of 4852	2628	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe	82
PID 2628 wrote to memory of 4852	2628	2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe	82
PID 4852 wrote to memory of 3344	4852	chrome.exe	83
PID 4852 wrote to memory of 3344	4852	chrome.exe	83
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 2508	4852	chrome.exe	90
PID 4852 wrote to memory of 1544	4852	chrome.exe	91
PID 4852 wrote to memory of 1544	4852	chrome.exe	91
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92
PID 4852 wrote to memory of 3592	4852	chrome.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-11_65f62d940fbe1a8548b933d3f9a92656_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb820bab58,0x7ffb820bab68,0x7ffb820bab78
    3⤵
    PID:3344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:2
    3⤵
    PID:2508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:8
    3⤵
    PID:1544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:8
    3⤵
    PID:3592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:1
    3⤵
    PID:2884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2920 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:1
    3⤵
    PID:2548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:1
    3⤵
    PID:1164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3896 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:8
    3⤵
    PID:452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:8
    3⤵
    PID:2732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:8
    3⤵
    PID:2908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:8
    3⤵
    PID:464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:8
    3⤵
    PID:4604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5060 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:8
    3⤵
    PID:5076
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5900
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6668aae48,0x7ff6668aae58,0x7ff6668aae68
      4⤵
      PID:6128
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5132
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6668aae48,0x7ff6668aae58,0x7ff6668aae68
        5⤵
        
        PID:4356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:8
    3⤵
    PID:5512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=736 --field-trial-handle=1932,i,8712186663073844779,12248786913286554343,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5472

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4000

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5004

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3812

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1652

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3584

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3564

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:680

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5212
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5932
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
15ffba0471b596a8d06f1d6e76c0443f

SHA1
fbd8ab3d8a94f8a6433e9bef38bc715ecfe3f1df

SHA256
c6ec72ff47a156d83c89fbea5258da2735468b7b49d3bc40a76c7b45cf466087

SHA512
edb12ea13c9f43b22a13bb3adeabe37e07b41b4b6ea3becafc830e999c6cd73223cc5529de9bd908b31107ee635a75b696fae66c41737eb69934cab8a4d03b27

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
54072e8960a55d598c3b3aae3984f94f

SHA1
6451622605b81ca7fd37271ed827eea0dc688aa5

SHA256
d6835985aa5fd1f8b7bfb1c0233c5a00c9b1e627404e759103bc1094dc7eb321

SHA512
e408de8d7f42282d4c280f127ab36e211b975c04eb5fb2caa157e028e6b8d1057b1fe3c3cb540a788cb8e5a007506a2a57a5ed560ad58493d79ae6121f1e2914

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
07da86042e74b3a9a0d136d039fe72fb

SHA1
a7434253270750513347dee04ea3ca7c5525eb29

SHA256
85f7c38bb14f4d4fad83bcc65fd1cd07f44a2fbda69cfbf7a363e238f69a410a

SHA512
9a67fad746d813a0c16076ddb20e5267b5e762d697f3e4d043fd8c696259efb6996905eb280b1243d5d1ab1655145dbf1625c1464c31b39aad9e1d26dde4ba00

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
43b8ca2c2aed5559f3478473c1e6f222

SHA1
538d353aafb9327ca707e5dd18375bd8db449d19

SHA256
525308e674ce8ae043200cf9aef16d58031b943d3554410ace0045e2ddd68e19

SHA512
0afe15bc4d36ee709d65aeee1711881dca69fb28dc8334f71f49460c8ddb2b94a9a859f88ed24914fb0bfe80008013a0199764710743b82e6d192f6d4cc7874d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6d02567d0ffb937c4757eae163fb0ff8

SHA1
eccc885fcbf52ba1737d38422bb45bf06c822a61

SHA256
6226be02df954e22bbe0d672fee9520e74fb8cb2fa297d0a24bb86525f9f8d32

SHA512
de1d0b859c1fd620fe63f72d3a331838dc1b841326b827e9b6db47dac9ea598ce793a10cb8a9c61f06ef21218ca0c7c0e04861a6884ca623e3a69f0bdb504813

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3ac87a152b57fc4600ca3ddfaded656b

