04bdb172dc2dfc0e29e89f385477255997eb88e1c4ff7e792a7258cd3f4fcaf3

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 18:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
Size

5.5MB
MD5

6f233e34f005c6ac730f63a510a919e2
SHA1

1775eac9ff714a7509e49e5688b60cc86ac068de
SHA256

04bdb172dc2dfc0e29e89f385477255997eb88e1c4ff7e792a7258cd3f4fcaf3
SHA512

36d4a07fa71366c118e7f9d02fd7f9e5e1ec5168c11f0d8365a2a06664a5369d7124604557fa4a1fe7a9ddd9c518a0ef8744614a400e0e7d3910c1cd3a878818
SSDEEP

49152:zEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf9:vAI5pAdVJn9tbnR1VgBVmoB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2668	alg.exe
4216	DiagnosticsHub.StandardCollector.Service.exe
3644	fxssvc.exe
1752	elevation_service.exe
4536	elevation_service.exe
4512	maintenanceservice.exe
4956	msdtc.exe
1712	OSE.EXE
4612	PerceptionSimulationService.exe
1376	perfhost.exe
2588	locator.exe
4952	SensorDataService.exe
5028	snmptrap.exe
3632	spectrum.exe
4544	ssh-agent.exe
4732	TieringEngineService.exe
1496	AgentService.exe
4464	vds.exe
1540	vssvc.exe
4396	wbengine.exe
1756	WmiApSrv.exe
5236	SearchIndexer.exe
6004	chrmstp.exe
6080	chrmstp.exe
6136	chrmstp.exe
5276	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d0d62791253fadf5.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000faf774a4e1cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f825fa4e1cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026f793a4e1cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033827ea4e1cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051ef2ea5e1cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000531374a5e1cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000994583a4e1cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000357ebca4e1cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004285c7a5e1cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643308816107635"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1900	chrome.exe
1900	chrome.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1696	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
1004	chrome.exe
1004	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2624	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
Token: SeAuditPrivilege	3644	fxssvc.exe
Token: SeRestorePrivilege	4732	TieringEngineService.exe
Token: SeManageVolumePrivilege	4732	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1496	AgentService.exe
Token: SeBackupPrivilege	1540	vssvc.exe
Token: SeRestorePrivilege	1540	vssvc.exe
Token: SeAuditPrivilege	1540	vssvc.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeBackupPrivilege	4396	wbengine.exe
Token: SeRestorePrivilege	4396	wbengine.exe
Token: SeSecurityPrivilege	4396	wbengine.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: 33	5236	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5236	SearchIndexer.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
6136	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 1696	2624	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe	84
PID 2624 wrote to memory of 1696	2624	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe	84
PID 2624 wrote to memory of 1900	2624	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe	85
PID 2624 wrote to memory of 1900	2624	2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe	85
PID 1900 wrote to memory of 1084	1900	chrome.exe	88
PID 1900 wrote to memory of 1084	1900	chrome.exe	88
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 4112	1900	chrome.exe	109
PID 1900 wrote to memory of 1224	1900	chrome.exe	110
PID 1900 wrote to memory of 1224	1900	chrome.exe	110
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111
PID 1900 wrote to memory of 4432	1900	chrome.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-01_6f233e34f005c6ac730f63a510a919e2_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff95967ab58,0x7ff95967ab68,0x7ff95967ab78
    3⤵
    PID:1084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1832,i,6542232913187738458,1150435387158342288,131072 /prefetch:2
    3⤵
    PID:4112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1832,i,6542232913187738458,1150435387158342288,131072 /prefetch:8
    3⤵
    PID:1224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1832,i,6542232913187738458,1150435387158342288,131072 /prefetch:8
    3⤵
    PID:4432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1832,i,6542232913187738458,1150435387158342288,131072 /prefetch:1
    3⤵
    PID:3564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1832,i,6542232913187738458,1150435387158342288,131072 /prefetch:1
    3⤵
    PID:4704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1832,i,6542232913187738458,1150435387158342288,131072 /prefetch:1
    3⤵
    PID:5144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4300 --field-trial-handle=1832,i,6542232913187738458,1150435387158342288,131072 /prefetch:8
    3⤵
    PID:5244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1832,i,6542232913187738458,1150435387158342288,131072 /prefetch:8
    3⤵
    PID:5260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4868 --field-trial-handle=1832,i,6542232913187738458,1150435387158342288,131072 /prefetch:8
    3⤵
    PID:712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1832,i,6542232913187738458,1150435387158342288,131072 /prefetch:8
    3⤵
    PID:5772
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6004
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6080
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6136
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1832,i,6542232913187738458,1150435387158342288,131072 /prefetch:8
    3⤵
    PID:5448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1832,i,6542232913187738458,1150435387158342288,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1004

