61bb6413b9d4ba3b90d27075e5fbe5d24030bce5f987b4fc48616dd7576a9328

Analysis

max time kernel
26s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
Size

4.6MB
MD5

796e69f0c0513915ddbe3c525a76e136
SHA1

2029e74ecb231da8c1f0421aebfa01355f941fec
SHA256

61bb6413b9d4ba3b90d27075e5fbe5d24030bce5f987b4fc48616dd7576a9328
SHA512

4122aeb561be98101b26033849b59342769a819f61eb987de1128cb741da0052d254896dd6988957c57f5d0c5a2c2dd1d47fe2534e619ff8754da774a41df066
SSDEEP

49152:KndPjazwYcCOlBWD9rqGfi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGT:A2D86iFIIm3Gob5iEMehgL5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3940	alg.exe
1144	DiagnosticsHub.StandardCollector.Service.exe
2312	fxssvc.exe
1980	elevation_service.exe
1484	elevation_service.exe
740	maintenanceservice.exe
4264	msdtc.exe
4728	OSE.EXE
2548	PerceptionSimulationService.exe
1824	perfhost.exe
1152	locator.exe
5216	SensorDataService.exe
5308	snmptrap.exe
5608	spectrum.exe
5804	ssh-agent.exe
5900	TieringEngineService.exe
6092	AgentService.exe
5192	vds.exe
5488	vssvc.exe
5172	wbengine.exe
4740	WmiApSrv.exe
5504	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d829c6f185dff9a7.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0F1D587F-0CD0-4502-B48A-EF0248B94ACE}\chrome_installer.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5e9015ce9cada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000070f1a5ce9cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce0a665ce9cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe86ff5be9cada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002575045ce9cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e372ec5be9cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092851e5ce9cada01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642242454756304"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be211c5ce9cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ced22c5ce9cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
640	Process not Found
640	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1744	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
Token: SeTakeOwnershipPrivilege	2700	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
Token: SeAuditPrivilege	2312	fxssvc.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeRestorePrivilege	5900	TieringEngineService.exe
Token: SeManageVolumePrivilege	5900	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	6092	AgentService.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeBackupPrivilege	5488	vssvc.exe
Token: SeRestorePrivilege	5488	vssvc.exe
Token: SeAuditPrivilege	5488	vssvc.exe
Token: SeBackupPrivilege	5172	wbengine.exe
Token: SeRestorePrivilege	5172	wbengine.exe
Token: SeSecurityPrivilege	5172	wbengine.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: 33	5504	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5504	SearchIndexer.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
5532	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2700	1744	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe	90
PID 1744 wrote to memory of 2700	1744	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe	90
PID 1744 wrote to memory of 3984	1744	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe	92
PID 1744 wrote to memory of 3984	1744	2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe	92
PID 3984 wrote to memory of 2296	3984	chrome.exe	93
PID 3984 wrote to memory of 2296	3984	chrome.exe	93
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 4604	3984	chrome.exe	101
PID 3984 wrote to memory of 3260	3984	chrome.exe	102
PID 3984 wrote to memory of 3260	3984	chrome.exe	102
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103
PID 3984 wrote to memory of 4688	3984	chrome.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-30_796e69f0c0513915ddbe3c525a76e136_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff2e1ab58,0x7ffff2e1ab68,0x7ffff2e1ab78
    3⤵
    PID:2296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1884,i,16320054196272374270,7433801352145394345,131072 /prefetch:2
    3⤵
    PID:4604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1884,i,16320054196272374270,7433801352145394345,131072 /prefetch:8
    3⤵
    PID:3260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1884,i,16320054196272374270,7433801352145394345,131072 /prefetch:8
    3⤵
    PID:4688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1884,i,16320054196272374270,7433801352145394345,131072 /prefetch:1
    3⤵
    PID:3972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1884,i,16320054196272374270,7433801352145394345,131072 /prefetch:1
    3⤵
    PID:3136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1884,i,16320054196272374270,7433801352145394345,131072 /prefetch:1
    3⤵
    PID:740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 --field-trial-handle=1884,i,16320054196272374270,7433801352145394345,131072 /prefetch:8
    3⤵
    PID:4516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1884,i,16320054196272374270,7433801352145394345,131072 /prefetch:8
    3⤵
    PID:4484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1884,i,16320054196272374270,7433801352145394345,131072 /prefetch:8
    3⤵
    PID:5460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=1884,i,16320054196272374270,7433801352145394345,131072 /prefetch:8
    3⤵
    PID:5496
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5160
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7b852ae48,0x7ff7b852ae58,0x7ff7b852ae68
      4⤵
      PID:5244
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5532
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7b852ae48,0x7ff7b852ae58,0x7ff7b852ae68
        5⤵
        
