4d7032ff9aec52fb397db1c7dd3dbe6f979f3006e02584e48bbe85a705be0268

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
Size

4.6MB
MD5

bb9980ebc57a87b26550cad4e9d5d2a2
SHA1

2ea58e29129025acb0d993a47aab3155752c0782
SHA256

4d7032ff9aec52fb397db1c7dd3dbe6f979f3006e02584e48bbe85a705be0268
SHA512

f5a19cf28f87c2b156a97ea592c62ae6230e6b084bfc6ac9c0186e71cac9adfb5cd0410de09587013d947b02272ea223ad12719a9feb4f2f3cd1a44074bd27bd
SSDEEP

49152:IndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGO:C2D8siFIIm3Gob5iErQWdO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2888	alg.exe
5060	DiagnosticsHub.StandardCollector.Service.exe
1776	fxssvc.exe
2408	elevation_service.exe
2124	elevation_service.exe
1432	maintenanceservice.exe
4368	msdtc.exe
4276	OSE.EXE
464	PerceptionSimulationService.exe
2276	perfhost.exe
4224	locator.exe
1776	SensorDataService.exe
1828	snmptrap.exe
3568	spectrum.exe
4564	ssh-agent.exe
932	TieringEngineService.exe
2608	AgentService.exe
1676	vds.exe
220	vssvc.exe
5168	wbengine.exe
5288	WmiApSrv.exe
5404	SearchIndexer.exe
5304	chrmstp.exe
5536	chrmstp.exe
5684	chrmstp.exe
5848	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ab78cc34b3b9834c.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93546\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93546\javaw.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B7E43319-E9B2-4347-B44F-112CD29ED4B3}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93546\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad023bfbeecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5c47dfbeecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000745fb9fbeecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ac73ffbeecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000342861fbeecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2228	chrome.exe
2228	chrome.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
6860	chrome.exe
6860	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3220	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
Token: SeTakeOwnershipPrivilege	1952	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
Token: SeAuditPrivilege	1776	fxssvc.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeRestorePrivilege	932	TieringEngineService.exe
Token: SeManageVolumePrivilege	932	TieringEngineService.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	2608	AgentService.exe
Token: SeBackupPrivilege	220	vssvc.exe
Token: SeRestorePrivilege	220	vssvc.exe
Token: SeAuditPrivilege	220	vssvc.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeBackupPrivilege	5168	wbengine.exe
Token: SeRestorePrivilege	5168	wbengine.exe
Token: SeSecurityPrivilege	5168	wbengine.exe
Token: 33	5404	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5404	SearchIndexer.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeCreatePagefilePrivilege	2228	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
5684	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 1952	3220	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe	85
PID 3220 wrote to memory of 1952	3220	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe	85
PID 3220 wrote to memory of 2228	3220	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe	86
PID 3220 wrote to memory of 2228	3220	2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe	86
PID 2228 wrote to memory of 408	2228	chrome.exe	87
PID 2228 wrote to memory of 408	2228	chrome.exe	87
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1200	2228	chrome.exe	94
PID 2228 wrote to memory of 1880	2228	chrome.exe	95
PID 2228 wrote to memory of 1880	2228	chrome.exe	95
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97
PID 2228 wrote to memory of 2828	2228	chrome.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-01_bb9980ebc57a87b26550cad4e9d5d2a2_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe9205ab58,0x7ffe9205ab68,0x7ffe9205ab78
    3⤵
    PID:408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1884,i,36810463629500083,5405307360584811967,131072 /prefetch:2
    3⤵
    PID:1200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1884,i,36810463629500083,5405307360584811967,131072 /prefetch:8
    3⤵
    PID:1880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1884,i,36810463629500083,5405307360584811967,131072 /prefetch:8
    3⤵
    PID:2828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1884,i,36810463629500083,5405307360584811967,131072 /prefetch:1
    3⤵
    PID:1008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1884,i,36810463629500083,5405307360584811967,131072 /prefetch:1
    3⤵
    PID:1980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1884,i,36810463629500083,5405307360584811967,131072 /prefetch:1
    3⤵
    PID:4144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1884,i,36810463629500083,5405307360584811967,131072 /prefetch:8
    3⤵
    PID:2508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1884,i,36810463629500083,5405307360584811967,131072 /prefetch:8
    3⤵
    PID:880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1884,i,36810463629500083,5405307360584811967,131072 /prefetch:8
    3⤵
    PID:5728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1884,i,36810463629500083,5405307360584811967,131072 /prefetch:8
    3⤵
    PID:6000
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5304
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5536
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5684
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1884,i,36810463629500083,5405307360584811967,131072 /prefetch:8
    3⤵
    PID:5600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1884,i,36810463629500083,5405307360584811967,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6860

