706ac1ffaf2c7379331941314a0c00ba8442e57336022a82e502cd82617ffb26

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
Size

4.6MB
MD5

048da482e362d957f16dcbe3e5360469
SHA1

6dec35037cbf404876743be8b58f1883b29568e6
SHA256

706ac1ffaf2c7379331941314a0c00ba8442e57336022a82e502cd82617ffb26
SHA512

e78cc3e6935e6dcd28257f157698cd5ab3e4749f18c90d64a3d839e57aa514a397c9523f07fc63d346e6181fbf13d20416394d5171af4a07ab61d7b619c0856c
SSDEEP

49152:1ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAG5:B2D8siFIIm3Gob5iEaOkf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2452	alg.exe
3568	DiagnosticsHub.StandardCollector.Service.exe
1520	fxssvc.exe
2968	elevation_service.exe
3756	elevation_service.exe
5092	maintenanceservice.exe
540	msdtc.exe
4668	OSE.EXE
4396	PerceptionSimulationService.exe
2496	perfhost.exe
2468	locator.exe
2172	SensorDataService.exe
1376	snmptrap.exe
4216	spectrum.exe
216	ssh-agent.exe
2720	TieringEngineService.exe
4352	AgentService.exe
3808	vds.exe
3944	vssvc.exe
3720	wbengine.exe
1516	WmiApSrv.exe
1752	SearchIndexer.exe
5160	chrmstp.exe
4336	chrmstp.exe
1524	chrmstp.exe
2612	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\be3d2700293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a79bb78d77c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008479538d77c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e28838d77c9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dc1dd8d77c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acb9d28c77c9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e9e798d77c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640654223435656"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ac2be8d77c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e28838d77c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc69e38c77c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000368a858d77c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
8	chrome.exe
8	chrome.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
6008	chrome.exe
6008	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
8	chrome.exe
8	chrome.exe
8	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3412	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
Token: SeTakeOwnershipPrivilege	1312	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
Token: SeAuditPrivilege	1520	fxssvc.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeRestorePrivilege	2720	TieringEngineService.exe
Token: SeManageVolumePrivilege	2720	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4352	AgentService.exe
Token: SeBackupPrivilege	3944	vssvc.exe
Token: SeRestorePrivilege	3944	vssvc.exe
Token: SeAuditPrivilege	3944	vssvc.exe
Token: SeBackupPrivilege	3720	wbengine.exe
Token: SeRestorePrivilege	3720	wbengine.exe
Token: SeSecurityPrivilege	3720	wbengine.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: 33	1752	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1752	SearchIndexer.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
8	chrome.exe
8	chrome.exe
8	chrome.exe
1524	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 1312	3412	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe	80
PID 3412 wrote to memory of 1312	3412	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe	80
PID 3412 wrote to memory of 8	3412	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe	81
PID 3412 wrote to memory of 8	3412	2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe	81
PID 8 wrote to memory of 2492	8	chrome.exe	83
PID 8 wrote to memory of 2492	8	chrome.exe	83
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 2212	8	chrome.exe	91
PID 8 wrote to memory of 428	8	chrome.exe	93
PID 8 wrote to memory of 428	8	chrome.exe	93
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94
PID 8 wrote to memory of 4592	8	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-28_048da482e362d957f16dcbe3e5360469_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4014ab58,0x7ffe4014ab68,0x7ffe4014ab78
    3⤵
    PID:2492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1912,i,18253825917196471375,14547815418783203950,131072 /prefetch:2
    3⤵
    PID:2212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1912,i,18253825917196471375,14547815418783203950,131072 /prefetch:8
    3⤵
    PID:428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2092 --field-trial-handle=1912,i,18253825917196471375,14547815418783203950,131072 /prefetch:8
    3⤵
    PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1912,i,18253825917196471375,14547815418783203950,131072 /prefetch:1
    3⤵
    PID:5084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1912,i,18253825917196471375,14547815418783203950,131072 /prefetch:1
    3⤵
    PID:2448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4208 --field-trial-handle=1912,i,18253825917196471375,14547815418783203950,131072 /prefetch:1
    3⤵
    PID:1908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1912,i,18253825917196471375,14547815418783203950,131072 /prefetch:8
    3⤵
    PID:2612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4416 --field-trial-handle=1912,i,18253825917196471375,14547815418783203950,131072 /prefetch:8
    3⤵
    PID:3524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1912,i,18253825917196471375,14547815418783203950,131072 /prefetch:8
    3⤵
    PID:5188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1912,i,18253825917196471375,14547815418783203950,131072 /prefetch:8
    3⤵
    PID:5964
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5160
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:4336
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:1524
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:2612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4212 --field-trial-handle=1912,i,18253825917196471375,14547815418783203950,131072 /prefetch:8
    3⤵
    PID:5548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1912,i,18253825917196471375,14547815418783203950,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6008

