ee30936b9f82aaa9edfa5489cf1498cb7dc1e661a84dbbc83d4d49ad7681dd56

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 07:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
Size

4.6MB
MD5

f65bf1837b93536d76702377c5862222
SHA1

1cf0522fea9df2d1dd6857575580a1c2158e74da
SHA256

ee30936b9f82aaa9edfa5489cf1498cb7dc1e661a84dbbc83d4d49ad7681dd56
SHA512

2e545a09a213eca8a50a2cd2a55da10d323144f8a3c84ca788abd9a2aa857cae9dd37dc8cbbe96771b858e988f08d6d411550ec38ce84000b2dd9b8a6e658ec7
SSDEEP

49152:IndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGi:C2D8siFIIm3Gob5iEsfb9s

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3724	alg.exe
364	DiagnosticsHub.StandardCollector.Service.exe
3992	fxssvc.exe
4444	elevation_service.exe
2308	elevation_service.exe
3060	maintenanceservice.exe
448	msdtc.exe
4728	OSE.EXE
4080	PerceptionSimulationService.exe
2900	perfhost.exe
2096	locator.exe
2260	SensorDataService.exe
4412	snmptrap.exe
3064	spectrum.exe
4812	ssh-agent.exe
1952	TieringEngineService.exe
1268	AgentService.exe
1204	vds.exe
1636	vssvc.exe
2404	wbengine.exe
3244	WmiApSrv.exe
2132	SearchIndexer.exe
3768	chrmstp.exe
5148	chrmstp.exe
5344	chrmstp.exe
4492	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6c6b5489c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088d74fa5e3cdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1daf9a3e3cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005db048a5e3cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039eeeda3e3cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a3684a5e3cdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a8e5fa6e3cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f60456a6e3cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
640	chrome.exe
640	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	624	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
Token: SeTakeOwnershipPrivilege	4504	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
Token: SeAuditPrivilege	3992	fxssvc.exe
Token: SeRestorePrivilege	1952	TieringEngineService.exe
Token: SeManageVolumePrivilege	1952	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1268	AgentService.exe
Token: SeBackupPrivilege	1636	vssvc.exe
Token: SeRestorePrivilege	1636	vssvc.exe
Token: SeAuditPrivilege	1636	vssvc.exe
Token: SeBackupPrivilege	2404	wbengine.exe
Token: SeRestorePrivilege	2404	wbengine.exe
Token: SeSecurityPrivilege	2404	wbengine.exe
Token: 33	2132	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2132	SearchIndexer.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
5344	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 4504	624	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe	88
PID 624 wrote to memory of 4504	624	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe	88
PID 624 wrote to memory of 1988	624	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe	89
PID 624 wrote to memory of 1988	624	2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe	89
PID 1988 wrote to memory of 2908	1988	chrome.exe	91
PID 1988 wrote to memory of 2908	1988	chrome.exe	91
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 4428	1988	chrome.exe	116
PID 1988 wrote to memory of 3060	1988	chrome.exe	97
PID 1988 wrote to memory of 3060	1988	chrome.exe	97
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118
PID 1988 wrote to memory of 5124	1988	chrome.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-04_f65bf1837b93536d76702377c5862222_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeacddab58,0x7ffeacddab68,0x7ffeacddab78
    3⤵
    PID:2908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1876,i,10173716537047441259,5598481166270000006,131072 /prefetch:2
    3⤵
    PID:4428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1876,i,10173716537047441259,5598481166270000006,131072 /prefetch:8
    3⤵
    PID:3060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1876,i,10173716537047441259,5598481166270000006,131072 /prefetch:8
    3⤵
    PID:5124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1876,i,10173716537047441259,5598481166270000006,131072 /prefetch:1
    3⤵
    PID:5352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1876,i,10173716537047441259,5598481166270000006,131072 /prefetch:1
    3⤵
    PID:5360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3872 --field-trial-handle=1876,i,10173716537047441259,5598481166270000006,131072 /prefetch:1
    3⤵
    PID:5860
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3768
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a0,0x2a4,0x2a8,0x290,0x2ac,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5148
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5344
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:4492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1876,i,10173716537047441259,5598481166270000006,131072 /prefetch:8
    3⤵
    PID:516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1876,i,10173716537047441259,5598481166270000006,131072 /prefetch:8
    3⤵
    PID:4620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1876,i,10173716537047441259,5598481166270000006,131072 /prefetch:8
    3⤵
    PID:6080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4392 --field-trial-handle=1876,i,10173716537047441259,5598481166270000006,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:640