SHA1
018a432c861f52980236abc811caa4fa2c43b76a

SHA256
1e4fa9d3a52ba06b95c82a51554448ed862ada6177585fad779e685ab4d8937d

SHA512
89de5742ac8a60e316839bc15003f92ad83a488fadcf27292c6ca0160d5ed815d752f5013f91b279475bfb0c2975b44f03fc14e561ebbe76db5c4bdd5c739cab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0871b4ec022f9126abdcb3a98263bee4

SHA1
88f880413ceae6dac2c3951a7b09f4fce6e88cee

SHA256
beb3144a45ee820e263d2e381c2263b57402f97b6257ee8452a85a59506d20b0

SHA512
189dc40c9d55454237dc608826f2b2b645b52ca8b1f49a149a949fe42907c1099b8211543ff03a97b890ff8a4fdf50c4865728f76d669e9a2c926abaf2aae25e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2c1ce503b9f3ab81cbe3ca9dfdbdf5c6

SHA1
b069e2c7bd96c2dc298b1e10d8fa5f9b0918ee82

SHA256
2bf60ffb431189b2d5dbcd27d18ce477ab61465b3814bf3b5ede825e2c009873

SHA512
e8483bb6dd83b705d90c2def89cef3273ce8750145140d5c1c28bcd316a13f1642cfa9e066d9cd6cf1a8b9a6fa1d1ded904c017aee8c522787d44a8d4d623d9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fe1683a19be5a84d044ba7aec9d1a468

SHA1
fcee207685ec19a4a094e68a7a34ebee94eb66c9

SHA256
e7b5f8427645b212470a835e7576e480080fec983ad5eb9f7428253fed6f1e02

SHA512
6cbff81c5dc233d2b520e8632db9fb5bcd50af1d3ef9f5f42e553c5acac950023adb2f679315801b98fd5a97e0fd1ef567bba656377add153f546ed8fdecb3b4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
55bcfbba6dac0dd0533e2b0cfd0d19c4

SHA1
91a648e6a5bbcfa6eb3a92463b374f0a3396e178

SHA256
fd5ba12d9c71b61bf41a025ae65f73ea3477038bbf1f329cfd9548aae6edfc9b

SHA512
c3db9acf97e31cc7b0e61532fc49f8694af50b3dba28f85905f6438a34904e10c9685314bebb247ae6dc33f8d10e2f9364e2b6dbd8e3425461ea29097c536424

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
102ab3d69f2eff2fd5ddd47764fb9609

SHA1
43ab450dc30bc4866542504d57c8c6f312d16545

SHA256
4252f78669dc99bf85aaa934c3a9424488d1064f9bb4b233f0fc59f0c1f82142

SHA512
7a8acadca4047cb8544d75a4ad76cf7b1669de3e4c28e8efdf2553abb3d0219543187394bf9a2906ecf9272e58458acd0f221804680897a90ceff5b8f6e17012

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0f4644ce36457b7b5b98503247e3c942

SHA1
0a22e454fb849b03b649101977edb8777f71a02c

SHA256
c6e07a2ac446d0fcaddcc62d6fdcbff6d7efec81dd9ebfd2f289a24fd5018ebd

SHA512
4d6bddd76f68b3c50bd79ac3150586b4a4ed389c10a91ea54dad6ccd2297369629e04b58d2bf25e7d8c56d9300ab3092d1f36ece29ed2eb56ffcc5b9b41103e5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
978c67593bd24a5234b5e39693b69197

SHA1
e003f6e77940cf71b8d8eb425f45cceb4a034b0b

SHA256
bb37bf360970f8fe20a9d07f96c1a603ff6edee60308cdb3f3f132b12f6068f0

SHA512
bcdf2034fbff8006f1bd8732ce11b3ba37119a4fd17cd68055046592f2f440bdb66f001634f398436cd07b5549ca67f25b6e4511b8254965a8242fa0188d13ac

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2f4adabb5e8f6bd34b82945f4a588733

SHA1
cd6ab766985ae5381686cc999984af01bd3944b0

SHA256
43d7845591b5cbe712ec05fa4123fcde40c181794ff448c93393f3febda96273

SHA512
3b698ac1223c7b41d0974dd71a209f6a305efb7f495627b06db3348f370a026836eb72c608db6adf1e31eada0e605098f42492b918de021bea66d9627c1d0dc8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e00de019815a506fb5442f5cb3df2c35