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2888

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3572

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2124

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4368

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4224

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1776

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3568

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:372

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5288

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5404
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5188
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0805f7d6a8811989ff64b9a0388eabf8

SHA1
2011301cf5bf31a2c62a38664808d6b818ee516f

SHA256
4ceea1b06a80e9377a5d42a8ff5fdd90174e6a634c5325963ca22105f4712e7b

SHA512
05fc804db031c34369f4e56dadd72e3aaf43ffdb0b68af73170fa5d7b18e7408a5766f0757c63afd7cd9d37b19c0a60780201365e2e79caf7e828970212fd854

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
72ed1fe1293fa0d8893d4a68bff69911

SHA1
7a9f1081dc25fc22821ce026302e92a0c20e9504

SHA256
2070762d4fffa1d13ae228524cb486dae7f315791cc95eaf18aa1bc3daf4c466

SHA512
6f2b0f43101e14a7fdc7a3fc131e262ae1e0a9b184b8c6c4edd71d9006084c94dc3d8429dd90e0e42a98a2d4482fcc9b5b6ad595d87b356acc8868e897d988ac

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
2622a1b37fd75294119946a88303e1e1

SHA1
379628d6ca3a028131aa6ec28d6902007f1c8feb

SHA256
ba595f04734c541c20b868e9f9dd8b0908a36dc3396392b7c5e087df17ba32fb

SHA512
a0c1029154db3d22e969c03576804d9081b19bbe2817450c8d51195f1c0a7700013c0df4b4292acfff4f8b6f38de12ef828f375711c6bb2d368a1ab28c21aa98

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a0c2dca986a05bcbda3c19f5ca719259

SHA1
5a3eef83f2c5e42484d7b8571192cd29704de028

SHA256
631ea356eff199161ec8bd7bdaddc9f4f1ca16b28845752d223465139961033a

SHA512
9aa81ce2a7528fc2bf1e18bba44935d2189526c65245962a6c51b3a4bd9da83085d51b74892d4be2620c339e4547383629d30d9fe7114343d456aca54eee8a34

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6caba215a7cf84c903ddfffaf88910f6

SHA1
9a5e8687c19b89343677b72434acf37ba04d12f5

SHA256
73ac4aeb3876be13b1d14f14f5f7659a154eaeae16ac47233638dfb0df095ab7

SHA512
b8470a8836a570e69d4293028eedfd39d49b8e58d7acf7d5600dd5963cf8d1642b7c89dd5bfab369ab42c0a6fa023ed4dca292646b67060d2a0a419678e495f5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
20be3897deef63c4328b1ff89dbd149b

SHA1
bb498ec2720520f85d48f236b08b4958ccb8719c

SHA256
09e5bff4286fa744bbe5f4ffc7f592a280811ca6b9d45eef8dbf8983d0cd7244

SHA512
32aefa1056130ec1ab71ff24eef80c6a18752ccb3113b650a5f285d2e6f318b817bd227318fd3dfd50adcee6e00fd4150f966d756d3ddd235dcc0b15796ba987

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
fd3846ec6c7c7b986914d6457527c6c3

SHA1
1580cb036c6f635833e685627a1dbc6ab6214ca5

SHA256
05244dbdf2a924ae700f531e03f59ea5324ddcc6416a09f58a5a1e02bc43b540

SHA512
52e40a654e01e1c1560174726839c5bef3c7eb1ed9d0043101a1350b389f525e83a06f5a5d75823e2bad4eda278d8bd88cd094c64a56cf62d49af81ad405b363

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8ff2edfb51718b9db76dd2d619517ea1

SHA1
30d8e8c24b15de0cfdab2d169c0679410381fb26

SHA256
ef29b5407c05c60ac2391e926dd6d6cfce1ba83d8c0de3ee163a2a5a165ad04a

SHA512
62b33b58f9b16a72f5fb6c3f4ec1544c42aa5483b1938f526f25e25aa82b5f865e06298a54a8b0bd2788e0cb704fe0dce9db67a8816b2e9c32ee3bc54b559250

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
879132493823b395f36d649e1d632b49