        PID:5204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1884,i,16320054196272374270,7433801352145394345,131072 /prefetch:8
    3⤵
    PID:5140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 --field-trial-handle=1884,i,16320054196272374270,7433801352145394345,131072 /prefetch:2
    3⤵
    PID:7140

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3940

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4976

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1484

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3924,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
1⤵
PID:3184

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4264

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5216

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5308

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5608

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5888

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5900

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5488

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5172

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5504
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6520
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

Filesize
2.4MB

MD5
47480d539f5608c4e18972c01f34c035

SHA1
bcc5b820a9c805e5627cd25630e7a20124caf188

SHA256
6a9e950a99e6bfa6fbf8d5fa3701217393388085624ca6e1e23dab3f8fe02a22

SHA512
c1a7a7e4c51cb7abdfa2a1e511578e0d314d5b1d741f5e6fbad8238320e17a9dac5d097f53d8bf9d7a2068a0e45c942eb02d213187f37d032b30790a35c3373c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
bf16cf92d1491a96a274ff1a0ffb3de6

SHA1
9ad53f9efc2f1bd3f8bb42e7c585834eeec3a9df

SHA256
3281b3dd75ee2acacff31d0ef7b0985f1d872ce10e80b8e0887f864891ecf232

SHA512
de884def761df2d40a8215313b158fe23c5ece0bfa4116ee401c33f53edd02a4fc6e9e072fd127432cc83ab5ce6204ea5886c2f0450666980d3195b3a84efc54

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6440ed3d09270f33876a05acf247ecdc

SHA1
f666959aafb04e5b54039898b4734509cec0e9fb

SHA256
b88d36429e6b8db0055709df9c5126e46ec15839ca63b6f444094bf2c00a1bc4

SHA512
dd0c55b6a48ef7d1c6b40e7b4103ab9d02a993e0b563c55b57b9a6a824dcbb72a7ab0d30879a856df33aa07ab07bca3e1b390390687a6f890e8a1af35131a35b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
438a44cff9aa0445c462a67579251a72

SHA1
6d3e09af20668ec54933659635fc5a4f31cf540f

SHA256
53d9d4a5ed36a572f3fc615ceab979e5869ebae617a15a772903d2ab8feed570

SHA512
ee6f325a1eb450bac4c0a871ff9845240e3e575a60de71097cf5757c9a9d03d8ca70f635cb5a3264274eecb4f7cd04a7a5866e998c86d1ad33294b8d0cc03077

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
04c3390163f71e38c47508a7b3440d5d

SHA1
1d6501df7a4235b00dfa189ed25272c23eed3f3e

SHA256
3f1a6ae91bb0614af5a8f05a13751ee41b2541039b14a7961b01fbffdb6303ca

SHA512
e014d40735609cd8e9c84b26a79aab8b44dd2ef4489a7a42a6a8ff0d6232998adb525c6158b80dd7e5fd3f92964a5afa4fa0b2cdc1df20ed616cee9b7257084f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3bae36c2f4702c5adc268c26b914e3d9

SHA1
de48cf88bc22e4c7038ac280fde52ed49f105ee3

SHA256
4c7b2a10d2c49ddf93b2bc53c4272f22817abf1cbe6d5993f1851f2a019ced95

SHA512
69979038cabe799ba71b40c7ac32df9c4177b3019308e81b1411829c638ad6eb7d4fd10c6c336bd0b8dcfecf7a7404119823bdedcba07d5a2f8447a7e81da007

