e01c6734e5072861cfa000b82ed11b3297f1e796b3f82195d3801b2d83788a77

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
Size

4.6MB
MD5

a321fde0816d50950e48f18b014b0de8
SHA1

109ce75f4a9bc4d19d71fff7c1519e187d91f84f
SHA256

e01c6734e5072861cfa000b82ed11b3297f1e796b3f82195d3801b2d83788a77
SHA512

31fa235ce88568028dc9c8cb0c0ed28afcfc8e4021c2a85b0ad7cd2a7bd3c01ff8adc58d1a9e6840c140937d5cb253a06673764d713d3a3527b4b4b52b27a30c
SSDEEP

49152:+3Ncw4INSd5Lk6iKpssiMQIYB3Dpd84n8zonABGRzaDh0QAOnLSNQUo6VuoQDmgo:EGixpMQIYB3dZqLOcD527BWG

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3204	alg.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3476	fxssvc.exe
1824	elevation_service.exe
552	elevation_service.exe
2840	maintenanceservice.exe
4468	msdtc.exe
4316	OSE.EXE
3008	PerceptionSimulationService.exe
4048	perfhost.exe
4072	locator.exe
4804	SensorDataService.exe
3548	snmptrap.exe
3112	spectrum.exe
2904	ssh-agent.exe
4412	TieringEngineService.exe
4312	AgentService.exe
2008	vds.exe
1292	vssvc.exe
5008	wbengine.exe
984	WmiApSrv.exe
4548	SearchIndexer.exe
2712	chrmstp.exe
5264	chrmstp.exe
5360	chrmstp.exe
5448	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1105467c1ed82f9f.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea16672f31bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccba712e31bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4f21a2f31bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002fcd642f31bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f697c2e31bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004aabfb2e31bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3792	chrome.exe
3792	chrome.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
4408	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3608	chrome.exe
3608	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3792	chrome.exe
3792	chrome.exe
3792	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	592	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
Token: SeAuditPrivilege	3476	fxssvc.exe
Token: SeRestorePrivilege	4412	TieringEngineService.exe
Token: SeManageVolumePrivilege	4412	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4312	AgentService.exe
Token: SeBackupPrivilege	1292	vssvc.exe
Token: SeRestorePrivilege	1292	vssvc.exe
Token: SeAuditPrivilege	1292	vssvc.exe
Token: SeBackupPrivilege	5008	wbengine.exe
Token: SeRestorePrivilege	5008	wbengine.exe
Token: SeSecurityPrivilege	5008	wbengine.exe
Token: 33	4548	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4548	SearchIndexer.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe
Token: SeCreatePagefilePrivilege	3792	chrome.exe
Token: SeShutdownPrivilege	3792	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3792	chrome.exe
3792	chrome.exe
3792	chrome.exe
5360	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 4408	592	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe	84
PID 592 wrote to memory of 4408	592	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe	84
PID 592 wrote to memory of 3792	592	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe	85
PID 592 wrote to memory of 3792	592	2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe	85
PID 3792 wrote to memory of 2200	3792	chrome.exe	86
PID 3792 wrote to memory of 2200	3792	chrome.exe	86
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 3876	3792	chrome.exe	113
PID 3792 wrote to memory of 4340	3792	chrome.exe	114
PID 3792 wrote to memory of 4340	3792	chrome.exe	114
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115
PID 3792 wrote to memory of 2564	3792	chrome.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592
- C:\Users\Admin\AppData\Local\Temp\2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-15_a321fde0816d50950e48f18b014b0de8_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.62 --initial-client-data=0x298,0x2d4,0x2dc,0x2d8,0x2e0,0x1403846a8,0x1403846b4,0x1403846c0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6dc7ab58,0x7fff6dc7ab68,0x7fff6dc7ab78
    3⤵
    PID:2200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1908,i,7350086930282621349,10973255668585839657,131072 /prefetch:2
    3⤵
    PID:3876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1908,i,7350086930282621349,10973255668585839657,131072 /prefetch:8
    3⤵
    PID:4340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1908,i,7350086930282621349,10973255668585839657,131072 /prefetch:8
    3⤵
    PID:2564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1908,i,7350086930282621349,10973255668585839657,131072 /prefetch:1
    3⤵
    PID:3056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1908,i,7350086930282621349,10973255668585839657,131072 /prefetch:1
    3⤵
    PID:2100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1908,i,7350086930282621349,10973255668585839657,131072 /prefetch:1
    3⤵
    PID:1756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=1908,i,7350086930282621349,10973255668585839657,131072 /prefetch:8
    3⤵
    PID:3760
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:2712
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5264
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5360
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1908,i,7350086930282621349,10973255668585839657,131072 /prefetch:8
    3⤵
    PID:5384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1908,i,7350086930282621349,10973255668585839657,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3608