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2668

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1968

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4536

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4956

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4952

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3632

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2556

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5236
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5700
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fee1286b9bd107ed30003c0b0b277d7a

SHA1
2b7d60dd2a45efd0bfb080386b40bc64d138d8b3

SHA256
6c2add13c4e7ee21e52b3084edebf9b4e45a6ce06b18a64349eaa73e6cdae2fd

SHA512
b54aa5673efd4f79a33ac1c8c1c2ce2262a1991abf129a0f280e898bca237a71dacc25cfa8856bf35e2be8f91ada581895dc95973e3809a30ee044d739aa27ee

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
51d90ad267a663bc0268a5a57a5d3531

SHA1
026e8e97e6357dc1e6837c8c17499dc2f07deb6a

SHA256
6f6fcfa21c423e4100dcd79f383207a538cb9e69327bbd8d0ab72ce3e4444766

SHA512
edc3be6295878caada30cca5110a76054349d11341995df404f5acb1c33dfbb0eef9126e74df8a92352acad63caea4957b140004b8057cb4670f1c1a60464d79

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
79ea4479fb67b418ffeb774b0b81bbe1

SHA1
3d923f4546f97b24104b7f49fe6932ae19a480b4

SHA256
35ab271af5632d600d3124ed3d7b4ad07514f571e3c42523f70321d47433b9a0

SHA512
cb74248ea0fe5b00a087a11027e2c5ffe22153a506b3b0a5d5d05efc841ea14df1ed0d6a9732221a72284fec14dad875d14015c2470c50faa4e0fb3fe700360f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dd1203fc84ffd67f41b2aca44053a593

SHA1
318603826b3d94e38280ed0a6dc1922b9364687e

SHA256
7a24162c32f2aff9d24acf0f0ea1be7da75ac51c1dcbd933ecce4b8bd99bb523

SHA512
1bd3b366e96c3cddd2e9480f79137376f996f65fbf9779cf3c1212144cb6540a62d4a10920e0ea9df245d8056939e91866cea7bef5e47bc5e9c19e552b101259

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f1ea59ef7fcbf63d1f378b05f45bf5fe

SHA1
937626f237cacd1fa364dac4271730a7757d78d3

SHA256
be68b81f44f485259eccae122ae688fce219b9e3534678c976360016688a8024

SHA512
a6d3eb7f2ac67220dabc38a0fcac4b2854c885fb34a80ace58fc51db15afcec84986e2809ac73fe7da5b108e4a540e3e5f40895711a192a3ecd1f3f91488541a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c6fa6bf6776b3bc9670a8ecba940b2f1

SHA1
1763add8490f6683d7fc854884df1ced4527d35d

SHA256
27a4b7141bcf5397caa6f17006c22386630ef681f2702eb7d4871724b64d96d8

SHA512
d917b5df2e7fdaa92c99cfa3fc03fdf68a59c411c75d6ffcc213fed56f171e1661ec7dcfde72a841a24b4b9b8f58a3207707fe729185207f71d873e412c70d26

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
73d7708eccfd93a977ea37ad5c735e72

SHA1
7318ecbe9b67f611d47736e22358718b1c9f0856

SHA256
cc5603c0dc15ba431b9fad28337d4a70a410ae7148526963f98ddd2882af5207

SHA512
03308d686f7cb9bc56c72e1b4d26127b05b3756eb6c74fd0949754174ac745627dec2a12fb8020c0df94cbf4520884c1dc2563d87ea9132911a22e600a5b8915

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b53f02382928c23754290add03007845

SHA1
75ba34a00a7c33fffcfa4466aaf7b7480b193788

SHA256
20ea42c8daf5d819952abc3bfc1de712d7a67b9291e773b90ae8ffbff3803e22

SHA512
7f9a036db8960e3cca5e9d3ed10f8ca98fad3f920b60c4514b0ec338e99a4c5bf844c030373159a773d96ec053f30a0e6f1412f10da6249935de27803c2245e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c10f0bc0e79d81b357305c0f6d1c4c9a