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3724

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1092

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2308

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:448

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2260

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3064

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3100

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2132
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5540
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1424,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=3916 /prefetch:8
1⤵
PID:6100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
18625447b7da247a3d512be811afe74e

SHA1
ef5e0625404523eb5ab96d918c0e367721506fbe

SHA256
dc391bf3109c6b3521bb0354246723eebd60c7a2a7c8abfac360f409ae182744

SHA512
eb485c901f9edb0c3171bdd918ff91d4c8ed2dbcbc3baea62201dba74364c87f57aca3581dc94269a7699e40eed3f94c3316c5ad7a681f3a11f98f42456706b7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
0475d47f2483272f2c04b599226ba49f

SHA1
b7a7eacdbfea61dc5671585ba09343ca844b32e8

SHA256
38de3699a980f04e8d665ab093dd8029c265ce15a2e142d2a3968a89ca884e2a

SHA512
081b796acdd42348fdc6753a0496493b70879f2d16b6b8b75a0c68e1dc1ece0fd8c74ffa644b8fb25df359c55646354bb09e7bdc609a71558cf355e7ed57b8a4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
0a902f49e5c467a92fd7782308134381

SHA1
f9c95b209babaa23ea4b98d9b529c7a4437ce7bf

SHA256
b1be56afb22a67880737dc2545cea414e63f595e3ca072028003adcc59d852a7

SHA512
78536633fbb97b06eaf691ce0978428d43f4af021c79a2faed8950d08ba8f9807097968176a5b9caf027bca40dc21428cc4c0cec967f1414e60b2445842a8a2e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a283f3ec154af35be44363468b0d8c5f

SHA1
2bc55840a567a968e8f4a8c9a413bf65f2a110b7

SHA256
c51615784b254e9bf157b9a503c377b34986525f0bc5f8da198f053c066fce94

SHA512
1376fda7d2c00557978f979a09b88427881d1cf65ebacb8b8f1b83335afa5d213e79823a8c5de684e9ba70a739d7bd9d2fc876fa90696cac6f98c3be44cac6f2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
751f1475df53bce320cf77d758abd512

SHA1
0acf2e92fadec779a53c3ddcafc9b5bb37a9f05c

SHA256
1217b6fea5865841d1595f70c72b71484e5e1cea70cb2e34b61f7885300f8405

SHA512
fb31b607670758079fcc6bcb9dd13b1f06b88e50b5ea8f38eac60a96f0d99ee614e4a386f2d7a6e1f5536b5cebf48bf2cc1629951fd853967d4f0d4325a28686

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
454d7985ca19bb7deac280f5bf7e2f5b

SHA1
f1921fd7651d7946e9745e1f19785ca294daa4f0

SHA256
e656ed9c2b5d413f61f30f015eaf4e5d581522e676b073284598965ee0104118

SHA512
d7fa4380277478e05a21ef3128310eebaaa263c93f86959d5d90dc7289b66a3f0d48247850ab080184a8406c91451ecc3662372a26422fc8158acc7460acd54c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
aa9624f98fc0777e5074f9c0cf1f7424

SHA1
93b9eb30bf3e926e9ee2b6dc2622266c1b3bb0fc

SHA256
72de05b999486e48a417d974fe1c81d8e1efd62a0f618bc8275348a054bceb93

SHA512
a7eb81be10d93d48f926e2aa40b5b8c37b3e34def65bca74e61056ab762acad9b51d16e66966b446fc67f2533cc50f9ad978d87c6137575a696b6a7a6f476b5f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
46fe953a7313975b717068fa37fa63f2

SHA1
f30daa0235765594300a4353a45ae4aa50b170f5

SHA256
8ec24c0503fe1a31e8d6b067ce2ebd717119e3e7b59468fdfbf13c8fbf88ecbe

SHA512
033a7d93f3037d15b304187f56f6049b9e705f034c0cbb080a9cffb9888daed06fbd84b7266d98f8b10d7f21ed60b6d100a6a592110d5be63870d899fec8ac5a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
7de5d93d4abae34ea4fe60e0905c907e