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8bb1b706bf156a60b6331927bc5b9e5d

SHA1
415896d059f172fd46926361c0a746278f8e807a

SHA256
4a8f518586fa974e4d0bc378048f5eea09c9cc38d1b7d5fcf730079e8b05f26d

SHA512
d189f2adb19ae7344c602589f8137d1115bd551742d58c0e099496e69854f37b9777b074d9b64c40b6fec4d5fc9bdf1e0c62077b73b47dda779b5339b885e46c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
af8275bee2a7aef6d20467a9198d7262

SHA1
f0b1e3192e4edece3278ed21459aa1bb0ced7d3f

SHA256
baf3a8e8dfe0c14de4be8d21b027d925b20596ebbbfc3f2b44ad5a09d701cd9f

SHA512
e1ed34cb79e4e7c9422f136eb8c6b8ff059ec1160fe294c9e0b17d90a9010ecce5c88defc73b7d24214e05df164e00f18049287f8c2cf674d7bd36dfda656032

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a8f1969f0a16b80b5db3d86183419c65

SHA1
65f1c07101c868d754624801efc882773015df12

SHA256
bf5fccf9ceee6712f9b8c109d63e9e903b3774a33b0007950c983705f21048d0

SHA512
98c352c7e6d3c439c3ceeb705b89913ace58454ece78f3d4dc22aee7e6d864df3a15a991c5cc653c1b85326d39484976698d07d766a098515844d0c83c613c87

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
97d030a75dbc70db046ededa0b4a1b1b

SHA1
585d29ff480609dea338c66053d5b4015ebe8f79

SHA256
d8ad0ab15273aec8d82be0f5dd11592c42417fe739344c92900df94f148c596f

SHA512
d6ee6011f1a5389957b3672bc95473625ac0f05a0e6e31da80379e6a0cf68019db943bd152303116de068f9f1c896b4a27076edb537400562d4c89e2133cf3a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cbc1ac8e89adb8763cd5ce92928859b5

SHA1
74a7cce2e2e997eb91373d7696c5b02059478620

SHA256
3d88b2723ed116ece31fbef729754b9d7cadaa0c5850e8b13b73781887769299

SHA512
33a638b3e27f17b6a45a60d47dba44180ca4646f68f0b4273fcd10613012ec3dcc2fb266098c99242962111a43b1cf8126b3417c94096a27b6b092c9ca5be394

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d1bd787078063b8954e0ceeb11df3028

SHA1
1d7588b1473f72ed2d3d410392a0b58b4e5509ec

SHA256
18cc917bd40b567ddfd8deb357a488b9c901703cff01b3b4678f3ee4cb4a0b7a

SHA512
0989f230d87b1070af0943c9dcaa8f1fb251632be0894d66bc19ba69f1a455619f98ef792112571dd77f40930b48199667df0b04b5543874d0506208fe01498c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
3e1f89b1e198985963a5b689b40991c9

SHA1
bb41e563cdfe96df24c49028e5687bb88f53198b

SHA256
0eb9f7a6186e7f166c76e0a2c7bddfbbb895f25958b1315c6c426b35ab463713

SHA512
d2e16046e76864cefb07bc82f705feb9971c4d41e989679db061ca2acc02989ab4cfc3f25103141f2074ffd64c7d56cf6f5484b15b3a188a9891b43130005f2f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d8964e7111f10f74531563d2e960d03a

SHA1
8bdd9968cb3b535d1f7a30254d86f1b3944da298

SHA256
5d381c17e8e114707cfdd4f7904408a2bb72b757a7d637e0c626832de5c22602

SHA512
97391b577d5f6a8b3a900ec494623583f0dac305b15ce6b4a7fb5efb764c3ebd5f1021b711f7da7b6bff4dae4ea57fbf5732c3ee6932a0ee6ae77bb30e1e530d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b2dd574aea4c8d430ba991a6a0fce7f9