SHA1
67dc64cb3bbfa8e4a7e682514bc3e54a531cefbe

SHA256
b0ff4c4bed27bca6f85d564c9da7878d41bb15134e1cc409034d1b5e94204aba

SHA512
b6d69fc309d1d249ecb1f3f206f2f34f820ec2832d6331e0165d98618510fea7096fdb21bd4380182ece41b7f57a6e95b8e46d01436668abd3714ff250135139

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0e895b6dc3262a7245330796e2d3b2c5

SHA1
d88a775de3568be15a90923128f677f2564efecd

SHA256
7f01566e1319931fc52edf3415c2be07eb9f016ebe39f14c67637e838614632b

SHA512
9326115e3e00aff19c5a41d71db93a881d436c0ba028a0ae9c0cf85990f0d8755eb2634dfbb094717dd2aa1bf0608a260f56602603906527280d5327617d26f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8fc93f48bea69abe39b03593f9f478b7

SHA1
a41267fea6752584ecef3191bab1cc3414f54242

SHA256
d59c68a75dbfbcfce8ce1dc4b2d5bc4bac42661785be45deee36e3ce91cf668f

SHA512
77b749ec976dd3f10e313e50b9cb119b6e8a136834281fdad2e8d356fa68254b071f1588c016ce8323b9816728cc917fa6afca7546e5c22a77ed119b6e1ccbbc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3aaf8f2b0952e4b966c25a5662612d61

SHA1
7270a1c6d927ba10f9878d6d82c3b09ef32e6999

SHA256
8428d71252fe92b11841249b26519468a0cb68bf0753ba5990f072926a14bd42

SHA512
d7a8a4563c9bc88d5e8fd3e194553ee97718a62262261f5fa29cb936470a008bad29bb445c17a78a739840290109f07c5e6f3823a5ad3b87be58c351971dcb37

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8b69d1deb50d383ce53f7c5e0ce3c87b

SHA1
d52482a9e2973b2160946f2880846ec36ed4ba26

SHA256
b6bc6a15baa73095ef46d02db8b9cb2694008b07cc3003ae810526869a37b06c

SHA512
3abf494a144b4a633581993a276442ce535fd3688142824c13ba8be4e738c429769ea5cbdd10a16b11263cd042ecbf03aee3e7d3c9ea5e1e43174cfb4a8e5d76

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b15898b508f616e5c6dbea60bfebab6d

SHA1
203e722359cf57e2cd0dc333c95edfcc4e51e79e

SHA256
93b5b950a74438ff9b5e276ad3831914b2b9a582a60e5489bc5bf6205bcb8f8c

SHA512
3d34fb93aff9a6afa587bd0e31f0a88675cf701f28965dd83e8a4bb1887e22770c0d874406896bd1e3490e9bb185151e5b2497f6883942b458dbb51a371156d7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
69adf075d392ef64c078cc7649a7e3da

SHA1
8b90479efa504dbc25daa876ad90a05b099eab55

SHA256
f81bc5ff1ae456ca7b1be060eb4a0ac884995ea5441cc1fc953bdddbfe55c532

SHA512
36fc7d51e78cd6aa6ca27c3e02301fb4bf55a1ff4ad1d840424a2af57f8f29e0a3825508807fcedbfaa3e3035ca6b1759a7e3478583da3c1301059d1aba29f1e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7d2c32e2bba5ed662e6e070ea0acbe94

SHA1
bc13f5f6676e3048a74c7e2b3f0994e3949ed7f7

SHA256
6ee24c8704599c2fb2b27374bcdf79299717244789bd8e655284e77420608a70

SHA512
f2efb50e45885863c8d23839c8987f0bb20645b241409d87c57ac432e44284c58736aca34f52553aa54ee6252b7f4918fe56dd587b44e76ab600ac327a02d0b5

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a6a986ee-9b24-4c5a-a823-a5906a5fda0a.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
997e13cda9a51fd075514e88c91b6f65

SHA1
48b7680aa1ed83e59fa1450fd571860cca54ea8a

SHA256
55229fd247a9e045008aacc4d88a63713ae856f5dd44e6261d4f9be17c609efa

SHA512
e51c89764f30716d0285e751bd185bdd6a6a935ac6ea80356e4c3f5e1fe2ba15f3cfe55655dd51175acc0ede9f9a997c1d5dbf26464493d7e61a3313603020e9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
2b41681635c9245acabfac4252164d51

