4635b2f222c1f51ad05fdbaf26ca600d68b4ec611f4b3dd61a9437a8b3be1cb6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
Size

4.6MB
MD5

7b0580a8a0fae971ca9c65d5d35b7236
SHA1

6fa670580956d1016453df9eeecefca599d130eb
SHA256

4635b2f222c1f51ad05fdbaf26ca600d68b4ec611f4b3dd61a9437a8b3be1cb6
SHA512

b791c102a5499c0542f036b07ff8d47a8f47605527bc0156c2d9ab4966ed2bd718064f69a01e6359a9c954deed13c2129cef968739ef78babac74081ac50aad4
SSDEEP

49152:YndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGB:S2D8siFIIm3Gob5iEbB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4888	alg.exe
3736	DiagnosticsHub.StandardCollector.Service.exe
540	fxssvc.exe
4648	elevation_service.exe
3180	elevation_service.exe
3748	maintenanceservice.exe
4092	msdtc.exe
1748	OSE.EXE
1164	PerceptionSimulationService.exe
1656	perfhost.exe
4628	locator.exe
1668	SensorDataService.exe
4144	snmptrap.exe
4984	spectrum.exe
2108	ssh-agent.exe
3648	TieringEngineService.exe
1500	AgentService.exe
1128	vds.exe
1188	vssvc.exe
2840	wbengine.exe
4412	WmiApSrv.exe
848	SearchIndexer.exe
5916	chrmstp.exe
4648	chrmstp.exe
5392	chrmstp.exe
5332	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\535a7d2e85dff9a7.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c924d53a77bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccec023677bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbfd753677bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f532453b77bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000416d5f3b77bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cb2e83577bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1872	chrome.exe
1872	chrome.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
6732	chrome.exe
6732	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1048	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
Token: SeTakeOwnershipPrivilege	1424	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
Token: SeAuditPrivilege	540	fxssvc.exe
Token: SeRestorePrivilege	3648	TieringEngineService.exe
Token: SeManageVolumePrivilege	3648	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1500	AgentService.exe
Token: SeBackupPrivilege	1188	vssvc.exe
Token: SeRestorePrivilege	1188	vssvc.exe
Token: SeAuditPrivilege	1188	vssvc.exe
Token: SeBackupPrivilege	2840	wbengine.exe
Token: SeRestorePrivilege	2840	wbengine.exe
Token: SeSecurityPrivilege	2840	wbengine.exe
Token: 33	848	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	848	SearchIndexer.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe
Token: SeShutdownPrivilege	1872	chrome.exe
Token: SeCreatePagefilePrivilege	1872	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1872	chrome.exe
1872	chrome.exe
1872	chrome.exe
5392	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1424	1048	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe	89
PID 1048 wrote to memory of 1424	1048	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe	89
PID 1048 wrote to memory of 1872	1048	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe	90
PID 1048 wrote to memory of 1872	1048	2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe	90
PID 1872 wrote to memory of 3912	1872	chrome.exe	91
PID 1872 wrote to memory of 3912	1872	chrome.exe	91
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5608	1872	chrome.exe	118
PID 1872 wrote to memory of 5640	1872	chrome.exe	119
PID 1872 wrote to memory of 5640	1872	chrome.exe	119
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120
PID 1872 wrote to memory of 5712	1872	chrome.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-13_7b0580a8a0fae971ca9c65d5d35b7236_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffd6429ab58,0x7ffd6429ab68,0x7ffd6429ab78
    3⤵
    PID:3912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1880,i,16269274348789852251,4648738803007551328,131072 /prefetch:2
    3⤵
    PID:5608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1880,i,16269274348789852251,4648738803007551328,131072 /prefetch:8
    3⤵
    PID:5640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1880,i,16269274348789852251,4648738803007551328,131072 /prefetch:8
    3⤵
    PID:5712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1880,i,16269274348789852251,4648738803007551328,131072 /prefetch:1
    3⤵
    PID:5900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1880,i,16269274348789852251,4648738803007551328,131072 /prefetch:1
    3⤵
    PID:5908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3556 --field-trial-handle=1880,i,16269274348789852251,4648738803007551328,131072 /prefetch:1
    3⤵
    PID:5212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1880,i,16269274348789852251,4648738803007551328,131072 /prefetch:8
    3⤵
    PID:5296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1880,i,16269274348789852251,4648738803007551328,131072 /prefetch:8
    3⤵
    PID:5304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1880,i,16269274348789852251,4648738803007551328,131072 /prefetch:8
    3⤵
    PID:448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1880,i,16269274348789852251,4648738803007551328,131072 /prefetch:8
    3⤵
    PID:5512
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5916
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:4648
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5392
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1880,i,16269274348789852251,4648738803007551328,131072 /prefetch:8
    3⤵
    PID:6264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1880,i,16269274348789852251,4648738803007551328,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6732