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2452

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5064

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3756

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:540

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2496

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2468

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2172

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4216

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4856

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1752
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5844
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
648663c48900aeceac12000115f0acf8

SHA1
be85ed024e7e002c54abdd92abc1bde8b2bd79f1

SHA256
54ea0e4bf72adb9c987f44c0bd32645ea6941a6f2132b96620db2fce75f32195

SHA512
588de8a575cf3be0015ae4fc496c0c2bd43b835b5b87580df97b2cab64fd8c7ba6162ce779020f2c3fe0da53ecf7cce78530acb1af3832c62653dfe9047d0b02

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
fddae91624cd78ab4b873b9b36ea3377

SHA1
d582ab429a4843f5e1be3d50bc1bf888a1531bc4

SHA256
6fba827f8965c56da9a77def70f1102206039cd357af7bff733076e24497ed42

SHA512
69e493844ea44a3299cbda6fdf1ce12c1dcb3bdee8e100f25cf51f24c234274853ad9201bf03312cdbbada12304ea1dfee6b1fa8c4c5267c572ec0f1d4cd943b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
2bfe576390a67fddd4175aa9b00ead6d

SHA1
bd97207dcec39f66f8d2e93be10f84cfc65da9c3

SHA256
b8d700c1a55152e0a3e3a53eb41e977e27f0e5034d4401791ea6b9a2a76c438e

SHA512
ed454378460860e9eb51454082126e31c71cfc4e6fc60fbde3a366b1aa244da6e4af53f93ca72b6cdb597c8a62bf63159805f57398ce11f39e46f76e4a80eada

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4ed318f9bf985c5f27b238abb94e60c6

SHA1
9d6d9ea974d663b91d051e7006085df9ea6851fe

SHA256
cab77c01ff3ec60c4223ee0e16c2ebbc2d3e9a0a85aefcd4b868b1e637fe5ee8

SHA512
e52085f888d392cb6a86467747223a535b742c962f2b67397d396304920c86d1100fd1c7ef7654648d50d3bfe43df0752e9df5ecca77bbc1476575d93f1a60bf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ff486551f75485d20684afca7b74e072

SHA1
77022e6a49b1487ba5366ff79a462bb15dd6e244

SHA256
d2bd62602523a4a4b68f2640a9a09379dfc3604c8416dac0c2e2929771820d0c

SHA512
f8463480a7b813bd5442c732307973ccfa39ce6ecea2e09058b1a71a91b5602cf0d22476a230ec1267ce8a315acd41d892c2072c2cf5b8275cfbbf8be14cdcf8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
139466b528f67bac9eb9a55aaf806f78

SHA1
ae7cc3f067ad938f9056eca1485817118e5068e5

SHA256
dd342dcfa678b515bb384913217eaba805ff45b0a182bfdd9caf6a07e30c73f1

SHA512
043cc0b90049ce4550ef9bbc485b3d53c07806a3a40c5d7c9165ba09db33f5b51ceb1bf8cd00ee4c138878a399ce36def0ee4bbfd28423dd0b027d0e7c7af8db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
598faef248ba6a7c2c368b67926dcf2c

SHA1
3f1d60b928776e9859604ca4ec81b82fc0adbfa5

SHA256
f1c00d2f8837c5759010425129c6dbd9e94f218aee91916616326a4689dc9885

SHA512
d089aec37e0b821140bab6310b2e81ed89167ee3003928c05101f7b1278d17ffbfbc3f3e860940134793f918a9c62222089579c1a8d01e96ec273a9e82203c26