SHA1
ce664ed8079fca09231439bc1ff8d72408fb2899

SHA256
bfb25dc190a6f46a6b224e7bacb78a372266f95b41ff686a8108d422957e1517

SHA512
8886980115f8f5c8608a221b95ffd437507b9cb3540c40101c0e3156dad34d7464a252ec3720fadb35907909c1b20ee22aee4ec1dfe4f5350b67d79f4a030c51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
86af5c287a64c91479c93e951e2a15cb

SHA1
50efe86fb205412f7037a65c4e2c6807bfc701b9

SHA256
8f6ae183f5a61529409dfd19e75e057cd7fd0762db9430402329594625efc12a

SHA512
85755bf46ddbe7aacd5ed21c460d181a29029feb9e4379df546c484cc127858ae671cdec682448d2f246f3c2d67bf6f9b13c3561aaa249f5f7b86dd8613ce09e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0d051226da557a8db0a46e459f051d21

SHA1
a353d0ea8315dc6d26c04d7466b1d2388f449274

SHA256
7ca85197bc54e563b1c89fb57d59623c9116dd81b53e5242785b3aff70573d48

SHA512
9df3ace1bd07f9af03bb07f69824b62e096dcc06f3b845d510ad1893ffc61f4551c4be6375b528218ca15ad0e41370ddf1a0ea86f93b02db3f7f9d2e001c3a11

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3d8918d5e31506d94b4c38dd40ffb254

SHA1
41149de6352523c78c723abca8d33b4bed6dd547

SHA256
be10042d6e299cf0d6276768585f32eebdd0331867f8213ccf9a2e1ae28e4d53

SHA512
cc455645698a099be08672c937c1199e0d5ebf75a2b895d6fa1fec0d54b7fe822c11b16680d58ffba85517df09b02c57050155540aff89986ace72bfdb6979d4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d5e0fa75fbbb0d5b8d77d516123e2679

SHA1
86d43b3288c20612a2e0c4638a836e93f1d93b31

SHA256
9d6aabfc4cf6672f3104257ab926e69c73bfc18fb965fa27bc216eb2f82a340d

SHA512
aac75aacf49ca2b5282fbac9a09001477cbb0ecae48e524a52a12a9b01606485520b849b1f9733ba543f74b691a2af7f34c1d867f2ece7298dc15bcd10886ff1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
955f027c26ccb97686edbd343ebc3d47

SHA1
dda1a21c371302853533adfcc3761ce6f07ad798

SHA256
773c9bce64694673770379be0554dbe573cd54db3db84770ca8ec0affe429225

SHA512
f4b57a6bf182e65563421eafe1e082cc4b46b6538a9b5b87db1c6d972dbf693f85b19a58bccd69f0d1c8c73e9c18c2e7a069d2c5f7eb9408baf3fc6a61897011

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
84a761d329a5971d13e6145578973fdc

SHA1
501429b5f3ee9c3469a303614c3a22deaba8dce2

SHA256
a878d4f2b616c726b124bc16285b00a0cc8944094264c1a041b7fc91d6c21638

SHA512
44d944e9ac4a2834ef7c9397127b53ba3dd21171f35fb97120d49e59f00daee76fe81a6adcccda377513f1b2e169b66a4d7733822fffa25a090eaed1bb988916

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
41fb40dcff1b400c2f0d40f2e634b429

SHA1
5a65996ca8fbdcc48d9be6674a84b48bd55adbd0

SHA256
1a97db334a547b65dcefa1e87370ce4bb9741d31a1d7795456644ceb57e2d225

SHA512
8d165682fc451681f2dd92f6ebc2dab71039f13c567cb5c6aa5e12ab9b03335638a014a89884f7b39051c8d33a8d127000d82c376ac3b982e31ace1e667fe4d3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
70c68c99ddc2f72252db65564b28a8cb