SHA1
652a0513c6322d567640d54547dd30f841c13abe

SHA256
c76968eaed0ccf349f10ae080dfad71777f2554064179e3fb45eba3c5b46f6f3

SHA512
aa76037d51697c4ecc52baa977e3043639163dd6495370c66ab5f93e2893c3a1da01b34498e9170b0efaff1410d4bf4211bf04603df8acb62dc68a418ac418c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4a08068bf69627068509fa2bee23b299

SHA1
6818dd1e22ab7e97fbef531a34774696a2e0d97d

SHA256
116787e001578082081513e16c625e5302a44b5d8ae5b2ec6f423b104c7738c3

SHA512
06714a12922eec985deca7f9ff53457fa015b6a5063424dd985b8137473decedc9baabf21910ed2f77fa9cf8107d0bf09500fe98444fc7ed8f38ab5d40dfec2c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c08c8172755a583e4cc6c986967fdadb

SHA1
d65be6c78ff3d856dc48b67d0d284eddb3719224

SHA256
760e8d6ed0538c59c3a15c091b6dc9652975423900a61ec4711d1cfc27adae6b

SHA512
a7b39601e6f1f79b766d0c0bcf84bf408500d0117e891e6e74b87952851f31253565735db4724ea308347957c7ab3fb2ed4a3bfc0d078f180b589c4d85c84416

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5526f4584b6667564f1748082fff5481

SHA1
bdbe4817ab8c344c2a1b2e42e84ea6d47d82d259

SHA256
7abcc8c1b2353fc583d752cae9935c689b3d2db923bc93024227479e2367aab9

SHA512
c3482f6b17ab7093a344bbdf5765f99f85e3f58a0c1cf7f1f66006f6678f215fea59b24da772f75dfdb76c8d87ac5dabfade6503637c19b04b22d5b6a9dab21e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
93d4dbcc4371266dda9a9c95a51adbfd

SHA1
08d0c00ab1b9995b9c906d304e8edaaaf4d7e230

SHA256
246b11fcfd1509de76cb04307d5bf8cb2cea296538135db710ab313ee677914a

SHA512
89de253efd48c686a60d05ff87bf0cab7b184f240dd3463b57457f16b4f7298e4466fb2a43d040165d14950cfd6ef783caed0ef8d970a9d5c67431cf34a862b9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
3119fa35e71c3c91fa60ad91d4130cb3

SHA1
de05507e81be040334951fde18fec81f780fdf7e

SHA256
033596b0a93a6bea50991653d3ef7c8aaf00c9e955517608b3a7b5f3882a3b97

SHA512
edda9ee5e3cadec51826d6714daf467336e121111b582e665d175c9e7da7daecdf69805eb7db660638c694457c4bd36fba80ed07ab3b3587fb2bb0e0aebfe844

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2521dfe2fca7ff6cbbb5431e324e7cc8

SHA1
37fd3ce8746c7a4f3dd3b0b55e6de436cbc06cf4

SHA256
2d573bdc8115056fdf0a6b5529d92095647af909b3417cc2f6173c488df05920

SHA512
c5d051d582f06fc686c816190b4459ac09f751068c6aac987ecf60fdc9f7c86e759f4744200c2bb7f9c5a20efca9d7c3276c17cf399089397b17393d52f3b7ba

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
03ecc4347d2a01fc9f669113aadef5de

SHA1
e72515d78f18f59558f149eb0a902deea14dd071

SHA256
18345321580850be2ada21a7039fe6282c8de21da0a14e31de370dc89c921a99

SHA512
5d24cccfc87288cb33622301658920c89cbeff544daf6512a84abcc3697e38e706b4e95f8ac3556e200f75ffb04b1bbaa9072c21a1f4992ca3f125ef4a091aa9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
78ae00aa9346571f40e6519e47a23bba

SHA1
a7efc4f0bb77b04a329f904b534c11f18e01f517

SHA256
df95610894ef4ffad338ef6d56379ed7ba444789442b0d037dd4bed02fb5ad43

SHA512
517be26d82274bbeacab5ca9cdaedba7d153570db99e569168192cbd05e4e71296c03c2b74b96dacaf50b39a1f54ed2d49ccb4422834391b384d0c57c605ddf8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b37ed5a3a44490ec249201bddbff550d

