7245cc9dc4806f39733d3b72f0fac6544f44917866d8c20ff7b566b50fe842d9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 15:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
Size

4.6MB
MD5

35c7960e47fc63bdb17014366337a8be
SHA1

9af4400f7252d9604dc299f472ee047ba67eb03b
SHA256

7245cc9dc4806f39733d3b72f0fac6544f44917866d8c20ff7b566b50fe842d9
SHA512

fb43cf44fc33d0715095a713d02e9a4377c7b1ae20d7db6c09784672f97838ef17cf121e70b381c846ded9c6bc1c88038f461fd6b80f6afdc67aa465c32a5f8e
SSDEEP

49152:PndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAG9:n2D8siFIIm3Gob5iERnKkT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2464	alg.exe
4524	DiagnosticsHub.StandardCollector.Service.exe
1364	fxssvc.exe
3864	elevation_service.exe
4384	elevation_service.exe
4148	maintenanceservice.exe
2772	msdtc.exe
4120	OSE.EXE
3792	PerceptionSimulationService.exe
536	perfhost.exe
4624	locator.exe
1152	SensorDataService.exe
984	snmptrap.exe
3356	spectrum.exe
2860	ssh-agent.exe
3992	TieringEngineService.exe
4512	AgentService.exe
2480	vds.exe
4220	vssvc.exe
3044	wbengine.exe
1888	WmiApSrv.exe
4864	SearchIndexer.exe
5416	chrmstp.exe
5608	chrmstp.exe
5760	chrmstp.exe
5828	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b6a22e7b99ad3704.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{CF62F5D9-6052-41C2-9FF7-4E6A3DAC056D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_109015\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c96ebe2ef0ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002882d12ef0ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000891fb02ef0ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000071fcf2ef0ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d6e9f2ef0ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2476	chrome.exe
2476	chrome.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
5308	chrome.exe
5308	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3876	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
Token: SeTakeOwnershipPrivilege	2520	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
Token: SeAuditPrivilege	1364	fxssvc.exe
Token: SeRestorePrivilege	3992	TieringEngineService.exe
Token: SeManageVolumePrivilege	3992	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4512	AgentService.exe
Token: SeBackupPrivilege	4220	vssvc.exe
Token: SeRestorePrivilege	4220	vssvc.exe
Token: SeAuditPrivilege	4220	vssvc.exe
Token: SeBackupPrivilege	3044	wbengine.exe
Token: SeRestorePrivilege	3044	wbengine.exe
Token: SeSecurityPrivilege	3044	wbengine.exe
Token: 33	4864	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4864	SearchIndexer.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeCreatePagefilePrivilege	2476	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
5760	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 2520	3876	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe	81
PID 3876 wrote to memory of 2520	3876	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe	81
PID 3876 wrote to memory of 2476	3876	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe	82
PID 3876 wrote to memory of 2476	3876	2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe	82
PID 2476 wrote to memory of 3804	2476	chrome.exe	83
PID 2476 wrote to memory of 3804	2476	chrome.exe	83
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 948	2476	chrome.exe	111
PID 2476 wrote to memory of 4068	2476	chrome.exe	112
PID 2476 wrote to memory of 4068	2476	chrome.exe	112
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113
PID 2476 wrote to memory of 2936	2476	chrome.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-05_35c7960e47fc63bdb17014366337a8be_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7fff6e78ab58,0x7fff6e78ab68,0x7fff6e78ab78
    3⤵
    PID:3804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,14796425573306024338,6010807954286243725,131072 /prefetch:2
    3⤵
    PID:948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,14796425573306024338,6010807954286243725,131072 /prefetch:8
    3⤵
    PID:4068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1912,i,14796425573306024338,6010807954286243725,131072 /prefetch:8
    3⤵
    PID:2936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1912,i,14796425573306024338,6010807954286243725,131072 /prefetch:1
    3⤵
    PID:2380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1912,i,14796425573306024338,6010807954286243725,131072 /prefetch:1
    3⤵
    PID:1816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4284 --field-trial-handle=1912,i,14796425573306024338,6010807954286243725,131072 /prefetch:1
    3⤵
    PID:2404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1912,i,14796425573306024338,6010807954286243725,131072 /prefetch:8
    3⤵
    PID:5388
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5416
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5608
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5760
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 --field-trial-handle=1912,i,14796425573306024338,6010807954286243725,131072 /prefetch:8
    3⤵
    PID:5472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1912,i,14796425573306024338,6010807954286243725,131072 /prefetch:8
    3⤵
    PID:5636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2404 --field-trial-handle=1912,i,14796425573306024338,6010807954286243725,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2464

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2956

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4384

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4148

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2772

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4120

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3792

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:536

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1152

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:984

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3356

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:792

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4864
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:784
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
abdfb0abc16e884ec62e94b7b8602b30

SHA1
c59c94a451e27c04d5e272b498c92c402ca68f01

SHA256
a739b4e7ebfbbe1e5ac715f0b1d96630f7b69a1f51e1ce5c5f25c20587c2a149

SHA512
073a4d3f74d663aa18581832b7e359002ac8cbe75bb3330aa06bd3e7536fa87e3747e45e03bb6d39533a0e48c38973a72457cc8bad4432563557782c7e5e6e59