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7267358e19a31fb32dda3ed1a7946c6c

SHA1
7d7dbc012ec028cdabcce5efa321018d1c9c4942

SHA256
08afdafc5a3cc7113649043ad7f9a8f6e25b456e352a737223af534a421c66bc

SHA512
cab60aa02f99a0469c143a510b4182f23af9ae069b9fbe60991166314c8abe76434d06336da3bfa6af95cb72f983837caaee5982913dd697f00ffc120a791680

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c278851e9e0e2cefaa09789e9670c1d4

SHA1
175a30d4083a53ba75dfd112352de869f3a08a4a

SHA256
1b1d02b660d82b251702f25607922092bf1803d91e08e7553325705e8aa3ada7

SHA512
d6b1ad7dce2a85a6001527cc7b46d6114dc1615bce554668b3a42088abd017f107401bac127b1fe2af6932b9a8fab7bdce03d5037a33694228738b756fc1aed9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
69271d9b9f0bcca4e22540f358f9c612

SHA1
afb9c15a8ff17f71fc0ac00750ff2299338b2392

SHA256
9d0a47462dc8e92b93f5ffd87ad8bd5e24b2e83ddf83171170b9e63fab07caed

SHA512
482ea0c9a1fbc56118a5bd574e57c8607905dba32d428c5b8ac3353fe00fb27eb0833315e24b09069ac2db1551841d68ebe4615e5f66b662d61470b5875c4c2c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cf7b76e20e93031ea9f3f7057a6d1255

SHA1
fbc9c7193d9addee754b295e5e473caea91612fc

SHA256
f6cfa23068cca355ca200f3e6bd9796437c4c0c02bde9d101045506c619f0f8a

SHA512
eb4c217e1f342ef0d68192865901f2b2691b6656f27311075fcad1328288df46f76a097b66d30750f3404186b2db3ab8b59c501e213a736c7b0e444e143b0913

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
add18c73cbdda355de5ae3b59932d6f6

SHA1
8cc609f5c84a6fe828e65966808c42cac12aa37a

SHA256
72780b63bffdc1e407f604169e6853b8f8b981aaca8fa3dcb6b494a4766c6d4f

SHA512
e58d61c20ef798e70ede8d2cb6569ef61e35d1c82b60fd285c2e24bb6a5874a6221125dab40e6857ff94b3bdbc1ffd5a0066ef765fa18cf7ff34b96f15ef1227

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ae7206b34e5068f4497555632326f1ee

SHA1
db6a79a8a96d432fbd6bdc294986c9248638d193

SHA256
fe2c07df20ac67f7791637e5a3f5ff49aa59cca062e2aa37389d098bb0acb946

SHA512
54c6122c43a17af7eee2ae885ffe5bbcd839849ee64a4151a960b667a4dafe175540cedebc42fd27596e43cf50b9199be68225d9ce285fd28525eeae51c8f4ec

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
fff8df83568b934f65405f44c8077e96

SHA1
287efcd9fcf451c94d6131a1fda35a61411ae03f

SHA256
0d9b28eba644d7a8bd471367683cc54ff2f9bf9a9f2eb5ba81be6325b640fcfb

SHA512
de75ba2b03c64e388e9ba5f095860cd83f959ded2137d8b2d61850cdb8d4b295180063d89770495b7ff8797317967e82d0ddeda988f2f14219be6414758e3a3f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bcf0fcd5b910968e78278f6ba553b132

SHA1
dfc13e803795b88f80a052e314894df164b2768f

SHA256
a8080e3efbc960a7dce337d0d1fc3574a143a9dcd56026790f6fcef042fbd2a5

SHA512
dc51a613e4fcb17c073d7faa3a9214ef3328e97334e1a843d75d11f94412be4a2a91071c470644e16a70b2e0ae198f27eff9b9baf004f959670860613cc63993

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
13cb15102565dcc8fb8f2f209969c5b6