SHA1
98f85a6a365dff5f671b604275305ee36463fc17

SHA256
4248c607e1947d7068ea3017ef65ca44563236b73b517fdd8336d4a8a62f3a7a

SHA512
01995acf1bc459a23a7c54152b046fa14421fa09ba28440263d8a05cbbcfadcd0e1730ef066e2c8503f23d22df500cdb1b155af30a3b6f2e320ec1a68978b8a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a85e5add31f209ed527bf82ac0768582

SHA1
9551a7f1878b70b64d4ed23aa8f5d69cc6f272b9

SHA256
9b28265c7c93e93355a28432984cef0ab471397329c2924745ff139d2a585c43

SHA512
4e216dc0fb62569a58c05a34e91658cf481db11e2d27589f1cc556ed2e986bf6d999a51dd35a6cc98c59be97f9f64df3ff084bdd8b8f1739f4589e7c47e11bbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d01245c1eb17a664a8dc30f7405bdb95

SHA1
9d256dfdea151b600253eb22809b11c4473676e6

SHA256
3ad974a9d23b89f510ba7f40724c5abfe657a98bb051fa69027b17a58de21d90

SHA512
b12e5aad9bda832c0d1bb26f69ea8079be28801fcfdccaa3308d620732d258391b38bb4e0200e28fb2ad3e76883162e51d21f0e0f5007a00c4677930f0f0b639

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
82a29e528916c24b6e16a4b7ccbbce99

SHA1
e4a4df2daeba99bfd7d6b285968bbfd7b12e2e95

SHA256
f71451bdff96938f1b53a3e60fca1ae1569f7c5ac253173dd25c2662f234d9d9

SHA512
d1ddae84e87b21a4064aca74d3ea3015d294e057ce037b0c48fab52f6b354b4ca6b88545877b7e203433129b93600ba335e1bc094f5a5848a6fce79def2b9b87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7420c55f1dcf08e34e9aa9cd5e3d7bd9

SHA1
b6d7bf703f2b7bab07bde753fe5f79cf9db82c08

SHA256
c88caeb0dbf4a0db859fc69926ec82d8b1919ff1cbe54a618688094665a8d00e

SHA512
e3460260b130b17b424aa3884fb24884de7409a1c011f8304c40fd5684d0853df4fb146d2764d4b1e1af85d1f20e4b69e0d93a3d2f47fa4ab0c8fb53cf48ee1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57685f.TMP

Filesize
2KB

MD5
d917d97c3b6c9738b6c7d64102541501

SHA1
8bef2ea95a43a99f555131ee39968900da693d2d

SHA256
a19e2eff9ef2edd365b1a025e04d95cad5b88513a76a165c3064a223be7ba978

SHA512
bb62099154a7d9df3b4ac848b9158b7022a588745693fd01a1e1c0859280b5fc9c247d0ef6dcec85618a2a778daad7c2e1251616ddd956d661ff4842d1cc9fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a21d35185b430f0c2c329d60abe9cae2

SHA1
19f9892e1e132650086e4582e62a887ee36520da

SHA256
a911c48c3d59eadbe5b701e68f4783a75163ea61f78edfe516f06b115b1cce36

SHA512
f75e3e28d6bd243bba188a908eed136bb170baacd5919801ca614f0ef3aad36614858fc909e14a703bb67773ac9843070696749035d08389cbbc2e19b334545c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
5e577be463549ee10634bf14089be0c7

SHA1
512420f57db8f42493880688515dd391d43042dd

SHA256
943e78c0be9a2f43201d760bee7cd87b05164b8fb113d2e9786c7a3b5af98e98

SHA512
2305961dc7983e132a10957c0b0841817da7133c3aa414044a3cb53a670702820a905314e9b5d4bdaa0ac916cb63ce435d283ff3d9786b11fb483f7a85bb4d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
80f3b8bc5fe17e69e96d480551ae480a

SHA1
6ab7b2fab0c6498863411786abe7a74d14c3b2ef

SHA256
da25d530c2f557ff8c9a2147c79199778bff1fc0aa869cf66fcfe09bcec541fb

SHA512
184a39de3ebc02bc91e81b0c5df1aa96ddd603d85311530e6824bea3736946f742e83a8ea2b27541b3f49c59726214c0cd07cef6ffba6f2f2597849b12f97b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
abb722155fc35ebb7ef309e6d45422de