SHA1
a700c4545551c6011907fe0086c327a8af51cb8b

SHA256
dc3b99dd87a4e31d324ceda00c6b899d232c5d744734876fdc6b738992623ea4

SHA512
6b7e7c8c6e2264339971cc797a27183b85eca9be8b841bb759c02f9252a58deb76c235e9b34433f215b7ea09311e9d2e9532ab4c977c2371553dd9ad68ecfb03

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
079ee1821932e563cff804fa49c5a9f4

SHA1
59c48d2f77cb50211a77bb7d7a03ed76091f2095

SHA256
77064ff8fbe35ff18a07289cd856d5e313273b099e2b333080a8bac68656801c

SHA512
b01fbee9adb6c19ed7eaaa527f390fef848e597ce8459824bae34f71136ed1f4924c2b76fac9f480fd03e8036296ce4fec81dc08631ade0eeba53f097430b95e

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\747a91b6-c373-4b44-9bec-d6685a4de870.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
69cfe7da4397c46662d1ee1d23004983

SHA1
d508d905b12ee02f862414617f46dacb22441f15

SHA256
396be7f1e8f9be00ccd531a6f9e8815ffda255b69048f7d5204cc908cb86b206

SHA512
ddebae2ad7970d4ce35846b006e2ed38e975f3d7f804bb4cab9b88653b96819a3fecc047510b2280380dc9dfca53c7850a1474f30f8fd7f9c16ec5ea032f9784

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c55c2456e2abc72a4983adfb321f822c

SHA1
44c27df468efc5b6015513ac1412f0c4fdfa222b

SHA256
903ffc6d77f3e3f837000a9ea56b898f1db34198b4e91dfb2d2f0ac5ca4694c2

SHA512
598a3156fbc2e6999e419bfba4b9da9a5fe3e98d2c85560b5bd70dab7365c37829e10b35865308cba0f7f576afb2b3318c3056d0ea542db37fd370957e585eaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6123155f7b8a202460ac1407e231fbf4

SHA1
13121f6000a380f6621bcb8dc7c83f9cd10ab626

SHA256
dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

SHA512
ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
961e64fe226703640e47267864367e14

SHA1
5ebae7ee093b9fa1dee079dc8471ebe1d1d491ec

SHA256
de7eca7f6000e7ff5c4ba56b8ed6d052588ec3dd51563d4adb078fdf99814b0e

SHA512
42c0d23f9c7f679a13ff24aad2a0f7501e01e13f23e94d7020d94ea1aa15c9b108bdc3ddd06db76a17f98aba6613178e4a4cb4037070e7f48c2de1ea55a5aa09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
164f0af48dc079e73b951bfa48fcec11

SHA1
01718aa8a656b28558ea2a53eb83162bae4d6447

SHA256
c2c31834ccc5f3d41e650ebc33101c8a1a7cbc3c917f1c3f73233de97c6606a4

SHA512
3a9726d4a6dca462bc89d5244b4aef874afcef07972d06818f05732f2f3692a9132ca456c84fd955d616821c2494ae2a2e5455d9a0c39974b2caa6fee256847c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
60333d5fb48e6cc98896a282783a4076

SHA1
97f7af39857451d5e42ee5210af84bc3406031c5

SHA256
ac7106bc4f882e579d190863a182ccef7c9c138184de93c0e3b95c73b8333a09

SHA512
b64876c170e147929a61d20cd5a371a551e875a8d3e0a952d1653b8298c97bd2bcb619bc455923957910a6301d425a2bab168a06c73e3939b65ec9af06d5fdc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5763da.TMP

Filesize
2KB

MD5
80c9ece824708be3255fd46fed4fa84b

SHA1
6ab10396c88f4760224c2820d198207c54f01266

SHA256
1f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336

SHA512
c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
5343c1cfd9844509354022789471e24d

SHA1
a0e767d3399724405ce270839860da9e687c17fd

SHA256
aedbc2e429ac78b9fee8fa554fa32a8c5b0e56fad057aff306fbfe4787e7d30a

SHA512
c06b97443c366c3e87cc13235ad69817462049d5f0282117267e97dee3489cb43d525247dfa38788dcdfb25b75bd7651ba0cab19ef3aa767534602ba7f04f217

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
7f875783d62cf030da19eeea9f546497