SHA1
08b0756b12a5f72cefea7fb29dad2ca00537420f

SHA256
3ebdf196299388541d66fd1e481311615af875c99214ad3908db0dcae69615a8

SHA512
67b84d391cfd0c3546555acea854ae5c8333562ca53a4af9ae2c4d6cf7080e76105d2aa32c5fe06fda68ebfe0433c7d2d38cb21fd8ec98f7893c48df8bcc3bfd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2fe6a701c0853e500c66bbeea1ebe59d

SHA1
38e253fc4f4e07102e97ef2bba01d26d7b9f68a9

SHA256
60284e7d35021b58de43c0c10f63c736b6591d144bb6f490185e4ad2afd0a720

SHA512
3ada0413bd16fc46bbe36c263c4a2272c81436a1d5c57bdcf50096563dc0f3093d590258ae825e60001e831e9e00da96f5c613309f566943600e2af1fc9e2e4b

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\da680cff-b7a5-48d2-af53-a99bdcfb676d.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
08edc450e9a0c1f4154c1004a279b1ca

SHA1
ee7db92da254276e4f40a74ed4ae01a8712473c9

SHA256
421caa97ac44f5ecd4c3553aa754c74010d0f2fcb36bd869739a724935e8c4a8

SHA512
8382d828ca462566aed47c673f47954b14e927e64261fd7610e5a2c6df85b120f818d44e66bb098aba5d812cbfc30ea18ab50ceb22908ada5f538c64e55d4552

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
61f32309b0f1205fd25b643c2a157188

SHA1
1237687d084fb8619434aaee70c1c863e7ac3057

SHA256
f9fef0e6ba50343201773ec4195edef61ffe5f0ccf4bb17bffa3ec02ceea8fc3

SHA512
f6ff2b80b7f19bf524972b145a996c0afe781d42ac71fde8513d828c878dd6e558678218ccf09071cf856f101ef5a6fc62cdeb79b950b7755382c0997447429e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c0683771085701d7e87126544111ef07

SHA1
add2338615433fe819fd2e2ba81a0463cafd8f2e

SHA256
68faffe3b3a1940c931c95db018fe70b7eeee04558045af54ffbc3b154ce4627

SHA512
d16dcb8a75509fcc0ea1af34351a13a3f203349bab9f58e0ea30954ca4f23ee1b26241710c062cc1dc126cc6b3d93105d8f3da1a6f2d0e0a4174d731ff9a4f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5d8f8d7cbe3babda7c51c6dddd83478f

SHA1
04931f725c8db5b4562d027e68bce00048a13540

SHA256
dbe7bcf260ccb65f6c8865466933b6b2bd56e2c2b3c74519724b14135c3f54e0

SHA512
16ade58d831d783b7f68ecc793474ae39883a9cd378a88e59c8957971689c62ab717330ecab507d1cefee8c0ba34c14118a89d6c4ac4d67bc8c6d0523bff6452

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b568e199925f69c2d69c364cf48dadf9

SHA1
5fca8f4d9d7f5e611c66aef06c982bad01989d4b

SHA256
56782bb67216a3ac219914784c3efdf8cfc8e5b59f4775f7c6328676c40354c0

SHA512
cf36bfb9660ed3a31c8f17604ded289a1977bfc84e8e66df05f4cc728db887e02d2834b5322a93c6dbf9d7e9d8087c0220f41f5e34c6e177f3bf50aec0e14e9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe582e6e.TMP

Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8ecb122d31be64aec982e2f6a0066ca5

SHA1
80dc3348cf3cf8c71038ac3648b9712c3585064d

SHA256
99da032dfde946eb74c2b7ff9b95b0c00677920f23bc1267a6930a7bf933d65a

SHA512
dd23ab40b5424a9e6526bebdb12a93126f226a01afcf8887ffc688b2b722bf3232132ab9271d1430c83554904019ed9031de517c1df03c9aae0da3b71a7c32e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
02fdbd21f46c40f6303ea0b841cecb2d

SHA1
aae1d46df4aae3c3ce7f57cb3aee5be4a7b77852

SHA256
dbfb8c3582fcfa55862bcf1c962001bd377b7e01b8a5145e0046407fe1e3cde8

SHA512
7153995f3d90f71264e2a0e423cff325444900c6fde47360475571434fb9100c644c63a82492dbddc0569a8124df71ead73f92d20b5a8d701455fe0482a1b904