SHA1
552c8902bbff7c1334c26261c34d5757c062c4d6

SHA256
05a4ee3ae761c3673af870f3187d87f9f08dcab1d68d408e6ee6125ac0a9295e

SHA512
208c999dce2ef97e1233d702a0446f9aa60f573632e37abbc2985e524319f67f13969fd364c7914bac3a529cfa6f27f05e01b13b35a0c6fa4603b7fd4844a882

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\10599235-7971-4d7b-a889-5127ccde9515.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
927b3346ae2c06fc664b3b979633abd5

SHA1
85a298ce5af1492022badb7d865981054e0290f4

SHA256
87061034f2c83cec976870aee31478a7f621d470de1fd4c13996c5b24c2955a8

SHA512
c5bd6549e031326cb7a64c84d3f911ce697fcd33eddff4953046ad2f0ff68838ffb569435e81dd46b9363d54722dd7a07b404275d0dbb8f07172efd7aeb6a731

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
76cf525de223bde8c29df79bcfbec912

SHA1
a81e5a240b4d1367a62c10eda1eadacde5b9ddae

SHA256
934835cb837195995d7e7e718bea6d7dc619e2aee11f78c9e58b88e3f9969f8b

SHA512
9d2dd4c18fe75e8a42e3d631f70a565866079a55cb0a82f54b36e798f76cc948fc2d8a322f503bffbc4ff3f45a19797f774fbd7f2d500974469d5dfc5ff754bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
12edac47ef5f6e62413972deb5d4672b

SHA1
c89897b6937db2eed2487f740c3bae44b714c913

SHA256
fcecf7b6a2dbbcf04a0d99ccf5247e170dbd1e26b9cb666acd5aa4b47cbb9cf9

SHA512
b194d8b8a15254e4a5792d8b0748c71ec579428c8db9ad95e5061c52b68b8007d728769e358383f8eb86ff73b1bafe2b55c816c836cb991b084323aa76232a2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
50906d00568aed2886fdfc3a6684e520

SHA1
959d8a5d7c488496bede389ac487bda1e155bda6

SHA256
0dce0e17737595fd5673653ea1bc8914f7f4e07192a66e3dad2713772c4a582c

SHA512
1a011689509a1f3c01d4afac94426fff3926c31f7adea3768621d21a56aba4874a7f0cf1a60c6f2c138871f023cec5dd6801004010ee38c5c9cf28bb1e784eb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0014f4ffd2ce98c0f5ce3be5a7fbc92c

SHA1
be407a37d942ab30521947984a8af15d89db0f7d

SHA256
5d86d9ce0ff18163e824389f2eeae1ecea86a185ee1bac0c6e3e7be98fb84a7c

SHA512
233703c97ea3eee9b2572ebb1b5738de934ba8476280d062e272727099c090ce109c13f982fd93b7e3d9eaa19ed1cc613e39d44fda448aa3d63ff8d4605e3575

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5770ac.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
1698162ab439ca0502936824926d7fdc

SHA1
ef3ceb6c96b90e5c4c69a646a0bdfbb6c2c9ad3c

SHA256
3156c28a36e2df8644df3a68057989aee5f7650cffd57f3fce8e4fac36311401

SHA512
f32080a2138337b4b8a3382ad6ae675fca743b6ff6c26a883dfcda6e76614f54a8827453f13c2704dda0b50adcce84148340b1802ffcf9bb70b41a4e8e486620

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
02f354735bd38a9b0b56005facb22056

SHA1
67eda676240d594c77e9ce8e1bffcbc81e1436f2

SHA256
dd022325798e468d18df82040644d5231b15c1050ec1b5ead99f2f0432850c71

SHA512
d7bc92908b7d620f4e6c1db9d42ebad476afd118fe93a0f848c6cf23a822e8cbba1a8a88ce530a92a99cab3d35a316afec36e7dc7b1547f6065caa179ff86436

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
8d672b1df797ae16e7aebf3d52dbada4

SHA1
5be95004d67a018fc658062654e44f7b4e74018e

SHA256
66db98fc4b88cebdad93f84dcffa9625e28e7e55134a39148d28b60b44324b1e

SHA512
18d75797a69c8996e0286fb8d773c9bc1dc9fb44fda4c3b7cc788f076c47e3e87ed577e1c3d5121a4623c5d652c5fdde572495e3ad4d163dc017fb954a22878b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
4879c2f64aea5e13df7456c5e1b05234