SHA1
06718a576eafbc1ab2564099be5d5aa387cf1239

SHA256
027c7c277da8d93f88474531873a2a7b61143a01adce7901bc81dfd7a00035ea

SHA512
2b9cba87c9ed6dd218053a728a5a044aa696f9e4439b2a7dc2f1ee53e9cc320163985bf3f6a32d04f8af12960eb5e38926d289efcf3baff50e3fe5ce099b0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
84ff74dc238432002f8b469e16612a9c

SHA1
4abfa9c70b5d15ff3cd8f9ba8860fd431834ea65

SHA256
379801189ddbd17426bd3130fe4817da39ad4bdbec0dc32b1ef7acaddbfb246e

SHA512
f30edc7dac50e93d8909bf31c5b75b5ff439e556b4e94df60096c82c58c8b4dcd3f59669be8a6966a19c62acf4b7b33399b8d30d5ec3af1b4a989d99876393cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
274a670e1fe1c8a17d5702b7e23ce4aa

SHA1
a90071aed83f16cd4fbe54babd293484bc70f507

SHA256
058d9f56783dc806a6eb2a36543b7d87da222c7f44e9b12f92318474e2c72e3b

SHA512
490e0bf3d228a7b3e2856cdc450b38f692272fa9b47c3f8b530192b43ae140b0adcfc9dfc953786d0adedda907b8334e2fadb0a252c0ffee3e3c076f35d615f9

Download Submit
C:\Users\Admin\AppData\Roaming\316b6b9c92be0f3e.bin

Filesize
12KB

MD5
e6dc4dd1e951a9f5a1ddd49923d82121

SHA1
e5c05eebd906327e0172428cb3352d52666ed1fa

SHA256
a72737543e3393bd1cb862f520f898fc2ed8ee18e31671b89dd0990510c69399

SHA512
f5c4eb6549e78108eee88f5fc76998b0d54830f5e45b5db55d50aa94d9950acafc2d2b6fd4f995e554dc1a2aae459274ab7e87bca466ac611b402f1d69184668

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d2dc3f16f84b8e5920f2e5d01ab1a3d1

SHA1
1e55982f231ddd060fd69535080ef36ab8051517

SHA256
81e436fa9e5c8b7646810189d2f9b2220fe405dc5c64f8b96eca9a22dff15d43

SHA512
ea784705f884103162a5e4b093a66936c9322768c71b59852f1c8a3796b9eccdc1cc99134421068467c77fad4c0f1c7c79968359e7a109f346814139f2268c9a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f2a2d05cb08d1630916bf6623ca02910

SHA1
811b5742b726f64ba440bac71f9db82d88a68e93

SHA256
f7f307bab2cbec3179e079d557824632bee58ca34e09e26a32f1f254eb7299b1

SHA512
b4adae1cb874b2e6560aa0bbf263e0f6433ec36ec9f47efc819c11ed5ee6d1cde84ffd07394c542adcc77ef2d93eaad565d6c4fed1edc866ce3ec7eda54d68a4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9140619d1f7d05e0bdf9842489612831

SHA1
5a1ec15a0799df2407d42c0c2a3edf02752a77d2

SHA256
23d13a0203d22dd9f315c7cf2a1c061516550a7de1759c5f775144b6b4adb0f9

SHA512
15708b736d6429539449e8899d51e1e94b456ce20d26daf2c086680c0f1e81f11f36474542452a79a190db6f60825a05723f156a84329c70b247441953de0950

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9132242cf8abac091f1a143e899bc8e4

SHA1
97dc6c86f287b75d69703544002671831ab800f2

SHA256
7877724c05653aa02ae0fada523ac41a226bf8bc75bd925c74adf10f45477cd7

SHA512
d613a9bee0a113a4b43ace4aa8cb9876eef59f4bf071246c7ee81d695c20cb061b078a5c1f5a7f08c0940220063587879854b10b17a1eff85aeb6790202a2eb1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
77c286262d58c1c1875ba999b4c222ab

SHA1
07dc1641f9b976990cc9a1a4ddb75e764cec81dc

SHA256
ed029b493216a328cc855d16608686dc644641b92dfbe1ec88eeb6e9550d81b4

SHA512
641109d261793ac9bb29cd35620b97408835d88ca9b40f45fda7dd4bb79fed3b53d540f59bb35fb37ca6964ea375252d19703b4359f0b4ffdc0f4adda9e750a4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
699c5880fdb2835f4529243ca262f335