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4888

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4896

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3180

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4092

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1668

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4144

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4984

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1252

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:848
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5600
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1292,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=3028 /prefetch:8
1⤵
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

Filesize
2.4MB

MD5
fe6de49b8fb04b720d613206aba0b4e2

SHA1
af4e860581c9a8488104a48c398cb23e47152d6e

SHA256
7a1719857cd9c1e45278e8e10e2bd7cf7dd2fbec59c702513054f77500d88599

SHA512
888e781fb53dff9df58a09a65e7ced4ea7626c42164729544d44ddadb229d191e52f6c4b8ed5a665e7262bd01fb903d00fe6fc0c507fa7c7a7467a5f5f84809d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
152012a8c81814ba39dd6b937d986823

SHA1
9824c7802dbc621eb9e2389fe2a6c094975e7d20

SHA256
00f6929b7cb2ec441e88e3ccc9b0c62a0b0545c332c31bb44b1ab401e4aaa264

SHA512
d40f3adc0dc626d4da07aacd6b65e7762e9a4c7ff6193621c12f0de8d446c897b708dda40c606309ee5bb48824baa750eeb75246a00f5a7d597670cf8f2129c1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8d192b2bfd4cb85da796d461547b3236

SHA1
e38d2e2a21d482e03d25d1bc95e183b8c62ad168

SHA256
d53e0c73023055b1d04454d03fdba67fa902fba1b614bcb64e954e8c22ca41f7

SHA512
7bb4380b99a1adb3a16eacb24acfc097dea9bef9ed4c80ffbb35628e18ecf97724100b4fa63ae3493885cc7ac67c6221ba5ea6fce463e27fad1e9febd8b939d8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cf02fea299a2c1fafb6ce575feb69421

SHA1
ecff5e95fc56a845d4cfadcc954a609594cad044

SHA256
27d46196c2753408e389f167cb48e69177cc6ef1a8857c65f770b752f76a60bc

SHA512
172f30172ecff07ccb40704f23e6968d41f2efb1bfcfd952991f81806a4b6b3d53df6105c9fcb321fb59d6c9ccb9c81b3df06007548108845965bd7bb559ed5e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0ccebcfb8b73f34e4eddfa5177277337

SHA1
e18509304aa83aee51a56cb9f4c02772550b3604

SHA256
68f71a7979cf1af4055c972f9d1281a19bc720a36317a95f37749dbad67ef624

SHA512
bc1c5417cf76378b441535594218deb00f8c1c12853a2b5a8068b31bfed866703c6453f2d78fd4ae1fe8435bc1090c7ba9b8656f4a98de403eb2bc0da655c733

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
36597f120dc567578480d5c45c96232e

SHA1
68e07b4b9bb8981feb6b07cb6dfbecf77df6a369

SHA256
1e06c168722b304fcfab90d8fc3231a7295c79d141c81417d2b2226aab3b36b2

SHA512
ef196a60dba1c23e5acbdde37e8ce0eae0f6dde157bef873be5c2db53328114c5eaeab0f1cb0d585ed1e90103e636da370568b6d5ab2b0d80ceefe2a71f46d69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
eb6915934b8f01f97cc542257d9a3692

SHA1
907da43ff5ffffcbe56f29e95b6ab00c4ce057c9

SHA256
13ee5618cc9ad48ec193a1e647976542b33aaa2e9d1b5748f4e35b7a475be437

SHA512
e2125bb29201f66da9893a2461b01a543f9a8f29b2be35f575ada75eab8f7889d5ee5a30831d426a3da041d3b49944667a0feff0057ef4e2de52c58a0dad57e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4b3295405ccc0b3c9a3c7cc0ee5dbf0e