SHA1
6d66e9f54ef648ca77592f24fd4c011a88ac7eb8

SHA256
f9b3b83c573ae73b13a66720d427635c7ab02da5c0bc3f08419b8da3bf45e105

SHA512
44ffc96bb567600421157233d420fccb7519bd97fa0fec6a7afe273c9e537acd5148f6cfc60f88dbea502db4cf47f847724027be587149827d47a963da6456e8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
1450a58c58e683e874d5f87f26bd54ad

SHA1
87cb8a4adfb0538387b680c84fdb296e95d8a6f5

SHA256
f605d0a25c7cdef3802c4fb5e3c0159e6f972095adf2879dd81d94a4eab86aa0

SHA512
04989c4e3963c543f264b1082810d9d53f3c436b13d9544b31f1e03e85c7ff9a3af4f14c5eabae9a80ecb4b9f32c54d12a76e69f5e613d72bee0c35c59dc73f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
3ea070e60e7d429e1e61c8db38c29e6c

SHA1
5e299ee911c837db884fb5fef2f5abfe4e9e8863

SHA256
b2a5745d6bc2caf9e182d87fe017e223f6237fdd3768705f02a67a10b4cc2d66

SHA512
bd55194313210c91259cdfbe4e6cbef7eb74adf00b7bb292cf8bdeb109eab962f8253ed0277461b94fe7eacc644648318baed002cca9af07b27b00e584fb7cbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c79a845ef76ef0a4e80789492c4f1f62

SHA1
8dc0e74a251aed2ac3ba5a866049b4ece9773c79

SHA256
a9b814840371d069abb1b607b9bed13bcbc97b12d732dddb418d8abd4dd00df7

SHA512
f7ea86de89cd32a64f4bd97949a7f9857750829bf1da4fbbd93ece190d94f6b2c129f253e92da92f7192777d09c84c50ac28b1356d9dfb7ad3a8d28fb30c0eab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
41eddd7adc29ab0c143fb371f53066d0

SHA1
4b5897460f56fbb84c451a12fa0eb4663828a84b

SHA256
58b57925b1f88f4efe4eb601bb8dec174dfa9bcb39795b518282e7054fa9bf1f

SHA512
527ce4ab90e15d2fe3879cc1ec445e530e3ad166f045031dfbc3d7b99f29d926424ee4ef0c0b36d6cc47ea3e7b40505153d8e1c80225d84573bc1d878411c4da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c42c1c1e26e046b9598b0cf44dca3e3c

SHA1
61dc3cc83af82f005fe2e7f94fb231fc17309fc1

SHA256
297672a0afa5a7f745dcbf706049ccfea5865a8606efa055fe63b727cd90ac8a

SHA512
47b8235e367200e880e60051efe51de05ae3cf2fff255be4555f14f56290bd7eac37b9f43c243ad335648fbbed9e341fe64a050a0fd896e61e64d9b406916613

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57684f.TMP

Filesize
2KB

MD5
d815a154d920aff927b3986ef84917db

SHA1
c1c2bd7df2e21219963cc39d302b18173713afc9

SHA256
0603be058d7ba2a08d3233e42e5575b76578513ddc7e3cb58fa53fcbc5e26028

SHA512
7f7fbc48d9be3c0a935906b277e766261ca8fc1b9eb05542d528bca09d1bd817e6bdce0fd87fe3f56e7597f09595b5b610eb103903a66c2bd79de04cb4f250c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
1ed1b99fd1c19526e332ab7c5c9ebe1a

SHA1
ab7167a44e9d9140ca7e6eed22711d260f439ad8

SHA256
10f919b76be86c608ccd945b9b5ad1f6227f195a421012bef1b4950f4817cc90

SHA512
8e464d1152f73d409ce895862d0bed114adc72c7eab2ad75b619b77a782bb428558c0a2aff3f5fca579ef74aaa0602a2af2181ce605df2e61c628bc6cff4cbbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
0eb6a2b98e636ce1ec23db919efd57aa

SHA1
09d07ac2c49c156f60c672e716d78e57a2a7f7cc

SHA256
ef696110d4562306914d4c28851bfd130e5c0e5ef730bd19b0e76dbe81798983

SHA512
4153c490a6393c1f7509d54f6307eeaffa7c4fd9f136afb1f03f619716e8f6aee3df40ee404c661af1f0b11230f72071d97aba1552a2cc0e9a534a46acdc0f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
9c82eb0dea250f9eb82810bfb8b57c84