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
0b367f35840e807187da88fe944d7fb3

SHA1
dac5ded33ceba1720a423db1d61b845c3dcf22ea

SHA256
b2192aa717b5ef4407a5a20305975483827ceaead313bd81903bcd3efb4abd84

SHA512
4562a2947dff99bd61690fab1fa42bd75a5acd20985a8994bb751523bc913565ed9994de38367d3913f34fda5224d414b02491e07d5db01e9ebf1f00a1c93898

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
9e79cbd3ed64745082e447ead8b35649

SHA1
ca7efba002cc34d82cb70c68b4d6812523b99b2c

SHA256
4de1861a1a91af2263de31e6e0023ff543c5272c3c26f1b37f52d71a61fdaf03

SHA512
b91dbef50a8de3670dcaff15ac5e27df1c230034f4b80d5a51a84eb1a46e202eed7c2d5a84ed5ca89c17ad121c538ea7a1e37cd4a8c399b5ad3623cd92b9d4d1

Download Submit
C:\Users\Admin\AppData\Roaming\6c6b5489c3a5208d.bin

Filesize
12KB

MD5
8de2a9cb444f96bed84ab05a161afeea

SHA1
88d37e498a31df2685eea3da0f8836f2d540dc76

SHA256
109fbc8ff317c2d686b6db6341777865ba13fe934c252c9add589e8ceffc5c02

SHA512
a12c3b32d85f906bb68fc0e723a9833a28406bfee4bae758461094f5b54ec0b0dd85a8ab730df68bd959be3f79447d86a5a5e6eed00a803252c51c75f3f21a5d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
28a8261bd74dcc658359947ec02f0a13

SHA1
eaf062aadfd731d25e029a2f53c159d8abee9f21

SHA256
ab99db2e4c593d5aa98516fc8337263f36fa359aaf4dfd34d531d7fb86cccf62

SHA512
18f4f9e339e37ed607e3ca560a3ad69f6b3ddcf8180ad534206d8bdb429bd8db3f4cb78bb8375a884dd02cf2fb5eec9eb08bf366b89b2a21b2d929c5a28dca48

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
25f831e535006bf6500d75d99185655f

SHA1
c47f1af2e56e230eb4dd48ed944e72f2f5fe212f

SHA256
e186ba36b50379f5959d85da70eecc6e8dcb6ad1975c315109e65d2408c999c2

SHA512
421e9367df947ea2a127eb68027a21cf64e7596af4a1dda6f78d240dff4f1daa93dab5a48a71e356a7e4620f60de9dda6332c9713794071ae50fde7804730bde

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
e98e42221fc19f234f90cc2d8e4ab7d5

SHA1
70437efb20d9a92d8b60383c390043bc664b89a8

SHA256
e72afd103d793ea9af9c877a7889294eb45ae048be75225caf250650be0d54c2

SHA512
a05e23369ba1fdc2f96c29b2d290c431fc1436b5b1f190a135ba58b406b8f1910dd1baf5bd531aaa202fd1a36b6da0077e2deacb007fda7b0cd9daf560c4e284

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1e81508e7c92a646a921423a8416394d

SHA1
437888c379d4a41ba4bb36b752a89c2f2a19dca8

SHA256
1c505a840bb97787e3295fc2b7990c7bf6d8643c3ed5711e0dad339c6046209c

SHA512
beff510d1a139a484f666b8130f33a222a2f3ef456519692e666460693f9896702b6a8aff5a9739f637720be2e9b45c45ec66d2bcdffe84189e3cfffea62e6d7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
bac2ea200c0314faf34f57ee5106f07d

SHA1
00e5d403f205a0ef895933fce806034c95fff9ae

SHA256
fe30e8e974ca4a557014bb19df75266cbd5955b2a588d7bd3ea0aa47da7c0394

SHA512
224e3b9647c3bbd82f68bff688df2141c571e0768da52323b074cc22c4596494b6c935754ac5f4af3c2000956cdfa5b0a2d46178eb9b80c4bdaf60c0d364d4b6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
769c6eebefcca8a1a79de22b8efb6f06