SHA1
af3951f83c4148fdf72c994542ca221a918719b8

SHA256
b8c57b2aaf28b43540c9faebd93b75cded99bd2ac7cbd92e3314996e8556078c

SHA512
ed715e331209298cd28b4dd682da438d674bdb4b66d8be640577c73a29bef933a0a22e3e35ff6dbb243130e75cc478942115c35ed40f7a258e0edbbaa3a60a8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
620e977a4a901d91ad717923ec24d154

SHA1
768f58481f879a48752568994b8c1f34ec56f12e

SHA256
4dbba4ef25abff4a5a614a84fa41a8fd7093a245005ceec063e1eaba8373b99b

SHA512
eb7cc0a84d9197b0a0d8d27b8d456ddcaec86e999d6e5514c9e719b337ed14e7cfb2100b6b39dc57d352b4829c98e5c6c07dbb55de8e11f8c5e67050579f341d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5d3256567e71851baeb6460dc9d10a09

SHA1
c0de8a1eb7be85c0fa61bf7f309d89d695b64b3c

SHA256
b1f76d1a54a84d23317181f5db05d3102beb543c8893581791aabefc52e8f208

SHA512
1a104414efa82894f60ceb90b4eebb369b30402aa0b8e8c8794da1b772398b3f1e1d4ae9abcaff5225f1584a816722c4346f1cc19a78e724955c67574f4a703a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9fc598d95c8ce98f36c6adbbd1b6087f

SHA1
0e9a40589a5110d2fde5d1e482762a4997548c4a

SHA256
afff4df98e1e45869c8851f57adb8d0adfb19ea9f6d21e15ce30f8ea5e31f65c

SHA512
c84d44bda919f4e5d5602ca46d61aef9b77e706e22bf4d793daa3f117a0e242148ee8ac200b4e523198fbad0a1a148f086d9ff9028a5e157d5bfbdbc4fcc7638

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bddffae60a687b125c4caacc5a036d9e

SHA1
eb57007405639ae21a614f28a845c763bf89de40

SHA256
999f143c7f978a198968aeca4111f1102a6982c3bcb57b2acadf8536bd8c8b8a

SHA512
cbccb82a4ed9e1733b85c37e6c2a1bda2da7bed305f370e6855aa110c201e1a8a28499a2e54911bcfdceb1d56ccf2311739cbcf9a6bca212d8c4b8e72335b9fe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
16b9119174592594b92943f06adb9242

SHA1
9bbedc681d403c6a61967aa78ed22e8292693bd4

SHA256
f40bac9de21336202eec594f61a0a356e3130fc3242b0a957b130ae2362767f2

SHA512
5d58ebd57045ba058c0da6f4f127806760b7a1f96b69e076ff5a8de0cb40b1396e4f7a46eb5ca91f4debbed92cab294100dee312e1d9b98f2ad2e8d054e370ca

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ed33cfed9e7839d8d2f42ab7b3e89988

SHA1
8f44b27809a26145e3e3f1b8ac3f6c6ec2b0f28e

SHA256
c8e03fae1a2219861e9eb3cf8e5117d25c82657f77a1831d7260235527cc92a9

SHA512
de27adafda66818926b17d18a2646143f30b65ed4d958c129dd180c8cd91a0211ec7329030c6905a515a29af3fae92905a24f337f236bef42345d03b8cf49225

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
df77be05f24321e137cb55bc468ebbcb

SHA1
25a18cfb67e4a1c98214f019865e6c3d09e251aa

SHA256
dbdc6d6a7452294fac6a2ad30ed7d74c32356d8b64827751a60849710c493498

SHA512
f9036bb93558371529d8de6dd83d7699c47a273fca47dc24a6f288f80dcc0ef9dbdd9c036f1c688799ea4ef28a6e6cb82396daba59a9ef59ca782b78b7a75ab7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
66986146a57bd7b16963cc251b270e0b

SHA1
c0c72b4f3b960f9da88f0f36dc1cbbf867a608eb

SHA256
05cbebb2def22531a1323daa408f96ce37acd6f3791b4eca8dda0a98d7498b69

SHA512
f4c177507eded29ee643f4672d981560946538a20327cbb8db8d54cb95be986bf5a70e1c3da2e40c78b480c0b8bea81a4d80c844f9bd13e64bad966c02d4e8f6

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\2e5997c8-d737-4a16-a2dd-9739abb1a4b3.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6a1b19d98643485b8a70c6005229cfbe