SHA1
ba3484c268e9e68a8a9a1fc503b879d6d9999e22

SHA256
57bd48833490f4fa53696ffbb364378b242c6f4a7880f5e9c7dff86b069c34f0

SHA512
d8ee443a91be116f5112e8b2fc0481c62eb2b00bc560bfa9e355b89d225b745eb4e80246f2dd8f74e16cbb55bd1026bcd2e5f21ab04c2ad06d245ba9575a8a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
236f99a694da73301aadd75ab4854d50

SHA1
c74bc07e99f94bb6a53af36077dfd7cb24ef278f

SHA256
5c644380b84029648f1576f55bf23f0d11f33e89436ba2245f4b5c3b48588a93

SHA512
5844bec10a62cd19ffc6d4d0c0eee0f25650215312ec0ea0d0f3a6356161b76b60166551661b0978b350f676c9fc8e7731ae195ffbd3d572fbf2e6a25d0b1b70

Download Submit
C:\Users\Admin\AppData\Roaming\ab78cc34b3b9834c.bin

Filesize
12KB

MD5
1572856385604f8cfd2005c885bb9c0d

SHA1
9225f30350423b25b697229f51c66fdc6802f319

SHA256
d50a3087710dc262dde4ce235de37b862c8ae1201e0938ba77bb077704d06be4

SHA512
ff313b0ae0be535978b3bcf396b6c573c1c44a8af8fcd39c1fefe4052e6a28f11a9ebc859eeeb0ca707f4b95dcbba070b48431e07a8ffd808c653008c2072fcd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
cea18bb66d91eb9b7ed527dce195499c

SHA1
3d623332adb5a627b66019ddcc95aa9e634f0b4e

SHA256
dbf048b4aec9780a8358265dea8dd03cdae57055ef0f15bb0494d87a15bcb9ef

SHA512
c76e7364856882c7704b37b261ac01e550aeea137ec17630a4efefd89bbe84ac9fc28ba2bf6b5a4186156085e0e946357aa81022bab310331e54782ad870c47f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d7f6e17a80dedd74439d418eb145adc2

SHA1
23c3fed80d0f91f6aa3354b9b0e3be4937b951ad

SHA256
a709bc5a80daaaf6418cd75658f5cb623de74c3d00955b8d3a27f0a042275cd2

SHA512
09c77b01d6efd31d1e1e3e61a8e64a443da7c3e4588786dcd33481965c6de2a827e42e68a44c2c1b252aa1f33763b1048561706d9ce95c014098fa9c5d1701c1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
74d5deb71d1d0b9fa29e65ea98368732

SHA1
525c6748abbe19e118745fb4673c103c4495c1ce

SHA256
86e65b00569743bbd2748edaab7575076c33a147fbadb3d860dd26f6268560d0

SHA512
9aa87de23494c1cd0d748366244bb9709b43bc75284e520b0a0a522c5e67b6a7db1d0991a09180f5dc64f76d9bc393965503de2003fde17729bfbcb65dfd9166

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6616d98882de14d277959bebe19a946e

SHA1
4dd3ab29f885a5a9cec5eefec491ccbb28be83a7

SHA256
f4921bc387747129f6240a9d7f6e8d163cea7a1d4f31a6fb485b80e9190bf9f0

SHA512
f104b69c75bbd3682d1da5ff2adedaac75ed1dfb789a34b805aa4ae7f71ef5a079c491b898bdb26dc314725280c3455670bab69d95e457dba28de80350f38412

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
51dabe5f201e98d00becb9e6cf8c53cc

SHA1
bd06cf61a19ccf1a0dde1140085add25b61099ff

SHA256
987e42b62886571cdbd653156e9ca35be6b7607a521a3a0528e862bfccf31b93

SHA512
602103d6ae855219f57b22bb902265f461385e7efe2be0df22525a56d30894ed7e736a7cb782360a65dc8fbb4e6fc17c6bff6dd87781412e3a1a3d292614f099

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
3de302fef203d6cfc6b09a71c963410d

SHA1
2b986d1ca7a9666d18a868866638571d9f964313

SHA256
6f0c7b4ca9c7e868f26d8659fe35749964bca96b9475cb7bc4f07a07e87e686b

SHA512
3d343285ad1e7b2296eee27de4e0860b1139bb5dd584a67d75c464fc7b54c39a380f077d4907deaedc530a45ae6925cda2444b9621f3ca82fa2a202b6a1c5e71