SHA1
bf98345d08281cc0db61c30599e4bf25a54d4fff

SHA256
ef90da71b283abfa38537a8dcd977120415963bc919fd72b3ff84da9ca4e95bf

SHA512
dd8bbe82a8796acca488900f85e6b71b4ba7c77fc34b465dceb158cbf21a72b99cd73dc155b1bdd5a605ab765e1f6fd5f6def24ce92b53804279cb7e23f5a971

Download Submit
C:\Users\Admin\AppData\Roaming\d0d62791253fadf5.bin

Filesize
12KB

MD5
4433b199f6ab96adc5640f1fa2af9f70

SHA1
22a04a034973848c206e90cca9bfb7b5d37977cb

SHA256
412387771e5e4a1a89403b9f2420d2b0897f39896a04111b0da458d9f9a69bad

SHA512
0ab1eebc8e96825d8e272220d6d9e32e30ff8c6b5385afa5dc79110551ec44092bbefbbf2e5c521476700727c7cc1ef1bc78d3cdd373fa487b29bbe6fdd52e46

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
07f37324fac5b825aa89ca52fcb1edb2

SHA1
0f3bf0f2c0a471d7b213986bef51a4e6f77e5c6c

SHA256
03ba4f200c59eada2750ccfbced806aef1fd29c660695b7d360b47cc5c7116dd

SHA512
d72ee8752651fa807679c1c3f191ba5e24197117499e51bda3f23eee21e459e30b11c34077cc5bf26a7e75bfb8aedadfd92f1f495f34dfa5d1b20d39507df221

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
92f14ad73bf3521299c078477bfd78e3

SHA1
85528e147c5cd0edaf47a1b14e86473af055d2ff

SHA256
0b7d38cd370bce4ef9177be8ee59371db3fde76b6a928f83fc3975b6a79156de

SHA512
cd673e0b0c811064075ce98a2cf7811f0c425c9304e42feeedeeaaddf518368e05b9d9cdbe435ce5e67ad71137caa4884ea15de6104fcf6fc11d2c70b3fdd5d3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e38d94490f10e39c3165ea59b5d7de72

SHA1
a2693b76f4cf5714006e1cad5b1435c0e8e7d3f3

SHA256
d050b38a87266855e7565029afb180f6a22ce1b29b022732e24754c3456b5c29

SHA512
98017831b6be384dc788e4e6ac240c10e1c028c0d7159ba7c0d7ae00b6789db3d8ad0ecb21eb3072e880e6d7a51474c072ee4fdf3c94ad3e12d26f0d72cc413b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c2a47a82bbd8465c09fb6da619d07612

SHA1
ca57e50a011b747ee777895c412aab8c5df0d9b6

SHA256
dc8344ed3bd5794e2c827a3c3d92780c6b9300c072bdf0d6b65f4efefa47b4a6

SHA512
fd0122889015a38f1a3f2ac76e128d556fda15e4b9da2b04b25f2a50d3a570ba2f4bdfed78e12392c17d22e0ab05467338ac51fb1691edc9b9b76a89f76fe4e8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a79fb278d47766097c2fc8c4d5a88e38

SHA1
78f672d1ff99f5ff871f468dc5bb8fab0e45a3d6

SHA256
63e70e0f406f20d7f05f1715afc50da6dddcf68f07eeb38deed7dfff12dad169

SHA512
b7f99dc2ab62e98e35d8d4e5177e7e9d1196d7a2a90aba796d2e45ec7955215189c506fdc5680d990383b9d65baafff2023d15ab4b85c8c6943e6ff5d8b6fed9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
29a4ebc648f0a31e26156eea446f4338

SHA1
6aa184c5d7ff720742af9ce557e72a8ce3286080

SHA256
3b88156bfc2891f22b5406660705228cfca9a9a9ec3d440137da714973ba1e99

SHA512
6a9abebaad871f05362ab5b999684debbc1b53f0a0710c25d703139be2cfe12668b93a4b4fb904c444aa7984df2d3be3777286cfa2f13b6f81124d1917478a86

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b1a89bb751c98e05cd4e01aa149e6007