SHA1
f930b00a84567ede2368977a57c98d43efed9812

SHA256
b13662769c81af20a63b690f1e9861aeeb2ab700acc0cace72683af93001eb0e

SHA512
ee45494c818182e7b48d1b0cbcf5bcf31e8d03061cf189af3ace537a78500d4eb5044eb2a678cfae6e4947346adab89855b4a1da1d1504b81bcb5d397c954094

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7a3ff960cae861ae637f983d8e7ac63b

SHA1
834ec275401430e61a3451a38fd757d18ab2f507

SHA256
c423466ca912c4f0838da55f30b7f99cfc940a04769900d74c2d95407a7b0449

SHA512
7f7a8949b8b452b6a71320bc06a5c12cee8ebf431f1d131e386776f57b4ad8793436ed20f0ec064911cd668863c20ce42f91906a2fd922382cc2892e4c48c61b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
64d7569e7e9cd59b61724e5ca8024d2b

SHA1
7e567c8f3a278f528fd7d85d462cce4e56bb8e79

SHA256
8adde9c0e5b89d0b9041d73f1c9ef531e668cdc1d020e7625e45f7063569ab1c

SHA512
b4425d6dea07aaa95039db3491ace66ff0e4e64232309b2c7dfe29200823454c3f91391db09b01b83edeb298dd3a9ff1dd0198c13230763553160e5a2607efb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d075a1d5303332f46eb158a8e725b59f

SHA1
defc773ca5afd9ae36d2a2578eb0e5de6d7562f2

SHA256
95c3800a2b4cd736f923a184b9a25660fad98ce9c074c0641d129ef6a0e5db1c

SHA512
aff0e7654cb643d141409ad9d55849ab814f484dede25c1019055a9676141f0d195cc3da6c31c492c85596bf19eca049f2f0a22e48aadda498bcbd88926aefa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e0b7a3f137d0d1bd1064c200b42aec29

SHA1
d6b0397b87b02dc6d2632f1b8889247aa6f6a412

SHA256
f5c39d1718a2b72be6a853cbc8f9e55075fe3438ac6bb6e8dc3cea0d1b4deb0e

SHA512
33d908fb7a52dd24a36c88848f3e8fa3e322d75d2394a628209c538026fa8295b36b19320cbddd4003f6e35d06f4dc87d79e73380d4622b5ae8981abd14bcf66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5483f326bcb01593ead21b98449aa58b

SHA1
367ceedacfc35110d3ffc269dcca6f5c8df06964

SHA256
6a7b87d627891614a742ad8b7b88d28eb55de11bcc9c5ac83ef5e553120aa48c

SHA512
335c6b0b3a04f6a977978e762d97aebf107df3f4eb0c662d9e5b25177db8af4e3054de9fe7555abacfdc854e3b900a07a4b533fe21a2b7090d06391f034cc786

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58150a.TMP

Filesize
2KB

MD5
a361d3291546212f08156eae58b34e1a

SHA1
89d7162134759edc4109797677471c64824c4130

SHA256
c94bf51d6a92796deea251ef7bc1c0bad2f1fa49fd8a4f62d6800ba729d275b6

SHA512
1100cf4de624cb6e3030e83629e5574da48e5d498f1ee3508f4b342b3f020a40a58ed7e83db413dda0036f15b81c8945f9491ae351647c579362b09f2654c18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
dc2ae66189b95145fdfcc30d6142981f

SHA1
0a8319359d6669eeaf6e00534f6f4b56f14ef656

SHA256
422716c0e9267d95bc946b37228d8c569fc2490eea8e1ba495524a26852059bb

SHA512
7b55074fda2415a281979fe59fd249dbdf682ae8248efb9863ed9bce6a4ab74671e13c575267b428f883fa3b38b3d19de7b951deac8b9fed68d8a63bc08d847a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
274KB

MD5
5c0f60230c5509660da30fcc9c3b6db2

SHA1
03e9da6a99ccf31b61b15cb001e5102be93be53b

SHA256
e36871f9de45a54620623d0a46f08e46337d1dae8c13ff38653a5126d03e9113

SHA512
9b2bc99825c27cde3982c7482758ab2ec0d2f09169022796d959c7ec9283f86eea8b7f93e26f53281086436e34f66697f8568d83189c925925ac175632a3118d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
0a90c640881464d6f31016d10899720c