SHA1
60fd71c96c07b3e9435e2a3053a1acde6d3d0806

SHA256
57372ec8ebae472a4c2ebf0506db1dd0a9fd092e7572326814a5afb50fd0ccb3

SHA512
e852793e4e14d9d378236e70ec2f42d66767191ab174a440985a2205cf891a40769e787486cc9674d0d88f7c0d4889015e2190612a9e848f7c796378b011d224

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c08e6cee3e925602592688a09f0c7ecb

SHA1
caccb75837a23817e54ce62aec7ccf58f02e2757

SHA256
5f4a5138aed243a8c7c55c3d26d7652c2ea4eae64bcd4663c2cadec760f73175

SHA512
a8ae9d286e0458d18027a23e6faa202ce74b77db1449f7a1fc530cca163b6c6723d719f677b51d90b8e8e626681a0cae38fa8e2ec1e4a664e8d984bb2dbd2355

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
63b2f9f9f895163a553099f41d48e43c

SHA1
e08088444f3f9546c62d0b4c6f9791fd1ceb047f

SHA256
38b539f72daeebc6ffbacd7e57d7242693fa39be85994057244724e9f1634a43

SHA512
211aa4e36439244d05b52600fe6c2a33e3ce0ecffe1cd025ed20c5db5f860528a0d08bc8e3a698429c699f4ae5892aa984f6c57892b1c379eec7f33e0c34433f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6d22099cdd93acf1eb02c4e9b4c5ef7a

SHA1
7a453b191f1943e293053147409a1df3d5ad1f46

SHA256
ce84f418d259aa45a4a2c86ef9f5361fd10781336d841926152f99d826bbc66b

SHA512
cb086fb96dac3ebd09647cec0247a6ed4d2eda2a8c8856fea36f76e8b62cdd7ed6ef6ffdf339c0609b9db4fb2810b9107f5a99622ed010bb5345488900a7ad49

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1a6b2fdf2b6463c092010799f5981331

SHA1
753ae0bb9f0d98b0419655e3619377ce09ed0925

SHA256
6f483776e2b3744fcfab260aa45c1cee7f167c19ffcf8ce3923662b26b9f76d8

SHA512
ec80d86a303bc2c47729c2a513f0105e2b02989d0ab3238ad593e7f8fc18e64df3255f8e638c8c5a8f81bdf27a3928de378cc3cfa108c0c4cf5c82b9e9e68e72

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2abade4e43ef08665b0f14430b557d76

SHA1
3596053b354d22d3f6fead3c4483e81eaedeba22

SHA256
a8730b84de14245daccfa602c8827ede0b8295d60397b9678b8fadc561f96faa

SHA512
1f9596b45b22c0514b27db34e746a1818418555ca51537350bb9cfae64ef6d615ab3be0b4692f5d080eea7ea948fe9c1a5448ff654e9dbe5a7ea497d637ddd17

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
38dd2bcb74221a051f4e79c07a3b5846

SHA1
2a806471b49b4a59551a50030002e3f4174617e8

SHA256
5f262757519cc114f10a0ee17b239f4da72a27237b245ca602f23af3a2473a6d

SHA512
276356f6d14d83b322a731bfd4e3f3c59e2cf54a71acbc674a3db65a763d3ca4aad2ea54f37306cf0e51ed7ee81c773ca09b572c1b08c5c3a9f84078b5cea510

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
64d7569e7e9cd59b61724e5ca8024d2b

SHA1
7e567c8f3a278f528fd7d85d462cce4e56bb8e79

SHA256
8adde9c0e5b89d0b9041d73f1c9ef531e668cdc1d020e7625e45f7063569ab1c

SHA512
b4425d6dea07aaa95039db3491ace66ff0e4e64232309b2c7dfe29200823454c3f91391db09b01b83edeb298dd3a9ff1dd0198c13230763553160e5a2607efb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
be68e8233b8f48c0252ccb4d73697d12