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3204

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4012

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4468

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4804

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3548

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3112

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5004

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:984

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4548
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:328
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
658f011356285f5a5c40e48345f81d99

SHA1
34338b00cf9d52f58d0b645ef0723243213532e2

SHA256
444526b8cff07ee7bb296c106cea5d314972bc5011fcdc6165c44f1c74c80fb6

SHA512
6cdfb4951d1900fe53808103aab986a3b308e97d3d4cc9b86fe044d830fa0d66361665db2adf342621d539e91d4cc2d4fc1b805ec0b943e80864e9014f7e2422

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
eccd39ed2dd61339e997c49bf8f90ce0

SHA1
72e6a7fe4394d661434f3335ca37f5ae4f933f00

SHA256
7b686fc337c7fb87053bcc10de7036248472ec5d450ab5a22ce7f6d2472f9be8

SHA512
4888b667d1f15251d9e64cd9d637db9eea8b3175bceae559942e16c89bcb8861caaab19ec0e69fff8735d3368b824b551dc57b7713718399d1bd4e1e64bde7c2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
dfe2aff506e13f31338415b4219e3744

SHA1
31131583db762be5e6d19a005a9899a64a1fff36

SHA256
f8f28e3abebb0c3ae58cfe52b17d94db2c77520157407cee121abada39f769ae

SHA512
a70c6f791f364a1e0209d03e3be304a4eb2578ad5a0513cd2530267879cd84d8932a78e60d6ecf4f9f62024f07c2aa7b7b2bfd6955d34d814fcf03fb7a646d71

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b873644479a89d95996f3d0bb0e71d90

SHA1
2c21aee4685794f247400028c87f632b253db513

SHA256
07988954fdf30687a5329406a7fce538b5d2848f46a6543b998c99e8d0309bf9

SHA512
a40d4a1bd66fba25bbae259d8e5bb72637e7b20e3d50f6b656d4ec02016964828adfd96f35b4d6e0f93e3b24bc1af9a9bf930717ca6a4d77248a904347c50593

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
54156acfec1e9f1b7d62738de6c21ed9

SHA1
898381d33d96528f6bbde74c2a763cafc901800d

SHA256
1d87fd8bffd411da1ed3d26340ab3c454112f25e2f2dbb980a0f139b4d7591d9

SHA512
9a2131a990bd64b0ef1777eb900b16b8f575b486dd44dca644937862dab5218e149d8bfc24b75a19f0b9c057bfdd850ff39c6d0572fdd3596d2dcb215c24ff38

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9e6328df978c6c6374da10db0b3c7ac0

SHA1
8880d9e333001446a53a53aebdfd5ca0fb0ba97e

SHA256
cdcd4029abd0bf1f6a2efbc70d4b21502f036551b674e6de64f4be9d4cac0733

SHA512
6c4903731b16f2f403356e8aafbf49329b03acd129d9c88f09f45823d66b198f69767cd5c3345f7710f670880342c53c0f47c44f189b1d59d94a56608520aa23

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4574bb94a9d04f3e42f99f0da69da406

SHA1
09b9b32a6ea754e75640b78a84623e7717208998

SHA256
c8ca2b7b04c7410d984601db37958abd4ef0913ccba7aac4c43fda5b4c3b4665

SHA512
e223cdff66ab2c05dec29d0bc6f17696f40ff71af351815d6064363825b2d0e4d87544c3ccd65b24a4df3f06be7649ec50a7d5ff671a7f04573cc24511481143

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
722d6fb8ab35c9c90ea09cf344a9cf8b