SHA1
e398719a96e7b1c8df3b2ff05d6e33f5fa7c777b

SHA256
729f8cb9f20a7a8a7ee2fd7f08bc7084edadc4cb0f8ba0a016f475ef45fd85fa

SHA512
d8331e58a9a225174ee63b5205118f0bdf636e138f3828c0b7803f156a099944dee9871548c3915793016408d9550dc61915b1abebff70f5f75db0df2cc9a632

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2c276f34605e34dad0a7b3759cef437b

SHA1
f75a18b1d8a87ec2b04ef82d9fb9a2f319e32457

SHA256
a79e2299ac7e9acf93afa5d8029b062ac1c639f6e49e5aaf7423e6d362e73283

SHA512
0dbb8927a88d255fd5acfc8f3b7e279c08b986d679b66243aacb1884773d8ec9877d0baebf23affeb70e2e3798adf1d9e395e139f5440ac2ca878e9e95bdf800

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f7487e1057fd7b2f718d62641f701d8a

SHA1
b4ce8ae5559ca62ae141d8f9b53a3943d00e14c4

SHA256
b1274dfeba1ab57d1454173cd28e34af3083831a397b39a33ef804bc5453caab

SHA512
d1f518c83f6a2fa6593ef2f65cacbd2ed2712b0ad57523a2c7a450e2346949af6b718cecd1e3b8a078da6d1d8b4c21554ab6d7a5ee804a5212638b2677b5ff00

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3a8939ef9c01b8a45e5279399a6f141a

SHA1
284c3ca9f359959afc9e3d249bd3cfbce0d4db0e

SHA256
23be5e624fada9d8d9de5ab1e7111d3faa2e59a31375c28d160f4789e21126f3

SHA512
d7cba30200474d968283cfd0953018c6aa77a258d40143084629f7a18b4b46b63047e05e69a0b19b472a2379e55a27825386306ef67a320d6efe112ceb8637f1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f70ebf40903b7666f8e1c9b2f4527f45

SHA1
84def772684346e9d92bd51a6bb0e3b5b02c9efd

SHA256
58f798ba50037c029712337e702cec68b26a684b8f6f6de2f050dfa0d7263630

SHA512
798438fb903db51149122c9f523d308ba58952010dec8e04aaefefa3d90ade808e8fc8e9dc09bb8bffecae3ada2a716213c9adca1d02272a6b0ca6276c15765f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
09a2c8c4b35441d3c2b01ad860f0a250

SHA1
e5e8a2f849e452183b1803831118626d5870ed24

SHA256
b3de2bf19e1582988c9c5abae4d267bd3aedd04f7b3071811b832ff1d58aff46

SHA512
a1bc8a35c41bdb316e6dea6cd33ab94ef9f36c1d98887f7d3fe34f6a3c7c476726a313639e8477de2e6a37aa7dda9dc21a524d89306050ff571c02b42261c3bc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
46b41a60df431fd8e267ba484bf5948f

SHA1
aa5acd546832f8c9a9d31df2ec9e71171d6ca66c

SHA256
4a52653c4e0b2fff7bf26d65a31c481d91dc69dbc2fb34aa195971c75bb9ef68

SHA512
a2969792964a92027d84a9163159f52689b9aac5689c29198ce80db52481f29ba5118ad679174669e02c5134056e04c8555190fc6dde20e8c15e79e4f673fb37

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cf0a1a33c1a288268d09b63340be6390

SHA1
d1f80966e54ce892663a506ee00575c412b8cf75

SHA256
c3fca2516d644ff76f1251cece38549de71d2ad177c51d699fc082d1628b5d15

SHA512
3272bef03272156c8bb8a05ed715ea5e2c5f64c6e200c9e0aab01a5a95d9ea460f19a2208b0ccba89c6141ebc7fbaa3cd72a3fd8b6d747ff6552ef5891547b83

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
84853f969815599d5393eb85e8a4f9de

SHA1
79e90a8f42ceca914512b7e5390e9656fa9b3110

SHA256
f07edbb4d11a1124a34f3e2419faed60cb7e8f8988ee0d34baaab53b7d966bde

SHA512
d81cacf0af1fc394aa6c2cfde36b7519eed1121b9ebdd705b73b332b503b0fa983bae65c8737ac5ba98d08bda69d28d4ae5bcaf7222db668755e71000f74fd6b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f778e794e0337f62a2496a5c5b2b1027