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
b87011ff5eb53a8d45d54a2e1b0fcba3

SHA1
8681690bf269d31ba87e7af5b33dc70114fafcf2

SHA256
670c7fc35643ed262298162dbf91e98995f6e407f640740255c244a1e87e2805

SHA512
3c5fab4a8b513d7d6a875567e146cbc965f1be23489f057feca6af4f8c236adc64afae3b2719e3a9106ec916a615da886efdc80f505b3621da887ce27deac3a1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0b7b651ad4880547ae3f3703b191ce7c

SHA1
08815e4aa00898d9a76adc3680a5c2ac8621b1d8

SHA256
5095ed8419f639ac5b06103cab73e77f282b96cdf7a7a962e8ff1be873c2579d

SHA512
52410c195ef10de80a9b7aa24d933708cdea73c7b607c9f4fa6c2e6b5b9d0c5d915058c6696e648c317cc6318447de2bdf7a5af8262903dab09fec6dda948984

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
32e9b91ef55ed0a976c1cf3b53db6005

SHA1
ab48ca45b69e13bc65d2f879b7517f87089aa104

SHA256
e4d6f8b1a8aeed053f82199f9ab2828da042647802d973a70e3626ac61716c32

SHA512
cf4069fa0763155b558ed2d8d0e5cef374fac3f2b607762ffcd5e6503222d5269b17fd8b466ac1e7c4c8e2901c91877b872a7104bdc695ce401010c3ab25a256

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
690d8dd86c36d23c91c5d1a77d132113

SHA1
b1bec6c3025ac0dd97a65aeec3b2582996c6f498

SHA256
ba5916bc7e5257a8dc81ff38048f95e91ff305499cd6840d065e434d69b462b1

SHA512
ea76cb3b427c7ca1cc6f0d0f2eae49fa3b8313af60fd4d58fa199f1c675b60c455cfde3e580329ac226b1434641c388081b9ee48a540fd2eec33086ff813ab36

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
4c805c21199ddddbba5bb5d6dbb9f7b6

SHA1
0924912acb6d3cc401200db86c03e08371435d5d

SHA256
ec09435c26bb0aefc13f798773f4bd8b537f00261d675ad34209ac61c8cf96ab

SHA512
f4007fc71371538be2b1aec544ba6b408f8e3359943eab717d673d5dfa4d78a7bc6e0cd0ebfca1123a9c4fe07c26b6909826649e7c349695a0a92e2fec977434

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
20f28c8a8306dc2e37f4385b2abd8501

SHA1
c97078d0cb7a310d48266c17df0c6f4b8c3b84fd

SHA256
3ce834826c56fca5c924a9138ff10ad1ed87e7700a44279c7add198f11cbdebe

SHA512
e0e27c650fad67e6473f1cefa8a568f0ebd8944b3570913fe9456ba597f7008c110cb7966993cae9c2ea8df733588af8c2f01eac2829dbec539dd2dbc98bfed4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
78450b430fd2eacc4c7431908f361e61

SHA1
05f00ea6dfa40d44d4900ecec82a415568c3650d

SHA256
ed4e040ccf77f9b77592c4dd3333fb67b5a8c6c969250197d10d8d48cdc8ebdf

SHA512
bcbb3c93b1b1d5349a07f240501d7faacd4a3da5af52445e650e106039479516a15ff531b46618016c6b5c073622d8302efc5d41460925d7e1cfcbce09b046f5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
9dd289614858e27db35d9bd14272d568

SHA1
4ef8b5f0a683449fad8e53745d360477fe4c0d28

SHA256
1225ae52809c97e834854039ca0ae22d00e3b0429d651fa96b7ba818666b2281

SHA512
01d5bc245453cca7ac54418892c8cdfb68957ea4cbaad2fe7110f70dd13aea1cb3e0974734f5fedd593750ede1eddf78665380d54ecb182d28c24a1abbe7e0d3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
06b9eaefc8c81e1da472ea566d240d54

SHA1
0ea4e4aab06f7db32a95296407fdfd9efefbbf78

SHA256
35d319b326200314bfa47d849ea46f4eef1d690242e2d12b04ad0aed7eeb90ef

SHA512
e96708d075ec6352d18606183a7fb1494b3bc7a4438a8e22b5a1f8a61d890d0ef09dff20db74b8b12c8cf83d7b2bf3d24ef52ffa106204b1ed349552f7092bf9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
38f9bb8736d7395ec51d521a010f8965