SHA1
194aef6c01259417825d2b2b952cc72c66a9c4ba

SHA256
8e8306560b8343ca5fb5ca1d71f5523df154c7d96bca5dd7de5d6f8fc8db2d5e

SHA512
ae39d10b8142bbfdd250b60aa584cbec7332d2a0279d05803e019b90de0c9b8bd2ed62ecc5fcfb8691cdfc68efeff96d840a3c27f044cbe5804b400faa032159

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e4b47b830671c59d08f9bc97d537749a

SHA1
cabebe6318437b54c185f31c4af66be6a320d11c

SHA256
89c282a2436ab9a17ef0f1b039a686f66f3193e1350edb15fcccfd31fa02a2cd

SHA512
28d87b3cef73942717bf9376d04b56ab446c665cc98bff1169f3507eb4ed619f1e3bbfd447f031a3ce659e0a13eeff9f665459e9d9e3ed4ec1965cc248dfe697

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6e34bc40f25125497e3ad84050053595

SHA1
ecfc9c4a872678f497fb897007a6339e8555c134

SHA256
3b76a8e0c46a6dc873f45f017f629bb1342d1ded60b75bf700066d04fbad1904

SHA512
dab5c52c64083108e132f7c106768eda3d8cc15ba5715e7e4251c9258674add98555f0c7992c554a8ddd1a4e351d17873b9f453319ab4fbebe229bc66b16dbf6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
76a005d156bbebf75b32906a55f744af

SHA1
57f9f87d14aecd3e4f7c8a8ee904c9ff5bf9d749

SHA256
3d6f1968168e08a6a495807d435ab4f4118d7f6cced7261b0c71d7015c86995f

SHA512
098ac6addb6edef87108a630a5116fd0dbede8749b5713912374ea6ebe7e770f293ab88298deaa76764a35c37004046d84a2dd9c8f47cb89c6ecca028a0a211f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
91d17df634e94c8d1e77e9fb5d566f79

SHA1
f20bb4ba57db4651bd1bc6a56498acca6c5e01ef

SHA256
557959344f2240daae4609513fb5fc048d6d8e2bbd4e3a8a7ff6b5480b80f918

SHA512
656f102f79c30aa36406473353c39eba5fe5c4b4844a8b5556ad00a0516b61055d02432a26e17e582b795993ae13f5e5e3334fd9c7f1f240191655133244c9ff

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f030172336ea2db4aa690273a3ea17d1

SHA1
b0106ed49ba5c00ccbf5ee9a557a8a1963782e42

SHA256
b6e3e81319058200e0bdf3a0ddf5cea56160216e32be4d0b1efb3d0a32f2c484

SHA512
c54a2e91f30730c6045bdee876caebf8dd4a16d88c23b70a3d0b359137532c928125ab3e5928b5a2aa9d4b3d5e319240eb4414cd98e5ee5894ad89da4ce7ca0a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
58e3467b620df0f2a538d3058f79c0d3

SHA1
f5de359ba84b1b2ed0766fcbb9bd626acb30473a

SHA256
055e19d6cb5b4d03b8764ddc5aaabb307b87fb19d113bf59b36943c9bc5f11c0

SHA512
c5c8c765986a8c83014f89a84564a023307d7231a1c9159e0ed3a3a79d5f83ebb90a5fd9b8d62aafbefd08843ac46e95ab2242b36e5ef3dbe3703b58f7e89994

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8d6073bf51303142fd784aad634cafbd

SHA1
6c92b6a849fa4edc3a732b314dc00434edbc8b62

SHA256
d3abab3f39262c5544853d06b22c94bbb5da84a9697939acfd72913424a5c82c

SHA512
69b02a21aba7f14e9bb7499f57a1e3c6a07ba6d8f51e4bd611f44c456d3b2340ab3adbd0eedcab45cdc3e207822c1a1b9b25a557476a9653e2be72811f45da2d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c67e85889f38f7f934f25f7de2b7778d

SHA1
533b728aa8aa5b16d1baaba161b0e96d13d892ce

SHA256
9d1d6f86f1e1a9165b1f2bca116e87b3d483496ca3eaec27cf7c56ee7df3ee45

SHA512
1fc3b14b8660636a67909815ccb8fe9fa69d028c209bb9d196be0909380501cbce923a1a25b3b5ded81015c24de986e2a5997e3d4efb199c3316e200a1520380