SHA1
627a1cf04840f5cb0b0df5a3d9c29a677e53b98d

SHA256
3dc3844067e695d95260de337952b0156c7a89ab14aeb5f9102ffe562a47982a

SHA512
ed822e31ffa7f7908dbfa3f0865065c4dab63c230bcaf2d0a23b1470cdeb028e25a087263694f10c0b55d3f8481662de36ade4540314b09af3c683d60c75772c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3a203e0eeda8c842214c2213571bb17c

SHA1
51b8d0be065883a07ae633a4d248bd0b90a0a664

SHA256
3d5e1b4f5d3731d6737c1c373ede180ef8507f178c4be375612e9ff01c64c772

SHA512
e560841725891079e914aede6c928fcfca5f1a877a2636149976cf279f949eb763b3c15c12aa01d7c16c643932a9c240b158714fbfdb81321fa69fb5be8ba86a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
09433f6cbd31bf699790da1bbe8a84f0

SHA1
dfeb28efd591c1b618386fc500fa4507fc5f03bf

SHA256
5ac7ce122f4858854f7f56bb67793cc7570cd71f6aa67233e7dedc7fe3691562

SHA512
70cb7ea6af57a95db521d9d33eb1180e679e037df9a912d4598f7abc4a26aed633a80945f6838df3b3af7f875a24e5a61c01842287fb196f12fb9bcc1f2809f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe583042.TMP

Filesize
2KB

MD5
a361d3291546212f08156eae58b34e1a

SHA1
89d7162134759edc4109797677471c64824c4130

SHA256
c94bf51d6a92796deea251ef7bc1c0bad2f1fa49fd8a4f62d6800ba729d275b6

SHA512
1100cf4de624cb6e3030e83629e5574da48e5d498f1ee3508f4b342b3f020a40a58ed7e83db413dda0036f15b81c8945f9491ae351647c579362b09f2654c18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
bd28d9da5d29c5c6afd6158b71a07f88

SHA1
a74ba84ad194d3da674f8671600bfa4a1174689c

SHA256
cf7ed697cd9136b5060a24deec26c6e6bad3ad3140c3e66933c43eb597a815f0

SHA512
5927389fcae3aa284a8a52c25ce41b104cf6eb6d52917898f15feb28c7175b64aef488b408881b77e65a554645357b12057fec699551bffa689506913e27f708

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
f7c116d5713fa54476b53f5c8fad896d

SHA1
3bcb8b053d56a318d5e412d836ba17ad9a0d7cc3

SHA256
4c6fb9a43f144a808ef51d91952adf06d75e8d4f6f06ab3ba3cfa0100493f6fc

SHA512
7cd67ffd0c9aa27594bf17899b1b618747f6c5baddf88a13b9ad1c26c0228843ee292a6004c0d776bdfa6e01e746426c039722e96b1f8666580143fddd4ce515

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
3d2adcf283a98e83be679fee9ad67584

SHA1
61d2d62a5526609039c6d7799ed13766d916221e

SHA256
76b011211cd1fea0fce033c1c5096465b320d5dedfbc59b0ed06a1ccc004350a

SHA512
3760a312ea7a2d6f8361910e95342cad2be3d2ba9fa78408afa7a3924dd2ca8eb922bb8e8938b62b7c3a1f498bac594ed9ea6de84c401740e442ef39f412cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
d11ccf18f84074a72679f34894340dbb

SHA1
3f8c3940fb18fa22bbbf2ff9cd4c39b969a040d2

SHA256
c2c861dfd828b003e196791f40c53749c4e084273f44ac526f5c46c99daaa890

SHA512
31e57d25d5f75564e1e08c56c03c6d9b443ff5cdba225f44444cece26b9375ce33f5d20e3ff44631f05ca44e02d17325ada0b346da51b52c5fb1d965c9eccf27