SHA1
9854fe33ada23f328574c44433fc608969e10a5b

SHA256
9f04b1d743a5a341097f00b5d291b955c20e1df8a0644b28ea0cac53c4ec83d6

SHA512
c07b58ea2beae363ca953a15a10b24a4f97eba83d13d7a6c8655e3b93196892c011fe16e7433ecb572974c38dcf94eb196bfd35853047f716fe85487fd70bbd6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ef1838f36a03d4a4496c1a15f0c97654

SHA1
e30ea369466d270a143a4a2197dd4fb7a1de5aa7

SHA256
3b04d882b99a9ef71b1991e7a80a38b21b1aa1e6f2e33fcc583ed0c87725cfb0

SHA512
5a4721a3681be64c352016c9ec79c6285225d57dea5655fba150f5b7bfd92f5321e372128cceebbbe4802c7af44f0f00fab1de332f185abb7e34f1023187b233

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
789a9ed779fbbf2d9b0276c029ec126a

SHA1
549dbca1aa291e7ffc01627b928d9e187adda547

SHA256
8670d219f44d7e53372ed9944c6b3dc62be544e3c5618b3918b268dee2687172

SHA512
ecd828885b1aa6a43964e2a42086c8283f02b7056cfef17815def845f17a14b5d5e5595025fdcb24348bcff0f50810f58f621ffbf3cc515c0ada5f515dcd14f6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
59c5e6398967e755928ca1ac5e484a8c

SHA1
0f7b88d79c6bb5f9e76f84f84a09fcbb54db2e68

SHA256
2588f9faefdb63ad6b1607b05050a627b4392b624e721157e5c9d0a07e82fdde

SHA512
8f911b8d5439a2e49ac40661c8d6195d5661f15af2e2ae882fb5c0c715bb56452a1b3643653985370840750070473c2c09c358e4e3810588ed5fa4d2654218e5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e50c794f9afaa0de80f82cb8f5ec5674

SHA1
86711acb0ac843f79953904e5aa2190b043ae1ef

SHA256
f2e666fd8efc11e514dce379695eb77dc98cfcd5b64081d859f3c06a56d041b3

SHA512
a36196adecf4f6eb96160c0981c7ea283a273c0999e40b1cc515d94bcc5330a6c92cf49a5bc341e1c20d1a7aca0b951614e755a1bbdbbeab0668f2f2db2db9a0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e82644bf367466727390cce8bc4965cf

SHA1
7f01c3601c0a209eda1330d3f88414c58130999b

SHA256
5b0331890d8f1acb2511661755d043d7dd924196bfcc3489d67a18a14b73ce24

SHA512
3786b138703b0572d75f6f641c5d881f9fd0a24bc6c85b336694726ce675d89a2b66b9e76a532345bd1bc0490f719ada6c04dc2879ac2fca480e94d7bab4ae6f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a406e2fcccd104f4be46c85756e2559a

SHA1
b3a1217c7a0edf4b8d7a1b1418e2ad1a2298f8a3

SHA256
ddd26a729ebbadc015d2dbfb94bfe8b4ebb27f7afc720ea35718a938bdc710a1

SHA512
d19a0991122dcfefbb00972ab3c9be23141470a9f3adda2e5568ee09839df87ca58a470326d17d0c85405a4cc0afa94c5fa5f06059900e5e1c988641a4ee1b03

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9c3596abb7454e5a03c1bf3277d60f01

SHA1
dc160e7359106b5e716c59f3a1134596f334a2e8

SHA256
b8a756e3fe956adc24af3ec5c07f52c5e0e4e42ccdb86e80f9a0e93fbd25a3a8

SHA512
6d05df2352fc43a11a62a8ec1c7f700dda9450c59e7a2efa88dafe43d2e329ce8e96eb1fdb0246f8b8b64c40df3beb264480a5b0209b85bf1c8cd1733da1108f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
611685ef1d3846acebd510d7820a837e

SHA1
2abb06cc6a8ed9a1970fa4ed277eb42c10751292

SHA256
a65a910aa3feb320a846f1941a1d76495acaeab171a661b892ca9127b6d42e12

SHA512
fc3c0cdb0f9800c692b9bde4852ab65f1d6dde746ab0b3064242863cd9d924b640a81316d82b619f264a991bf3ba597866ccffa732b39d6b0a33edbc467cb782

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b2ecb0ab48e6e61579c9b20d84ad8526