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a16c6c83532df14828933031c6e4d636

SHA1
4548297e5e9f634167f7df812c3d2a86cc76ccef

SHA256
516ea9e3faf567c98b337281e7f8ad205e4d3434e45d16cff558d58866c1509c

SHA512
5cb201418b06860aee677737f242b35f34a05c63f131185fc63f01370236a6f336255d75e74cb346f1483188ac2482327f9fec9557e5b665c781b5be2d3c2086

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
42bcdbc7d43527cfcfa7f15446165f25

SHA1
d8d8ae569b2a2a5678a5552f4f48e7c93dbbfec5

SHA256
39538f68782e455cf43d3ef72b38ffce7c417b9ae6b32a5f21fd9da91ef9d8dd

SHA512
37fa2df09a96a4ba4919e73f905ee4caa6297660111cd4aad58758bed6facc984030cc1b62dfaca1a5d7fe19814fae2f5a0b94b13a1c8f15b08a69d1cb4cca3d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1d945396e4354f4c23c297af005cb5a5

SHA1
e53c9fac7746d017fd1c120a64164d73171cff30

SHA256
d3604d0565e8d1e78d8eb055b1e8b6ffa2c6210f1a5af3b27f0b1bf07ff50d2e

SHA512
4c060df390f09db9b273aa3b1ae62cdbd889a3fc8d92136c8ff02ae783d2347738eca15a2e25fe9b46e7125ffdfe822af217fb0d43bbb4270fb577c57f154eb0

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\7ccfcbe7-b586-4cec-accf-dd282f1a68c1.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a4e06574d9362ea8b0ff7aa42f03298e

SHA1
0752a6511117215c7c0b612138916f6de1899012

SHA256
3e58d2f9268cfa04656852d7bff157ec29d72088ba2ed2c1b9d20aa68a8efd1d

SHA512
bd1fa74a977c5c1d1427babdf9b1fe04d0c95cd5e43fbee0a3f988d425134dcf02da8f6b58f1c69c8c978f71dcf5495073ca7caafa5bc9b1879286e2a0e45964

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
42e63473e2cab4ddf60bd73cc354836c

SHA1
1f593a6b05b27de16de5f365bccd7f0f7226d6ab

SHA256
e08428e661685c8bfb464fe749fdc2a6d64afab98129488d8198bbff52a7414a

SHA512
ff521bd8a287df2803d4f22485132aa6334d302184dd121784359b24cf6273c999c681da976f1c5ce9e8a5ddccc08d1897acc652e85b47b8519f0d2bc9ec3263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
37df33f138576b2b10fadb3227ef542c

SHA1
ae64600b65e105b048e8b9afb9317d38eda3a4ce

SHA256
6f5606b27003b2a777052aad386667ed70188613db455345fa1b0502f2c0287b

SHA512
e23c5826ce21a754287dfa52d743e8f07fcd89936da1c119d6d3918461e5244c4dc8c95ac4e384ad155b32d1782aca2fdfdf64981011819c221df5c1670e2132

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
460db90d5a01d9ebc6b5a169e8fc1f39

SHA1
6aba17d4df1792bb5edf93f7a34db69b776fc2dd

SHA256
2552994d2ab7d2d5103dea01d2438b502a4b787be7716ec65e895e7d4085cae1

SHA512
0fff9b879e7a78f13b150d4cc1a77792f8a598cd0241f01646b7a28d9f4b7029bfd4a2eca9cbfdf818d88f817a5e9602b5694a4850a1787e50fb28e3812ea82e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
530808a09a9e8cc238212c88e5a72196

SHA1
0672d0404b5550b77a42f363d274006e978494b9

SHA256
6a6f5395a287e5a0db8aa433d51b855dbdc913002e202de776aee47510e1b2a2

SHA512
b68159b6fed4615ea035c9fed22a44e5fb315ffb0a0cdab37661cb9f3aa3f377471e4b127560f3696fdb50c86268eb90d3115ec09b90c14ecc319e2195b6a723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578491.TMP

Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
860234595b9950a28de5b28de5392093