SHA1
b5338fb93dc3b9cbfc85362c826787b7df97a675

SHA256
7700b0e062f3a68d31cb1c343a07ca699297f31c9b8d276464a84626d80f1531

SHA512
929091c5b40d59b8a7a5902b8766b5cfd923ddb6339a7c145149885671231b1480422d92619ccbd908f1a646e767c5587f1da9f171b1129bd2783c7e683d5d02

Download Submit
C:\Users\Admin\AppData\Roaming\be3d2700293b476c.bin

Filesize
12KB

MD5
692611ee9f5fa6ff4025ab76ecfad47f

SHA1
2a35a6dde3a5c2f6c6e59dea96503d10346c51f5

SHA256
5bd2f7f14bb15a758bcc0e03be1772acf3bd28e082208006c6da7877c1e9be15

SHA512
d7e37bf8074ad897595bbbbac770858f744d6726ac7831e60f94671d3396dfb407137f306487cd37d0d88b8cc35461ffdb57310410f5c6b386681dae7ecedb38

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f7604fb8bf5eeb007ad986f9bfdb09a7

SHA1
d10fb33a9d1cdf432edfc07a4fb56b77cb7e342d

SHA256
065166a7a808d10791f66f3f1a07799864cecbb36627fbe5aafade4c3da70058

SHA512
124b550f14eeb86ab39b640612d87061ed00f26bf40bb99f97dd27a5dba6a310fc41cc646f9b4b3cbe9cf61792c02e54a5ad923770ac170035a878da085c8c95

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
09d61c9e26f0efd49b7354a53332d7ff

SHA1
54856011871d30598c4b1a78ac7afd1828bf776b

SHA256
9d60784b326dad634d0425b18d2ae398d912681ae1fa8b62b50bb9cd919bc8da

SHA512
5fb13e12ca746a14951c28ecb1ec6467153b5912d578780e8388fb15d9a500ccd9b05f7b4366dda18ec4aeb541b4fdcf539b8592bfe218e0584db4bd4fb2532b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0d2a19ce06bea48966ffcd0d103a2b2d

SHA1
518f8b50a20b666c261a16359fa0738d53583eb4

SHA256
7a2052a330258cf86fe8bff2b03c3963237a24e3fa7a54d0314132ed26e38ab4

SHA512
d589fdaa2b8a79834dfa040957f29ef07390c5d47fc9dcb8bf3ff8060ee9387b1c1e813a484268a8ed6d65cad1085f4a622e8406e34b81a83fec23dde331ce17

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d17392bc4e3adc89f19cdb3de86e2118

SHA1
e51fb9dbab13ed4c01a6ccdad7e97867fa47dfcc

SHA256
0ca073bc2e59a9416e3cf284255856b29d2dfea84aa42a4859a8fca3b88b07c1

SHA512
84d718421692a39dc7a63286ebbfa400c9245066a4422aa5ffbbb19cdb30b5f5c657ebd195429d5965de9e5fb42afd732f61bcf71c5fa3853d04132d792ef77e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6be24ed86d2a04b1ff20d89cdd154c37

SHA1
d3146d0b8b77ed8ff0e94ac90a42d9d359f1dcee

SHA256
9129ae87e89f056019eec7cea3905517f4c156576a9618be26b5741aa3df445f

SHA512
9d491059d0593c4c1bd4a776f85d9a934c7da6a2ca2d36b1e7073a2cd862505d97a917b8f2436d717b8d4e54e341d9e1c75119d2e8d7d6ac8d2e75903957bb0b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
eb28576ecec0307fbd60632b3d3f2423

SHA1
de90106a5bcd74baa66c6f97edfe899b447d83ed

SHA256
c4a8f79d61b74ebcd82822f53093fcadc62497c047892ed9ef75163dc7059955

SHA512
e221006a334092a88af411e6549a0f14decb51c36132607b8b40a7ada0d68e4cd36651dae7c910375450c79852f6acf70ab5d1c52ab0dd33c4b4993b7fd5d65e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8653a85635179f0608ac7e0a9028f318