SHA1
b45e575b9defeb697094d9164890591102cfe571

SHA256
f5433d99a34b73cb2952ba9c4fdd5e969b4f7b84dea07cc34cd20c9004136fba

SHA512
7aa39497c9819c1bdbde241968ffcdf68a550142ae59f149df7dd1ac8d3c6650ba81aef6fafa6fc2e23bec06e67e01b2c96f8789f1d1961ca5bb1c63723b44a0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7e458777df9beae166d73be6d57d96f9

SHA1
6977e6d452f67c803c4aa3b15982b8d0875c56f2

SHA256
cb79f901f9743c9970de2a7a1bb14aafab4c9cee42d3ae2f59a149fe44acd76b

SHA512
0cae45efc9d0f68fcc98de3906b202489080ab1d0f520d0e8a92480abc2365d1ca8d4f9b70ffbe7a0e95efae054c3f17026af83dba6d89c570613b84ff21d399

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c8a5f14693c3a30e7310eae19189f39c

SHA1
3105d5b5579cdb0b7f55e6b532225bf3f03e02ee

SHA256
8ea6afc26ff3fa3934b6e115919bb709d116b1c2d88c3c60868c89b09ba8d988

SHA512
7ce3ece9ef188b25437befae486446411181aac1729e2800dd43993abe6900d0e6516c702e54796db2462f83c762e06b80fe4dab23ea07217c77a118e1d8e265

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
19e6bd8510d0b56293f14196bd0c0149

SHA1
0b83afb532b210dad115fab4c596b0eaa16eceda

SHA256
7594ee0213326ce521672be806885c4bb3c3e0f1427488f000ccec459de6dc43

SHA512
af7e7408292d05c78d1c7fc23c2e854713b2146259e39ebd54955ddfd702b9cad7228019b2e3ce0368130f9394b2059e2c016fadfa1286a055380a2ec31388db

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8999e574c314c8ca73a944cc7397a1fc

SHA1
756a9b851d3d7f9c257996b4c237b81294ad8a03

SHA256
9ed480e32ff788ed50fbe5d7c5bce56727dc8bf02a49fc4db0060df2a53ca04f

SHA512
c51f05361e51ef09147ec3a6bf90f3b4eb5f1c55874049b7279e324ac35e6567f327675d1a85058377dea2c767bacbb6b526fd14e79208661b33f142384cf0b6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
1f21cbdb3d337d0cfcfd02a8d9b9f118

SHA1
e15230137e0aa6cce6bce5a824d7037f15a09fbe

SHA256
b181246573746a823a9cfeb0d152fdf32c3ed9d261f2ccb038dcf160dfd114a4

SHA512
9680a26a7e8b14154d70171b7908c86879a5b0d45edf597f1084d9c95e391cb71eaa1c9bf62ceb1bce15f66b893db7d52db092d3332875bdd008630e565fca35

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a1be228f995295cb4b223ee3a9a086c1

SHA1
8ddd5a0c33cf8e8999878e9e6d8b499cc211c0d5

SHA256
dc67e40c2734cc58071e42d843d0333ee65bb2d130dc321f1f18773f152262c1

SHA512
b8a8b8abfbab60f7b10cc97065c28e6fd40ea5f748e944ef0bd4ea44feb854d87abb4168827ae7ec5ce7cf112436ded4c592f9ce4341b761c9e6759bb973b679

Download Submit
memory/1376-154-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1496-228-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1496-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1540-634-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1540-251-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1696-152-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1696-11-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/1696-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1696-17-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/1712-118-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1712-526-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1752-73-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1752-67-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1752-66-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1752-290-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1756-661-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1756-291-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2588-155-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2588-542-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2624-6-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/2624-0-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/2624-21-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/2624-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2624-34-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2668-36-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2668-35-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2668-230-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2668-26-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3632-571-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3632-210-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3644-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3644-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3644-76-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/3644-55-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/3644-61-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/4216-42-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4216-48-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4216-51-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4396-639-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4396-268-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4464-628-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4464-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4512-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4512-91-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4512-92-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/4536-297-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4536-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4536-89-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4536-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4544-211-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4612-153-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4732-572-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4732-212-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4952-208-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4952-605-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4956-117-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5028-209-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5236-298-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5236-710-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5276-574-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5276-715-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6004-516-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6004-596-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6080-533-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6080-714-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6136-570-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6136-585-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download