SHA1
570213c22c27b3f706b116c7baf566003c449af7

SHA256
cbb68bc8ce58abdcac47a16af1d22ae9f88d1f1e51f3dffb2ce989df02228a81

SHA512
b2d7eccbcb2717d6833400881c49aacf7b436d40b6789fb5a51d4140a0970c58c5cd94cc08e1c4362ce84940d95f3696c0e05322e2b3186c841cfc13d7d81d1b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
808cab08bd8df5cf494f21b93552ad59

SHA1
37ff870ae872e3f408c310e1552e15b008362e6e

SHA256
370e3a7d02a9fe04be598493ddb981e2f5c1aec691f5af81907a584b549dbdc7

SHA512
a2e1ba1e0125c0a0f2b5a3c0e129bef442191ceb43f5fe56b87a8894021800afc4114a3c9943619f58f886e75de82c882152d4454e923930fa698dce787e1cf9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
694c966cfba93e727c74858a86dd991d

SHA1
8b495fc5e8aca3ecd28fca2f0093fd29fdb29616

SHA256
cba49d4daf9ec20ab06d63a1c061e04a140b93fad0c0ac4ee372a0e9c1632b0a

SHA512
b8973d71f41c266b595caf66ca864d2b7d7e31c27ee0990aa1f848f1a0a135f7fd8ce6f80552725900cbb32e438ff8dd68f559b080fa7cb70fcc058fcc5ef0bc

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
36ce2b6cad119c81a528c439949cd5c2

SHA1
f635102f17707ca52a99ae7082a91df76d1c4d6f

SHA256
0c090de79661e741558d04a5e53e617bf3a81c1bf4fca885509d6297f59ede52

SHA512
848fe3baf38ddf286b42c0c9a4c443d3851fb681a095e1311d0a312cb84a6e99aeee42f165d51174de98fa6ce862d6851d5ed3c9eff6aae5d323237f48c9e878

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
92745a135e7dadc56f00ef5fddbc85aa

SHA1
05129a6465867591803498f80bcf9bde27ed9757

SHA256
5a486b9d0567e8fb8965edb56d00e2998bce2c19a05337b188a4c9ec885e213b

SHA512
86f45f12c21665beed37509bc84235c980b0aad125d29c7328a478e23b458988df208d533db15dc479ae12800065b853f828daaa8bda399a385e52072d6c8a2c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
6da8eafd01bef783d04b36e17c527adf

SHA1
2430a770b4dbc3a2d0cffcc1448ffe060d4cb20b

SHA256
9f0c25c0b58155a82155604aef91de009dbcfb4b09a5ebc5aea34185e022013d

SHA512
82d6088d34d14aae3bbd537b1782693bc5dd21970377276f7d3c9e408bd8a81dc91c3e1c914bf6563dc9030fbc11aadde37411df8148c2160149481cb616a3eb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
d2c8e05c84e780e986a3374a03e028ce

SHA1
6d3c112f550c2e908322e4f06258cb4ff4985b38

SHA256
0af19bd6008058d8ad5590d103ad44f30d20711ad5e86d42bb51720dfca446f0

SHA512
dd7b1e24f4404149817be100a1375ddab43ce8aefa39d8914e9b63f11902269d7d5267bf231a6f6709906b919ee19064594a33a6b153e90435bbf9e5ab9d1245

Download Submit
memory/220-292-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/220-698-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/464-159-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/932-511-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/932-241-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1432-102-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1432-108-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1432-122-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1676-275-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1676-628-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1776-77-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/1776-620-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1776-63-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/1776-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1776-57-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/1776-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1776-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1776-187-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1828-200-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1828-458-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1952-19-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/1952-26-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1952-199-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1952-10-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2124-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2124-89-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2124-273-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2124-91-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2276-185-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2408-69-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2408-68-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2408-125-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2408-75-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2608-244-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2608-263-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2888-37-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2888-28-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/2888-38-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/2888-207-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3220-0-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3220-36-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3220-18-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3220-6-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3568-474-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3568-216-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4224-186-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4276-147-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4276-299-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4368-146-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4564-493-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4564-230-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5060-45-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5060-51-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5060-53-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5168-703-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5168-300-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5288-704-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5288-319-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5304-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5304-470-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5404-707-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5404-324-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5536-708-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5536-485-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5684-504-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5684-540-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5848-741-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5848-525-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download