SHA1
763c09b7c005b1cbf9e241de441dfa09639e4717

SHA256
b39d98176f8367a76fd63a526572a0985a0ee234875fed9c5597a87e300e1ec7

SHA512
149217a10c52ff3e2505475131394cd217494b0bd225e7d49fba4485d2e274de9eb41034e8792a70b2a3b05f0b7a1bc4adbc1583d8f95e44d1aec7adf8edd8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
de58060adc9cc260b39873a8147b766a

SHA1
ee67ca2bd1eecd8bdc9be04b6da45f41b67c43ca

SHA256
4a26a42bd3365d6f0d9c8bf17979d6e8d544c1a87d5252ca49da01391568ae60

SHA512
7de7f1f3c7560d57781d2b534e2ce4cdfe2a5c084dbd75fc96d3a15133266bc543c9eefab5f43b312d395906e60ab4966e930df2d03c8ded78fd9418c570bb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
51222a58e2fedc1670964ceb35c4c95d

SHA1
c13da0bd079fc714a377dc65e9c155621f63dde5

SHA256
927907aa5cb85b60d043b2922be79ff07e3718ed5d572a69644e8680300ba95d

SHA512
d3a7e71b125bb86c257b242db165231abc73529defc66b885b2202a9b69abb37a595a437918341b39f22ed47b9b52b11cdb643afadd67fa0838ef798665747ec

Download Submit
C:\Users\Admin\AppData\Roaming\1105467c1ed82f9f.bin

Filesize
12KB

MD5
4c603238db5ded3a3a1a735662e8ee4a

SHA1
0bc0e75ddbd1529651902d20c4ee5388132faea4

SHA256
42bb9ea32ff742ca6a5539c16ec2dbb61065d383a84f219883269e229dab2833

SHA512
101bf5220cfda69d20c78c6d7f49e99d58383748d26527ddb05e2674581d544117bacb6f7d6dd563cbf2a8d99c1ee1ad7228227419ad5b5411355654cbea1ad7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4df135fd8d0ca373057be42732694e92

SHA1
d7f0815490fed5bf14ef4ae160e7b7493addd607

SHA256
39f000cafd31d23d6f5f2962b37c24ea682e2e715cb5c8c0310568df6ed0917f

SHA512
8fd701fd02b6940f1971c2e7e59b16abebbebdaa97278cbfbf0cc77399cf6ac45159be5544c1438dd4031042e6b76cd8a2ee4cfde173fa84b7512adef84f4477

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
297d6e0199fe45360be2f508213352b4

SHA1
17c27dcb4550f26130c1e8287ab36158d3be5306

SHA256
3d48588ab6e3527608d3933f6b601cf68e7910d03159b0d3271a0c283eef41c8

SHA512
9306aed910c561dd98ea6f4049087aa9971f44259cec761a8b509e4b39afc0af7ee8c333a9fcb352ca9988688dd1b2ce1c9f3698bd228fb26c6c80e412b256a6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8af456269207e84f912cb35ba038f479

SHA1
c78966dbaf2446d21f29e5489a19dea5049e33aa

SHA256
cab8ac2f2ac7e643f6d66cd1d4110b66b0a811f92f01891277f7f48ccb1b658a

SHA512
c273a1654d32f5d5dfb178531f3b6c2aac0992b3a92acbb8252318150207e5ed5381b22c2b91fd383a078adb0c0b9028d141fe8fa553344a70d0ae848bab3cbc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
19e22ca1a9df2724248ba0cad78de42d

SHA1
af1dfb5afbf5e39494a8aee7d870fcbf127f810a

SHA256
999e777fe5acc6a5595a07b52e51cf5ccc731d977808b982d47efda3092068a8

SHA512
922199f5fc919cf51bd51456287f9a0ebfe67cd714a5c22fd911443ea2129fb67bf92e83066d99d002605eff6e4f5db87913323b553646ab2bb9f9166e6e1a14

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
01e9a50c86f8f98bcde283722b805c0f

SHA1
0e2bd862a4e5db5f580ec200d15fde2f8e7cb7ce

SHA256
afadf7189a9aad3b3964c77f25ff4cfe2b6bb81b82bd345651153c5b7fecb850

SHA512
66ac6cb7021b34d3482ff2aff08db3fb5dbee9b93ba4724ea5d490239d8dda22d3f93550dfa60a895bdaa4e465530038982011e99df35e3c1682f9163f5d6a6d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
117eec981ed847b9de49af157fdb9cdf