SHA1
0e7e726ff4e91910f3dcdd9a2f0002c297f76a26

SHA256
6cedb9b89eaf6566a8630ddb80538c1c1ec18ae009fa9d206fdbaa89c623dc32

SHA512
b883fd079784e62f8d1ee4b5bf9921d70e88aa7899cd51211e7ddae8fabad4463e685f7d5c3c291faeef08d2bd9f120d200a8ad6eeedb1a878227680ae8f0a83

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
08cda3c1310fd33b1c0b605facd8fcb8

SHA1
f209ed5628ef176e518e3ef13f2411834c9184cc

SHA256
3830409a5b997685ae84a03b9193911f194ce09f95d320fbe10716604e53f6be

SHA512
c2ba025e383f0a239fb557f077615adfb5d3f6374cd7a8230326d31397f396b703b28d6693775a12e01641c5362154d5a29342da3ab28457f96f18e0c27e3736

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5e164d932e66a0f2e8ec1494d3c2536c

SHA1
35698025397462e4a5f61b2e0002197ba0611f5a

SHA256
29babfea20039a4e4a969f466a11fe4864e925a1a226035c29a13621883c175a

SHA512
70fab650ad8ebab315a9db861dce10f6d119ed9af6fe8b2be424c2a255ade5b20c7931da527d97ac5aeb0effa4c81bcd8803a05050caf3bd75fc124612eb40d4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
19c228f88728a24b2fc050b846ded1bd

SHA1
12f7aea95490eaa241c7e8024bf6c3a3c84514d4

SHA256
051c688e65c49bd3ffea6c4bddfe97dbb640b3e43d541db4a51f525d12b55c70

SHA512
0837b1f24ac4b15f75f7ffe55c4932b671ac98c56f63763b43782f705fa82c40da1a854d01a1adc8626cfcd8f59c3d09bd3eba0a5e611ac71752651458fae524

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6b5f668b93a75ce0540bd41670a32ece

SHA1
b8c8d4df4fd901c7462f4652b60f0b8b84eb72fa

SHA256
e6156a5e940795dc0e114041c97cd5a2c03d088d95ab97b68eee04453136b2f2

SHA512
bf9ec7adea45a1be2291e2508b0b7a88575779b133c7b076366f4a0d8db7d1e4bb634d2a08a7786d7c1b75e819d189c795f1189a9c72e74881f59f6101d813c4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5102f84cf72696fc7906ce777d08761a

SHA1
4cfc9278bb5a442a06e9171a8d28d71bac107917

SHA256
7c0e7432c93e2980cccaf7472c814964513b8de17b1649a100facf85765fca47

SHA512
6dbdc1c0b203d9e3c02a5103c013107c83c87b65978e167b25b534542d1e6e0511bde30bd8cf0ad3558d8ba7effb77ef2a64ede6a8c33c1f33ac44ad80156f56

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
87e46e140c6954a74db5ed6bac231d6f

SHA1
6ede0463ed3caf2675ec62d4cf1172ee9fb87fb3

SHA256
ae8f4d78dfb5dc1926fb6d54a6ed2b23edba9650e92c933f841a8672f7c7991f

SHA512
2c572a7c754f370e504e3a23d915bf78fd5555f6944eeb7639487adf0426ccf4a2a0d07252a30c3378b3ff37fae87be265dc8863b5d75ea6daadcd5bed9a96cf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
29c4d4b4ab42698e466125a2a3ab5a79

SHA1
3b1134d811497de9bf3915777db9701f97ddea45

SHA256
29782e581907aa36a2b3f264b1afcb0c8b72551374dbeb6fbf7fe8f7d5e61eb4

SHA512
5164e39ff3b6e32340085e2c698a9476024551a4362c43fb30aa954477fa529bc36f0fc250cbba57c7ee8547c7eb5d24f4da22f563305f7611b0c34b5dbef0f5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
91c9245fc84fe9a83f03c81ac92fa0a9