SHA1
ae04423d5eefd943902da7b9935a071900b3f38c

SHA256
1b620360878217fed50159e0b7ffc1e75d31e7b756fd2630e0bc16e28d66353b

SHA512
49fd8df65bc8191ff12224cdf820b0a0ce5156c324fe928bd5525662c73e4e2099b5ca5a86c54c2b28b1760abd567fd416c2ce1c18086950230eb7bd1140032a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
52f82d7c693f38a57dee0b84bba2bce4

SHA1
fc8b495e1be56162f5d8bcb3132ba9a899538ed3

SHA256
c996a6db2ec60ef9cb6333932bbcf275e56b0be20648fe484b3db016d0f31e43

SHA512
7683dcce9bc71eac2ee2747dc632632d81eb08a0d2956454e4ba358ef0fd0a1c7e61eb4e9526b09cebb2c5e229e76a8e307255bf09cf0b9c580a8d03c1ea6fcf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8f9e9fb051097f4d37183e117f7772d8

SHA1
dc170c39fec51e164380936a3bf9c68bb14db7ea

SHA256
93988a2b5f0c84f8a02ac6ca788c0eaeb137b74b402960c11f807a61a860e7e3

SHA512
177acbc27e5d09ade420aa96f5ffa96e11044a803888a64efc904c779a5c62665d879682c1ed21624455921cf9438a24fc06d89d5c75638bc2966cd7e3ae084b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8202141ab643856b101a00a7c48023e0

SHA1
956e1c54ae6b12411d67ef23d89dffb53c9bab76

SHA256
38ac02761bf57f407f155f91fb1d2d3ed914f08c141fb29f0734f39f4b710a5e

SHA512
bbb7d286327fee26949c8bb8c592494a2a74bf333bfd0aa4a4b54e421594472951586d75146da05dd3be3dd0c449a97c1b85e3b79291ce6f514a1001c27741f8

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
f8da1e3912337378c0f722f616cf6aaf

SHA1
22482c3e69a3b76d24d4e88d30e345654afd0338

SHA256
342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b

SHA512
b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b4ad1af4ecaa2f5319710d837a6b825a

SHA1
c4a3d4058b67b8260247251ff26cae409d614904

SHA256
92fef04beb72993cc591c679aba0697f94bbb992e7fa18cc0026b0b77a45fc1b

SHA512
b1accb582a6537ed0638189e6b414b82164017a2d956594e2fad5216f0765ed7952c41e148a13c1c0791b6c1b6971a6ccfda766511c69c9c7afa538aecda26fb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
47a51292dc868e0b21e71b42f98f21f8

SHA1
195dec7ba2626f1a9b57b1980d840abedbea5854

SHA256
13b44f813666d20600c98f7ac780d1ec4ad4a3294d15759a1d2a8f9aa89ae549

SHA512
c28273b1765fe3be67250a8b8eb3fb4b7e05dc82a3b68ad9bd09188877f52e247acdb382393bb560de6c5961b53f046ab2c2d834eed50aaecfa669f9d0d9dfd9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e56dee18d719ea14faa6b883ce70483b

SHA1
3c92e66805419edc009e0d15e5cfeed37b9938eb

SHA256
6b44fa42dd6553ce7a73898be5680c1b257784e1e09f003f13c21c768869558e

SHA512
13c11af0e98ab569fda2dbb6a498ec6f5ee88f6089da7f3cf0808a7a58d6a342488ededb06eef9f88f7ec60419af2707108c84442a6f2c02ad56af3b0b4b8882

Download Submit
memory/680-322-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/680-687-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/896-259-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/896-255-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1320-309-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1320-684-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1436-203-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1436-559-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1448-321-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1448-179-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1572-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1572-17-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1572-129-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1572-11-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1652-130-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1728-297-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1728-667-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2628-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2628-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2628-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2628-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2628-35-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3000-75-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3000-159-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3000-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3000-69-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3160-114-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3160-93-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3160-92-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3212-269-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3212-134-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3584-210-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3584-566-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3812-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3812-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3812-89-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3812-224-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3988-296-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3988-147-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4000-146-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4000-22-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4000-28-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4000-30-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4332-233-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4332-589-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4564-342-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4564-588-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4564-182-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4596-54-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4596-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4596-60-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4596-65-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4596-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4636-595-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4636-244-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4976-164-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4976-308-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5020-43-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5020-51-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5020-49-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5072-270-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5072-600-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5212-688-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5212-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download