SHA1
2a3165416f571491e0ffe9b2f800544b435645c5

SHA256
fe3512f9050b8aee2654d8da82233402785a0006808c2b1a6f21386d927c6dda

SHA512
d833be5a5b699c36f6d13b98e04434888849d001809d70cca60c52a0f69697ada62f81775151e7cbf7a1fb32c57b0bdbe459a0dc774827dbcf60b721bd0e7512

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
45eb949853a488c49b9a5ab8acb6e23a

SHA1
f85033110ea368c2587ef19d7c0652a43f11c7df

SHA256
64388ff7f9be70d37030412938750353660996456d7deab0278ec93ac87f9ff7

SHA512
6ac6493aa959d2e495c3a6e90b0b4e32123f5b8016e25e704c47f9c1090e7f06dba996eac7420e21199d96edee517610e98c3a58e80f976ad99fe3d33c0a369d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9a00d1f764c71a80bae49fbbbb1a131f

SHA1
7ef9fa2384332b0d52bc19c4a0ffc76b1a57cff7

SHA256
fccbb2977bf6f3f9c20af661cddb368f2aff78e08d81eda99b1a864689972162

SHA512
c7d59ee34007d98c2166752d037f8a266b64551fdafd70ed0e05dfeffa3906b64db2cd7246d0592533c9ba0c61903d36f9410867d23d464eceaac75d6edf59d4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6167e9e5d45d5cd838bbe8d1a67b79ae

SHA1
5488d4f7bb5af8af25d3c5101a35f73289f16548

SHA256
c13bdab727c6a02090ca5ff4b7b83a0ab586568f376374d9e952fa105777b5bd

SHA512
1181a08dc5e0574615c9f926c9a0625555a715ebf462c1203731cdf6c2c197db93db2d9f250d0bc9d754603ba8418b0ac1198711c98c2ec1cf9ebcd8034c2f78

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c8e86e545e76d947f22856d1e55178a0

SHA1
6c276221b2dc7d1042e9b0d657a867d12b8e5e0d

SHA256
6628f4a18893d8a4741608680abe7554b7f05aa66b1c6913aeeedfb1bb15ae82

SHA512
c09a88cdde51dcce0458dd300ac8d559002a97485e5b85808dc00ee489bb390e84565170116667fbd6e1bb261c7c1e3940b1c5294b4aaa06b2278624496392c7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
885db0f13c839ca9eb0f00ecac091ddf

SHA1
84c77acf93b5d765a94361de444633a2e727530a

SHA256
2e93878bca5941b0fe901f582a4067ad35353d5bb0b16847b8100eead9faa577

SHA512
d88ff63256465ce6c029efe5d8ee34f19409b6ee2c8361035347541a521b72d6119b2d06bc82291981d4de9c1f86cb724893528d2e9b8f8d9f3e3933d8882dff

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d2a53dde30114b92db59c4d823d94851

SHA1
1300d42b1d85a70d32b693e0f0f3147ca82cefa4

SHA256
707335471be9b887c8eb329d2cf5123975dbe4a264f6e8831c8a95cae6978e69

SHA512
be6e31b7f175f456b694f47aaa94ab35b101bde3e96c6751b2ab133d710b8f2c9a452621c2c2b2b9d59a149b397868db1807aa6156c298447b40710000039f4b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e0ea4b03391c441cebe8aae3e8d79fcd

SHA1
3c4c63cf3a05556fcee7927db0f8f0d288369792

SHA256
e51b8dbaedf40fb1a0d0789a93d0926fd5c6c68c5f6f4389713c3eda24268fb5

SHA512
b12b47fa56d7b43efd71d8b0ffb7b52ae316511ea42a8d93b2472acb404f4b8da16c3046df84c7916394b8039f45387e5343506efda595b64e6c6dd89028dddb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
35fdc5d8bd222a6164bb02258c844e32

SHA1
3ae75be491a64d09d854688ccb9aac30fefa01fa

SHA256
8085a17491c43df12b4351f408e118cf95c46a7d8faa1bd56300f7fe901d114b

SHA512
28be6a2643418a63b35bac79b853062be9701a85382d82dc450cb7ba29961a5c53265f91b93f5a78ff629fba93635766f0164d7d3c32635fe43aad87da6f0747