SHA1
5d3ade80da7508d3796fc5398149ce185114a414

SHA256
36a3c6dcd42b2762ac04f8bc723a4268bed95a70e9fac9ec9df1cad5effd392d

SHA512
bb97349b624a7925e9dafb5ad723103c9b4d91700f740a0bc55bfc15477b4f762c3b10468f746d2714462816ed4ad8653cf50627a1c3bc58608b54b25d030619

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
2a0089d01e37907321d1210bb558fc47

SHA1
37199299592728fcee5d191ffb4d992ba17744b5

SHA256
77e8ce711cf220b97dba66d3bc96e9872f15f8a98197af82e48c4277f97e6460

SHA512
b125dbdd034213834e419ecfc47b6b48bafdeaa8c6d6443283500f25290998ea8c0f12cb5a2fbc852920755bca2b6e1570a952663310cf7c6a69137d763e82dd

Download Submit
C:\Users\Admin\AppData\Roaming\535a7d2e85dff9a7.bin

Filesize
12KB

MD5
13f182c629422b9c0d47eccba428776d

SHA1
c9f6982a69ce1b9285d0d1e15b72eb09a05c5158

SHA256
f0485594145cd0d80fff4a598f9550ad4b63b0d936f990e3e5da2c3722b751b1

SHA512
590af1f3eb3ca89739e34cf1a1bfeaa0120003be1519b0ad9739221e4ea148298165904d16b2423afcaf8f15284276febe938b07c54d3af7d9cd79fcf4234d6d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f0e86f7e1aeda7b349e3ed3ad552a3c1

SHA1
6f2d42287bca6a0b06dad440279878e677ee805c

SHA256
90847305f610634d53801d13e1e436f553e2fe2c5fb23892817899ae0a92faf7

SHA512
37453f1fbf70f1af97c375ffbaedbc8a857d5aae7130b50827a006add75ed0180dd808086719c5342cf25769689d0aa9a72babae55e0b852f40ff014d00c31d7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2bd8db9a1453b641e0670080c3f39032

SHA1
377cfa6fe312487dd0aedbb9373dc25913f1aeae

SHA256
9b755c19dffcbd3ea03d2d098f594a69a0a10d61bed9433f80ce6e74f3b9bce5

SHA512
c4756e0c6c3c271506d3366e10a8ea9c874aaa4fa98b0a832f27b761b013f7af2dac4239b520c7cd7cf8ce32b6334995a03dded68f9062918fce3974fcb3eb85

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
eebe9fc1eb32d5d7da7587b877a2cd59

SHA1
b3ebdb983af7b83c22b123f954e15881f3fec305

SHA256
c8171cef978bd249c902e108bdd26d4377c38a058d0bb4b7d6dc6009c4082459

SHA512
7294e17b0f82b18e4e83767c99f0cc1dbe7126ee64c81bfe89bb1d711c0fef771e15ba8a213d5e07bcf549bf5a3c01a6495d6566e7b7bdd4fbc4c8b24488c5fd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c93bd54d88fb71b1b116de0892bbbe32

SHA1
99ffc6d96de92a663e78eb70e3559883e0dde67a

SHA256
d6dde0fc529cbc68b8e1b8e7bb77e338dfaba5eaa74b7917b87d80519dcaf17b

SHA512
fa9a354574a2942ba38d5f449d37221ad5c092377f83d3a2cd29c202105e7397da117147132313c89aed01b140ce8276aa262d067c12d33653e5f5c394bfef9f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
06692aa473247b34e22baaed84f092b1

SHA1
bd7614627d5b48ce39cbdad4bbbbcdc6641fc8a8

SHA256
fac34caa03bfba23bf31e8bbe6472da09b5c6c6753bee2884c58f1bef0e3a0dd

SHA512
cf6904cee12799672a9562318cdeac9158a3caa79be5387842651fdadc5bf9e80fcbd5737d516f047ba68a3dc3fb9fce9e695b5a65c0b448d8f0cc78dae037ea

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ec763e25d3a9bc2b67d0483a9029b628

SHA1
41572a3684b444f7de89dde49d0f3bf1e08d0c08

SHA256
53805af76b900050d4b4991d42420e8463a327f5e21b98794bb9b47cb324fc61

SHA512
3a1c82b1643bd9abab40db7428bd671acfc69a6ef09e045cf34274bedebc33573de5db0244bf30d64b41bda9e5a93448e4f1d42d032c039da8ffc4304a46bbf9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cb90cf29da569b6277c973e422c1d182