Download Submit
C:\Users\Admin\AppData\Roaming\d829c6f185dff9a7.bin

Filesize
12KB

MD5
82d670134b1f765565e5cbed7b9df648

SHA1
45c72c595c73eda6f1e52773f1f8a583d1890918

SHA256
78eb828fb4976c54676eaa9e7d8c04da1944c9c6c08fa1f3a827d3d386f48e4c

SHA512
3945b137ae53f3bf03f54b05d71fff2c8ce6181e41610a94379d4c1bbc2ca06107f4a5690ab282f815fa22947cdfb4f37b5284e8ed924e9c6b90272e37714acf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9c2dc5a499598933b74bb473e952bb7a

SHA1
2ddec101a0131f3a3293e3a7f98081e87c6e6350

SHA256
aadc096399655e6b98a807807da19ca58718aaeabef70057ea44934c079263d4

SHA512
5c51c1296c86fa6d910b944b2c17e25eb7f7fd0cd0566ffb936659287475921e408f1b1a51b05b95416030b68948257b0daa904f3369f5e1ec61f9672a1da6a3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
91523bfe9f046d87dd494bf608e4364f

SHA1
00d0af376e94f6dbb23bbcbb3c6b281413fac85a

SHA256
4ab5c4c7a5d605fbfc1261b5bc98f16831522c0cc458d5f5a8e47a810e0129a2

SHA512
e478676193f3f91a8aacb8bb21e460a980d2f0d81843e5aa8ff8ab648731d23e4b330d8ead5118053ce5a5547f9709ab44ef24b2cd917170c9d2ace6ed9b5299

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9cca068d352fc09065b20c94cb0cf90a

SHA1
334924fa74068157f4d13292abc06db7950b691f

SHA256
45b44c059dd9869253ab544ac4e3b7b4756254acfbc5799901eb7c2e0b522746

SHA512
5d70b6bd5f031fa15a7b29b1bfc6ee6c2af667517efb32a65dd694e812e304e1c6d9cceb2b02022de872b9a7c20c96d0f37ed461de172b0c9155dda5f776755d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bcf0a96a4b9567cfeb0de30d9790e7a5

SHA1
bd4a0c481b82e0ceaf6cca26d34b88e1ed52b8bd

SHA256
92d74341644e4b4f515292bd896e52be199cc332f862ea8f34abe34027c554d0

SHA512
fbfdcc53bde54abb7e4ecfba66bf609562be486ae44d1f509cb0f14e31c040ee54ca7b3399869f56de76c11bed82f0cd521dfcf6b5bad680581d3a891e864dae

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
126292574451edd87ebc052a78b98422

SHA1
f46591d942fecbb585707fad93cd220dc7fa9690

SHA256
cde6bea023b02891b9f8744f3a2613e53d528112fe723cfdae72b738a1ef709f

SHA512
9c1f081e773358af4ab94f8b61cf74f2b9995020c87b914431a084e4eb6b80512156132b868367c620b0b5450ef2ece59a7cade099bd3e98e94d4b770a30d2d1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
cd407403bb6e675cc443c48bb6fa4d85

SHA1
64f56f35c3e167f98e8fcb172d064bbd28a65404

SHA256
3135060be93465bce586af71b6a1bf1a26c82d3ae5982e5f133bb3de85c37234

SHA512
a8bb5b5a1b0a2b277f9028ac79cfc6dec26d5fe13e825798e4e62d088fe94ac1e1dc51b007ef0e1cc894684e420d8014ecb2c44948a53e3f6f05fd863a256035

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5a810b40504d5fccc1f94dd7c37f803d

SHA1
3e5d6241bb5e95f1ce372279d37e0f4a99579720

SHA256
ce40ee829e4e585c1c029de602048669cda05efa7c3d53695ff8e62de43be82e

SHA512
af8e260a2753422d24074b38c07252f61702c75fefd5a002c080601be2815f43314ad8371535bf38113d43b0d649d9ed714ed04f525efb939f82d45adad4fae8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
89306e4b889979860dde214fe56e4392