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
56fd44e1ccef410ab3d8539e028d0f4a

SHA1
ba2620702bf3a56abe9129b46178b56c96d9f59d

SHA256
3952ab517f4cead2bddc5b4cbe75fd5f57451d951ed9d46d9f41b081eeadb41c

SHA512
693dcebc131a7578db8a265593a48ded7d9050704276d2d3e9adf2ee22d7a8eda006e9bb83bda7932531cdd1cb0c10c4e6d3b75b7e6885a955ada7e47a56dcd4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a8a08460ee32133ba3cf5b26714bf44b

SHA1
be90edb50fbc1dd878175c0337bdcab3c595de84

SHA256
be97b4d41055d9edcb15a1aafffa1ec300737d9907ff706d49df09c1888bd582

SHA512
1b848f07e3c00b9ba0fd6898a5462bd34220b77b99bd82e18cfbfe9896024cab583f13b3c41333d3fd79a9e9657fe4713ba05d491f57a604328478c9b309bf40

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2da11fa10cfd571e6542f90631945862

SHA1
ae0b81157ba677917225602cbe6975af1116e342

SHA256
f78f2dfdb1ce2c9601024ed9d9e6f50a6338fd8aac7ad94f1d24fd8e9beccc14

SHA512
1d79893130c3adbadd2afeaa4b066068590cdc3f42df3b13a96655572d930f100f1bfca0015035fbc51ed2bbdd465acce6bd8a2643b4901102d608b396c33e52

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e461525194f3b3902908bfa2772252a2

SHA1
e22d6539dbc751d94841d593e756df8b6fb41699

SHA256
2217f931d4cf456468c12777589f1b26f4427b59a14660e4ded15640f0729669

SHA512
be4392fe0c7ff53b74f3b6327a5b51f16b20f3cab3c1dc7bbda75247b7bdfe6ceb94b18865e60488a48a9cde372e408f01d7e416811b83af0ea33abeb9d2d0a9

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
752d5d16bc09a2bab29c267d105afa7a

SHA1
73a3ef917c82acb34cb6e5a939b55464b437fe2e

SHA256
a075d963e23cc30b9eb4f0af6ff750144c6a248c71cc91e2fa672265a65afedc

SHA512
ba9576e788743130440978d915384f18db12180f6a547aaf56a3ed2916e96fda8fc1aad15bfc80584bdf0c9d872ee758d03d9dfa357e93950b722d6dd8c1f7ff

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
20cc39e76c1bd60645dbbedb757db962

SHA1
4f106fcc27df52b008f1ed2a95d2a70278198d9d

SHA256
90bd33fc029a6f50789a52b8e813008353f4ffb3df3b0a3b72d2e47c23221f74

SHA512
0164ef1dfbfd9b70f51891a896b582a602dc648a7b33f7b070d05f9af6c267c4393017486f785c5c03ff03a9b4d046d077bb23b1683363677e9c2fbfc1544125

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
68957335a33e0fad94c5097bba12dd0d

SHA1
626eb99c84fab5bd3b02d9c9474838a70412c21e

SHA256
691808674cce3350948152bef4c0a39706802d2a022d6f8afe5bce4c3d4331c5

SHA512
4fa47a12b87acce65521dad79f721ff41f5b9a75884a31c9765c68712e6f80d50257bac90c87eba301dc9cd6b326b7400eb44518074b672c7ec61a88cbf3445a

Download Submit
memory/552-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/552-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/552-611-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/552-229-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/592-0-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/592-8-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/592-9-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/592-27-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/984-612-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/984-266-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1292-261-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1824-54-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1824-354-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1824-230-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1824-48-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2008-256-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2712-423-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2712-481-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2840-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2840-79-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2840-69-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2840-75-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2904-250-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3008-96-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3008-237-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3112-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3204-38-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3476-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3548-245-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3788-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3788-608-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3788-39-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3788-41-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3788-40-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4048-238-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4072-240-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4312-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4316-86-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4316-235-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4316-92-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4408-485-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/4408-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4408-21-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/4408-18-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4412-251-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4468-234-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4548-613-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4548-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4804-484-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4804-243-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5008-265-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5264-617-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5264-432-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5360-470-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5360-446-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5448-458-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5448-618-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download