SHA1
4fb0b89cd9d027e553e6436575bc6f156f5dd796

SHA256
8c13da1e40752d40ed7a41d13b89fe34ce1ec16b5962c89b0fa2c77bc5f48d3d

SHA512
8bbfeb6a7bac6f7e63ea504db82ae9c89728f4e49e5b76e91310faccd3834d2b674749d2e84f7a81adecb7f9f9c0985924e9141b1cf7ae401f4f900ec6f3d5b3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3a155000e1c515bb2d5f3e26a367d5dc

SHA1
d4f6da184ddc25049f1397a0c15564817dd7e0c6

SHA256
c76f5c46a08ce3973775d1fbaa874eaf33be049db7085aada4aa1db998d22a4d

SHA512
50a0ace5bb7c11a43e161e034c6fdc4125cd4e2d98efe251273c6032078f12d2f2f8e60a1a6bff86293a36c9642aec8301ffb2eb2a07c8c7417943f1fb3bd61f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2b803906573e574e4262481df8fa130e

SHA1
fe25a2d6a61e54eda1c5261495082f11da5f4956

SHA256
3085a964ff1c08e3e80193a9f3a4a151d508def8254e7a1accd7013955a9d89a

SHA512
8b7939d0786e74ae76b3e8e163a24c186ef24452a85bcf970c67a80fec66b0da66646c824790ea0a37ce2a4a02d13487c28cfa0ad63c4c2ded5b668a5bd854b5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ce84086199e70337e33f76243289a5a4

SHA1
3d1304015df478e3358414cd1ff798a3bcf16cff

SHA256
58d3af8758ad578d38334a338113addf8a105568353ad4f2690e40e21adf2622

SHA512
3854e910483a4e55e7f4d711ce37fe96522d042c217f5c7081c8c58df11a15abbee133abbf29b1caf79817298c8a3ea104a3f239e16ed69b66f587014a7aa638

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dca61771333086197c2bea95f5777fe6

SHA1
cc637111cd3568fc9bda4d40b886e4104c35c8cb

SHA256
76c02425711d080952ba23693ddf6aabb704fb4744fca9623555f185fc80a42f

SHA512
43604354ca566af9343839610726894bf9b519962911b49468ca89c99eec85badeedf9d5c695821c1ded67a463eb1b0c6fa160358af55851163c8787d001838a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b45285c9d62a0e72831217eb4622fabd

SHA1
90b46c4c6bc90f2e94b747eb98f89fc284604b93

SHA256
b9a1bdbb7061f07b10ec0f641cc6bf9001b2bdffb0907c9c2e932b1a9c4081db

SHA512
776b3bd925a5aa86a2d9448f098480d58b8d64d702f48cca5e403f90fa45dac024169248ef8a972c34f27ff0303acbb662c016932d348efdeee04f88e24f8495

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a9012ebfa3000d10fc4c7ca576f62f0b

SHA1
db34518b204b45cb2da08813dbafd81de7851e63

SHA256
507ff068b05e7d31f88d89db81f93e287aee5aead64daf203c6a996007d2ecbd

SHA512
b7630375292583ff89efe3b8eb0019924195de605eca9f330ec383f7bf1919a87536883224fa19df09ad6324547898d3193dd530277ed3a2a461533a36ca2ed9

Download Submit
memory/216-221-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/216-542-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/540-114-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/540-250-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1312-11-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1312-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1312-17-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1312-140-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1376-510-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1376-198-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1516-295-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1516-771-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1520-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1520-62-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1520-76-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1520-56-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1520-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1524-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1524-536-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1752-774-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1752-303-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2172-186-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2172-502-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2172-742-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2452-185-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2452-36-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2452-25-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2452-34-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2468-173-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2496-174-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2612-776-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2612-556-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2720-607-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2720-225-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2968-67-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2968-68-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2968-74-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2968-163-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3412-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3412-33-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3412-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3412-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3568-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3568-44-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3568-50-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3720-294-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3756-224-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3756-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3756-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3756-89-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3808-251-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3808-760-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3944-271-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3944-768-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4216-535-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4216-210-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4336-775-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4336-520-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4352-249-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4352-236-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4396-293-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4396-154-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4668-262-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4668-141-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5092-93-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5092-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5160-593-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5160-508-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download