SHA1
9945902f78d97a833b2fa34b830235f9dd09d6f8

SHA256
57112776d4e52c18587d449a98073351461e7c9f4901d9d926bc434d2ef82863

SHA512
067f7df329dc363b125ce6357b58a7f372598a01ff934401d451cc727439027546938c65c9e1bd015eb994db9ba924e4d0aca9f25309f614616bc0fefb185b7c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
4a12e70ee9589aca6341adceecf3472c

SHA1
732a7afdcfbd6cbe5fed8c05acd727d64070f1bc

SHA256
96c8757fae55aeb3a49278eb681b04964c0c0bbecf4234eed32b322c8f085bcf

SHA512
06a73965731414f50933a8f011bd80df629176b572e4383aa8595efd3ca00b98fac48c695bed79ffebecf5fa0a13fd8ff99df57316815d5e4e33ce53d5603721

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4f3f9999866781e832762a3fbd4bf3c2

SHA1
5edc524ba312cc29e486a66f57194459c8d23a8b

SHA256
85545002dcd6ec9cf98a3f908e49025a20b200739cc6a9b587ed3b59729b821a

SHA512
dbf85eabef11f77079c91fef85613fb8c7bd6a70b6d5bab73d0204e3baf997aba7801a6b06bc1f7f205654c87d379ffed2754309aeb879756e97dae96dbc27d4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b1956f99828930bd805442d9d276136b

SHA1
9f23982ad0bf6db688ace9a42e8a2a3a773b3234

SHA256
956b85e9b7981b9ece85b19e4be1fcde76551eae84da2d812a129d813c77c7c9

SHA512
fe23b76fb5fa3f829f395468cb2a586646d13e9873cf5dd43828a5d2917987a76fa077b4795498e7b8a3b6a52f0b34502dd8c9e2979e6e47990b7ef198e03343

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2ce796598007d4efdcf4b394ee430fd2

SHA1
b724a6a34dfa4df560e73b07d3f983de18d5670c

SHA256
4554b7f8c29546def7f8fdb42c5eb95a3a4ebec74f4228c9e50e6e3856e8217d

SHA512
5dfcf73882e1826ea241076cabfa3f41faa6b2829391f7147aa917e1b71bac1757955d1599d3c0e742ecf21afa0ca981e1e34cfb41c8fb957fc1cc751028c9b8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
1fdd051e64e61651ee4c98da7f47f182

SHA1
99f35809e7e5c3201fcfdd98b51ac40a9506fb8c

SHA256
c5fdd1435911e497517ff1945205193faa920f6696d0891b74741dd4b29c1cd5

SHA512
b81219bebbc25f7c945f189c7a0f475252a66d3f07cb80dc64463833de7559f1061aec2e5afbb5db7028eb1a135ef91d6a0c29a3baba51189ed126516cfe37d7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
10b5234f601aaacb87c0368b6530e284

SHA1
1b61feb83e91f0869f97f09706f07fbc695de49d

SHA256
7d8b2e717e32fefcf72efba7aed5a7edb01d95365d064f09b994769011b77ee1

SHA512
df7ca167c6c2c1933d3331af312f6b0362729adf2e9dabb22b2186fc2c1126a6ec08cdf52651ccb50647316a64e2ec2f4f4a665da046218b0708aa39e1e195ee

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
d7b95cb3c38d2605514936ee9b0d1ced

SHA1
ac9536abeacb6939d08fd573053492382e7f3def

SHA256
8d981b79977eb94647c3bb8a20960ee988bedd0212b7355c35845019b4a090a3

SHA512
d2502d448918e881a6141be4dca8730677df29787ffb1d918048f27a785418f9c90776f8640f8692192f7db1a73ebdd7ed34f303778931a7abaaf1a30d628c89

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
1cfd100f3402601d24945ae9b48d34cd

SHA1
45743075fd255fc5e532e0f3d5558da3c3a9fcb8

SHA256
11ac2a6cac7d2db2716c37bc357d59faeb900209cfedc2f8b34174ab4ac6478f

SHA512
1d57170266a561c228712b4b55eabae11793db5f786363e1e12d9236bb7f49b951209495cdd65f52f391b394b7591b212f1e8ab88bce74b37259d6592fe16901

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
18e91c932f66af8bca5c372694c35fac