SHA1
ad32d27ec41cf4c269c3f2ea7746d2dd87a76de4

SHA256
075aa4ce9454576f9193fec7af7cbfc94d6dbd2d0a8fc6e1ab74d84a04624c77

SHA512
4e880aa06309cc9e87aa3c8dc75d01c8f6b91f03ad1fca54c3472d413c08b3f3a15681bdf7c5cd8d05399c99638aa738728e8129236aba43221b8740801c18ad

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cab25b23f47c1f167f0b8195a515a450

SHA1
4c45b602ec0c368b3528a6fc3f562da882d684f4

SHA256
f4dbfc67db41ef89ef7998844e19db471658ab3702099558ed0b2471dbdc26bb

SHA512
2c76955f739a80efbe6ef78b0fed811ebf61077bbe2cf5c244cb844ebcec9bda34b93c1a16c34d1f715f28b58239ee3e1d1230483562fc1bb1cfb8702d579d6c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0729f226d61c1fd203e079becd36259f

SHA1
02eb88d6bd747feb99bd719f63bbc408ca3ba7df

SHA256
b1cfe19c8a86dbc15c4b9615a0e2570f38af0b1a95e33f65110051c2a323d97b

SHA512
2550cb9c6e5ca89c0d72dd749a5cbede483d5580398adeb7e2cba4da491ca5fe6b22040edac0c08304dfb926763fb90d2ad81b3683182a65156f11e0ee84d892

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1196f354c6809075bbbd7a260212b39d

SHA1
41df875612b47a2625ea665ee2c059fc56327a3d

SHA256
c27b900902d0ed1086e163c84496d4012e7819ed216c69378b2d2e218c5399c7

SHA512
92c85d10a6e943d42a6326f7a72369f5d60ffb9454999295d66dffd0eda4b8b3f9398f2fb8946a9d09f8813feb392cf9eea2c324c3b966e80e52f1f26638a690

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8e986c6ef4fdbb9f402cd326530ca909

SHA1
bc3e4516a468f654d260425b1392176dbfc0ed2d

SHA256
ebee06205ff001076d3667239cb87633e194635f6702c59440e8d281ed1080f2

SHA512
49a388c550a075cc7658f6a427965a26ca5647ca819c8c4e66a77da099956402d2c1f8857d53574111ac4f9463d96971076647e0180af583c81a4bfc45cb18a5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e471582cc1da4914722452cf8ec69462

SHA1
2a41dab16685217b26646f62c584fc5136954e7f

SHA256
951971d300fddc3564292fcf6572d70cf18805384242c00ac4a57e81b3c39126

SHA512
720564f52f04c0ef16a74858140ef9cae4c831adefb9d9e1f489a893239537e3ad8b4df391b6593540e39159c12b2b39c1a5f3b5ae73b9676cc896d29a393037

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4e6d868faee314683144f49219a34a1b

SHA1
daff8434803ebaf1dfdc79d1567e25358a28488d

SHA256
b922232a5b0e406057532c07af679eaefffda37e9b3aa33ba46cd2aad45fcb23

SHA512
e382eff31f142a176489f0e9359871c8ae30666d81988fecf605a9c3964a1f0f8931afb5a0982f0337d4b21169570f34cba6bbd32fec26d3455e516fab3e01b9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
925574f21bb3427ccb87b4711e8a7271

SHA1
33eb7b432046b01a3e360b64d30a50c0eddca1b8

SHA256
1505b31e80b6a012e842806ce214d6164a47a9217864fee55921fc4ce5f96609

SHA512
96dd34bc1d2dbee337cadd7573c95f5c18e926b710868d09c3bb544b4c4e502eefe05621ab5dda91fbb05a23593bd17bcc37bc0aa6347893bbfd820bf48667eb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1acf6515eb8e2ff6e18bd3651cb44391

SHA1
ae2c8ee3de4992c0dc5a692e66cdd166c05acd2e

SHA256
e85cf0bfd938af4aa0350eb6386b7ad5556325485b867d165657493b12b9acd0

SHA512
8df89fdc1913ff9685454a2aae02fe5fbca95acbc1e868f5acb791a270f5c4878bce1a843a42311a8bf1daf580900b731831dbeccf41e4590b2cc683242f09c7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f31a5862cdc77c92cf7290d97509031e