SHA1
2ad73eff3bff0527cc600237c27fa29ac61c8d96

SHA256
cfea8d3d48def15cf6c926eaab16a291f7e07253ea4f5b9d5f28ddba28f973e8

SHA512
fcf1d615c7884252206209a7ae91b7caa15824f9400705865ddcd1623ee79128c5168a93e72ecc83b3fd64ff2c5b38022c3fb8cdc529373e4733c00890000a18

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2b399194bfc447712119fa6642c345af

SHA1
ee65f06c4060b535478e1814c90a074d72c02c3d

SHA256
1842ba9b625ce42860275929d92f74809f8bd544f41786b945cba21cca509b03

SHA512
0f444e97a11e8b6cf341ea2104893a2c785891c5fe120e03f4096e8980a7102837cc2b4ccd79a44ff427ce402e57136cff7405ae7c165e9af3b1c9be33f7effb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
badc7e1e02a2f4c92ab23be6505223fc

SHA1
62497851cb0a6c73b10c27ce46e7bb026faa5f4a

SHA256
0c5bdeb4da3fa63240542ae376a3dbacfc402d63366fd203be4bdb76c9003d26

SHA512
966bd7442551e61907aff71421defbc1b8615f2d2a8c083d5e2f24513378909e34b314b1a6dcb732d2bfba1cf244ccc9274711442e5d48698574ba61327519ac

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5a7707db90899837a55be218721d550b

SHA1
4837411b86992537fc08e137f841f94d4dc707c9

SHA256
3c5ea8a714a5c7001b08a93464670ff149bf427f8217e2d8bfffed39338b7222

SHA512
f6fd00a8987db35e58aa08ddb31ca6b7f03d85df7cadb7e6b184623ca5eeff1f49fa7ae47ba0942f0d0cbd206f2d0a4a7674de3de14a3e1c21fc76e471137d39

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3f30aa3ee95dec61fde3cebe6ae08d48

SHA1
776d66a912cc1a3523929b0acf8140950b9c521b

SHA256
653d2440baf0aaae42a6274d9aa1c1c6a448f57ed6bc468e573ce3cbb9f01126

SHA512
f10be405d85d8b234de5c229371bf93bd4c203246a9045870e0abc5ae17fcc8879c0b1b62b9235d38551f601b752d1cefc786eb39643455ac94a756a67905721

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
40686900dd446b8932c3c6af00a1ba35

SHA1
4112c10f9a6096c2e364f190394533c95d4225bb

SHA256
d0927c9bcd078b584e2a473e5395159f9744ca4e231e13a599a960a03bcc1420

SHA512
6d4093bf7fc31f33d636e22fc462497f8a887cbde4c2fe5d2e1f20b34d6d89cf3fee19ded20dee8c59adb17380629fec2a91b370123f9390bad32fe5f62a9267

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
5cefda311e85407622c87ae68c5293ce

SHA1
750a0661f0f9d0fee67b4ec1d97f707e35d516ca

SHA256
d3cd4994059c78b45f5964b64ba12960d501c0d3beb2de7ad04d9842bc52bfd4

SHA512
6a48d7f6571d664c73ae9210c43ad32bc6460c59098bbb46558eb2e94c8b6fafd5799554b07ed22fe31d3becb75ce5dbe8773c35505d1b1e4cd69babc38e4f91

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
06efc9c61dbdbbe9d044c0a175431d04

SHA1
7f9fc0b9032b494ba4c49d7d0ee93c21b6c720aa

SHA256
6a444c8518d4b0040730d6b80d68d3e181b939dd0b2f56704b96eaacf801efbd

SHA512
cdf3076c0aa206d3b41cd077158e51f735c0c228fc8c33c69f6131955a8593c9b91fa90a45d519a6d4c05b7626b82b3614dcfa74ed391ba3b4164c06818ad17f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
de39b91565da3aa7f18d4028838fd54a

SHA1
9a518fb4d0af10ad2cb268ecdbe644813e7569d0

SHA256
a8a5fe2db58ba5b6255629287c45596c730e82fb038cc12f439b27a62375dfb0

SHA512
7d49125a8f6d9393dabe2b4abef1c49de766badd6ac32d559f8fedd5d10d09ced112aa55a8ff5451a24fe9ba7118f003983f9875a2fd5cf1c6527cfa5c0ff70f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a5d21ababf5566e80a445b8fc0cc3cfc