SHA1
287da94d482a46e8d7c8e19888a74ab61461f0ae

SHA256
24916dfa3e78452885d8d7dc60542c04f1edcc8755ae3fd0c47bf435f25e3c5f

SHA512
cefce5e3f1ffe8fc5961bfad41195a24e8eeadaf54fcfb9e296a66e6318cf38d292a2d67b3dac0ea0405af534959fd5a2d4d549bfb8a2fdee20082faf0f3ce5d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
151ed991c03e5fa21626f6caa2efd071

SHA1
608f41efe303f8c27c699c2fe2fbf515542a0aea

SHA256
8f85d7195e93f102d0983312f5fe060865bb6aade630597ec78549a52d9e7f98

SHA512
b5525ae69023baae436b00025019bd0639b30351a8681ad3c8761b2e341599162074f081f4c98b7a357b09a86b72608e0a4e1fcebf5df8ab68e59d09bd434834

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
aa5ca6ee5b3c5e46a578af135e1a6079

SHA1
ba80b11bb4a1c1713dc01bfa1ea79cd44b5203d3

SHA256
0785c2c4d5c4be05a627dc3ecb712f3775cf751e88b9b2f543d022950117f92c

SHA512
e45c418423b233ccb638a367baefece2894096b166870940cc7e91abf36748c78d20ab46998a5bed4ab19f756341804be5adc5a8e459b46fa86fecb8dca074bc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6d7065b2c084bd99a53d78a4b38425a7

SHA1
97e23583d16fb82c869d6d4c04b1c4534dcd0d78

SHA256
62af12402db19994568e441740a5ef9f4b66054bdf60c11070345c18b63358d3

SHA512
0a8b8fa03fedc6b0d90c9f9d784b7a9a298a830abba72e8d8c33b57d948d13a79445c58c40c8605a5067f851cab127928dc495c63b2459f59c87c20fca8ddcc0

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cff6508ffb1b5c1a278b45be4f46a34a

SHA1
ab09b8305f6a2d6176e9d8995f3b43def95a6055

SHA256
b1f254d4bd6952a01a10b22d6e1dcc1570c200e15c8916e140f016aef7bb1c0c

SHA512
e02c7e3f125a61d06e2e8b7cefde06b5b8cdd203a816d8bb89060169e8a06ea9ed718c5e8f1caa40a7b739b8fd7d25dd1004d7b4c4cdab1b482dbc485867d545

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
2cb29fc378dca9c0e2bbec7e91622682

SHA1
c18aa33a8a000039490f1ef2e15f3722b80c54cf

SHA256
a503882981cab0085098faddd0c12b476a70a8edd365bdeec79cb8089eb008bc

SHA512
7e3bfeb2a17a6ea634ed6700c0e11f9375512768f584c096692aa7b02f55c37b4db1b18def102e6b8510021a223c174af073dcd31d33c41d46319c23ce01aef6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
6f468c24e9b12ab9a22034907c391d94

SHA1
e8612b46ae1fbf29283e7449df835952a36083c6

SHA256
2a7923cd2fa969ca09da0a07fcee8cfacdf7b2d7963fd67c145c998657b38117

SHA512
9dae35c045f63f678ad088743e84b93fa82408e4a0974c83a65362e51687b202f46834b634304f73352919d50434f77daf18c0d59c0bea98e8ee918d6bcb5038

Download Submit
memory/364-49-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/364-45-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/364-54-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/364-532-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/448-342-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/624-0-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/624-34-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/624-9-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/624-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1204-363-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1636-364-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1952-358-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2096-346-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2132-374-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2132-692-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2260-595-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2260-347-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2308-79-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2308-686-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2308-85-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2308-88-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2404-368-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2900-345-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3060-90-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3060-103-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3064-354-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3244-370-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3244-691-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3724-35-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3724-36-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3724-26-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3724-524-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3768-583-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3768-512-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3992-57-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3992-63-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3992-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3992-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4080-344-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4412-351-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4444-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4444-446-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4444-74-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4444-68-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4492-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4492-694-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4504-507-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4504-13-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4504-19-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4504-12-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4728-343-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4812-356-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5148-535-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5148-693-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5344-572-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5344-549-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download