SHA1
e4f362ec91e78f5ad12a9a05537349f5f37b3272

SHA256
5d91d4908af8253c897abf45d5ecad79197389de3deee3b60a6109aa57da36b2

SHA512
553c50a93a98048727eddfe1b65c7fc9ff258dcaf99ab07fabe055b492803b71369253a0fe9fd71fe09f73b180e230b5e2664b7a2af8fde88e6a4198b35aca0c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
59be4bab73036fab2233912bab11df68

SHA1
d93c2bc28df00d25b886911ff57f29def9ae12e9

SHA256
c6a7ec5b4309137342a9bfb5190e0a19debc3713987bc7f2bb90c8fce686c483

SHA512
49f87c3b5bf312245c33ed111a4c10a4fb765240d1670f55f012c196f09c00f11284fae35272f9aad528f6094c1bcc5b5fd0151123df5f1d5fe162acc890d55e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2f000ee6cff5cb727e426fd8945231c4

SHA1
043b87299022276afa4f18ce1dd28af30bbe9940

SHA256
ee68078605619c4eae28ee29b0e1ad0a86181e0626ceeb55f60913ab28bd7056

SHA512
e866144d87ba0e442d9ef5d9381909201f7617b6d7134e3271f58ad6a7f68a2afa3220ef318dbc6551c9dc0186569db7c3146e4c0ce90bd8cd4e5277d58c0cc6

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
c75904f52c5a3d06d039d7e29d12330e

SHA1
01609a94c02faad94d2500a526a955eabce1584a

SHA256
7ead57eb6e58b3ef599ff51ceb37d2b3e4355de28713b5cbcd0cf56a442f65db

SHA512
b55a3ff4fb2a25ca29e8a4a562166e5c13a6b63291df4e626bb19d33ee03cb9056dc9348ba28cb35ddefc13c3b162399cb260b91c85b2ccd1ab1a491ea1dc162

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ed5735c35e886d22daefca47dc4e17b1

SHA1
839b72d808e3aaa0fa0c6f800d85ec0e41ddd32f

SHA256
5fd15f2d767e0f9f02840560885eca3cf12027cb05eee3e5c45c4389434957f4

SHA512
4292e17160ec5146cef5e8aea965e6e939250742aaf20d9a2a008ccf63f17eedce9a1e7936e478dce9ecea9b7d8fdb9afa8c9ca576583981aba78453daf9ea8c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
d123c558270e0b2bbf193ea354c9e886

SHA1
1ab814557ff6b80b9f3ce376dedc825ec27e7fa7

SHA256
1628ec759369ba79dddde4431d075ea720849e4053f6b04c94a97f9252b4cec7

SHA512
f8f957c3c1840d26c110c39b8121264eb7bc3f3e0718784dd3f398fabac93a16e3a08ee39b2604faf4910c6c6b745f4e75012cbd4ab3ff78ff57ed5aabd369b3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e66b9c0bbc9cad9d3415086767070a75

SHA1
01c53b05d1524cb7d5105f03b8136aceff4bbb67

SHA256
f80f91ba6fd385bd526c38416f90b4000c424b262cb3e273a6bdb62f5e652859

SHA512
4d6143839618255efae18daf81d483f2ab1378b9abaeaac4acf0457f1aa12ff67bfd2d818f168f64a0b4a8ac165122b5b716a6c95e68e7c06e83f3a43dd2ffb2

Download Submit
memory/540-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/540-62-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/540-56-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/540-77-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/540-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/848-288-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/848-729-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1048-38-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1048-9-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1048-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1048-0-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1128-284-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1164-276-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1188-285-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1188-727-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1424-18-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1424-21-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1424-12-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1424-532-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1500-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1656-277-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1668-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1668-599-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1748-275-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2108-282-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2840-286-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3180-89-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3180-676-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3180-81-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3180-87-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3648-283-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3736-45-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3736-51-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3736-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3748-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3748-92-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4092-274-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4144-280-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4412-287-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4412-728-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4628-278-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4648-730-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4648-73-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4648-454-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4648-543-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4648-67-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4648-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4888-552-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4888-28-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4888-29-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4888-37-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4984-281-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5332-579-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5332-731-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5392-566-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5392-578-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5916-590-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5916-531-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download