SHA1
5ed65a5b048afe7196903168d96fe22bd2bca4d1

SHA256
e9184c7db9ad4fc2cbcfc4834238fb73b2214eb9443c2432d660efb0619ec851

SHA512
93159a41df54f66913e54f6bc7215a6a86a03cd4c56d01ed22caf31fda4c44a3ba2089d72e0b39b6fc2ddbfe18c244563a50322c7258d0ee2fc92a45a3dac0b2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f659dc2275a39ce22d02ef0c50f6d4a1

SHA1
1e569bc04b5e4881a35615f40b25e475a364f10c

SHA256
591c577eef9d62b2bef6f76a1fcd7a9298b6136396bad6ff94fb28b8a6067c97

SHA512
f573a3bf5622defdb6c500c2980f6d39d289a52d86cd42bb29644d6a740553af19e3ff3df0930302b7ca01d37d4f6e544e6f4760233594f516d2f8c3d97119e1

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
c75904f52c5a3d06d039d7e29d12330e

SHA1
01609a94c02faad94d2500a526a955eabce1584a

SHA256
7ead57eb6e58b3ef599ff51ceb37d2b3e4355de28713b5cbcd0cf56a442f65db

SHA512
b55a3ff4fb2a25ca29e8a4a562166e5c13a6b63291df4e626bb19d33ee03cb9056dc9348ba28cb35ddefc13c3b162399cb260b91c85b2ccd1ab1a491ea1dc162

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
64e8577badec935fd5971a896fad0501

SHA1
c8ff1495698a18c65ce4aa7901cfc34b89ecd1c8

SHA256
75e3492d8b6dda27419d60d0ff2db8330e831561d537fa2202d98c7b03732ce0

SHA512
4cb5f8b6f478c401e8cd07d751cf090d84ed7be77968c364f2054a4b2856fa84d6ef12f373a81fe3cf8e0e7d8fe5bdad0d5683dd23634f81cfdfefcc2c54ba53

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
0e6011136c6165f55bed79a313d3f426

SHA1
46c1cb832e7ddb8957351890a3739debdd980c8b

SHA256
7208d2e9e177e1d726ef5085af696227addb7be3a6fed12daf897ed634969203

SHA512
38774b49ef48a08792be7d54da992fcc987bc11d71566e5c36a2d2fb2226ff3238a125555b9c80d46eef5ca482da2e046ba0523f0c1851d5b09c1eea475cc5b9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e189d9edb496408c518556e15b80d11b

SHA1
e581502c89c99ab17e391e2980bac566a403f169

SHA256
12620e9c5a9ed8eb0b35ccbc61f8cfca27fd9c1aac25054f891fbefc294d1bf5

SHA512
6c9989343c75f10be89814ea28ed35a822a19b57a00c49be56c655218aea1b06260deeadf102009a52fdd2f1db565b33178a2a6844bf5c5f8ca5f3229399c968

Download Submit
memory/740-94-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/740-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/740-92-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1144-50-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1144-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1144-62-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1152-316-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1152-174-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1484-225-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1484-81-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1484-90-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1484-87-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1744-40-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1744-6-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1744-0-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1744-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1824-171-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1980-74-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1980-66-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1980-72-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1980-148-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2312-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2312-54-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2312-60-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2312-75-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2312-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2548-157-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2548-278-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2700-19-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2700-20-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2700-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2700-139-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3940-35-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3940-30-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3940-23-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3940-173-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4264-122-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4264-248-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4728-140-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4728-261-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4740-634-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4740-317-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5172-633-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5172-297-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5192-629-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5192-262-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5216-185-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5216-548-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5216-327-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5308-197-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5308-531-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5488-630-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5488-279-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5504-328-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5504-637-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5608-577-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5608-213-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5804-600-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5804-226-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5900-245-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5900-628-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/6092-255-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6092-273-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download