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d04359cf72d42f6814addc58218c07fe

SHA1
a8e840ea9ee1ab65fde87d7efc701c80d7421eac

SHA256
e0759ac5de8c47f05a0c2a766886af01400f81d85299bdbfd5fd678b582a5041

SHA512
c0ad0ade9f78a3a97e510cc94093771e5f0d275d90bdb17e2f47f71d09c716950ad66656d26916e0a3afa7eb33cca5516b3ff3a300b65379e4ec386c5e2beb27

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
445ecf9f52ea7b2a75c741544ebb1858

SHA1
56afc90fce9b32b1062e13c347ed39f6e1d9d0cb

SHA256
4b8c5263fd8d26d2e8f75618d1ff79f7f8e0bab51ed5c2fd40c38b7419d79e07

SHA512
bffcdf7043c917191ea23c35105c12cf8e2d874534322c93a422661234e6ef1649e4df4889c5e3bdfc719cab610a7e13eaa174864fa3157eefe43adaff8fd22b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7b39265f1b1f676dc3cf08a89c1d4d7e

SHA1
2fb083ffd1d2367eddb07bec296ed4f1c2ce8777

SHA256
37b1c72ee46162bd468b77f76dfacff62e39a9511acb4654dc3ba31877b773e0

SHA512
0f6622f8130b7f45ec9afbc8dd254d484695d53d3b187d1a977b3b486fe6cb7efce7fa88bc6937016d86aa1fcb48f0e675b3213c182d721065ef063f64b6b1db

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fa2c92ee28946523e2446ab560ba8bc1

SHA1
f76788c9b0cddf82d6b7388502c7520896564142

SHA256
6cb4f29ffab1cc324d3ca2fda7ffa3ed7ca545543c72752c6e6b7e47deec81ff

SHA512
1feb2fed7cda94395d3ac962692aef68f00dcfe510306a3ab37301c2aedb6615dc667994ea8cb76b5f986b178b4bafd8b5d349be703289dad2c930e733c1b7e0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
359629c609f2ae785554ebfb7952f8e2

SHA1
32ac5d6c60f589dd9b7d17333b32276ddd19bfb3

SHA256
79c4cf658b35f95341732a95c2c7ca2ef454349d8a86611be6ee4d2acfc56751

SHA512
eb822a5f1be133468b2bf11c17f16f27f41bf89d60b2018b4daecfb926343609ad95b96158f41e83882dfb714b7fbb73d782e59adf637a5530cfb2acb27c05d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
a137eac90fd416227c38138976e1801c

SHA1
e77234419298f5b3ab21d474b90091c110d22aea

SHA256
26cf1f257dabd90568110c4e26c5c35d9fca3e811aa30162a91a9cfb38cfcad3

SHA512
f507856a9a68b4da38cc503aef7ba9a993d459291f10bebbc82adadd1577fe944fddadc480420bbe996c4de3bfc33f9486aa4d08358f973f41e38db9e9d46c8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d1eec41b816d074150b02bac1713c8c0

SHA1
f4912eab74d73f694a1a516d88094537973421e5

SHA256
1e7cd9cbe48909c809ee73bfc0b3ade8037e2b9c5f427be54ce757dded8d2fe6

SHA512
7531f4afa4e0c1829941a93abfca878d38a498accfff5b8df6edad9c042ca1c79870fb49a67cd4f06e438a77dd172cefb47a0d21639b7fbbacb321f13d970549

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9daebc68cc95d41238d53bd69e3bf05c

SHA1
918563691fe378e058fc0a55905e35657a026d26

SHA256
93e769759d0b76f70dcd26ce9ec33a4c174fd74721010226023cf2b33397a872

SHA512
f528ead53904da52f821a761fde224cfaf98afc5880c51f7977185c71ce144311167d1357391dcf15d6dc6217c083db14eb158c18b8065d7b7f56b6d28b04f7e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
60496ede05cc3a6a5e048450198f2d73

SHA1
09b5dc9722287b292ba7ce6cf1599e1c75d8d135

SHA256
07309d45d15a03e6568ad60d9beac57bec781ba15d1b3c24384c41bf212f91b8

SHA512
33f6ff6b8c865e5026d87b43410aaf84e81292d006e14d6df72430cea044120b6e181136aed2ddd9609fe454be9bbdd518196bab6fd16e1dee75ced2fd8a05ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
156167b78d23fec4d6f1b5559d5ca3af

SHA1
9f84d331ca3209ab8c6f367d09cc34d13b32b882

SHA256
f1371a8cfba5c77461858e9f6cbddf57b8eb6b308ac728a580e424702f5d236d

SHA512
34d085014cd8a3377bb285af630ebcc90847cb76893818b5543264d29d943e989999d7381905b8710dcf9b77e34c4b653268415e228f7178a59b3fcfc755004b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1455df0221b9f3e802f26620caea8fe8

SHA1
d91b73c1097802aa21fceb8450e9fec9409e9e8a

SHA256
cb216f3781d943a311d04dc67cc7f2d5449ccbe8cfd96a31dd8e0efe61c92b49

SHA512
f3cdd717becfe67e2167af25171ecc86fd36dd1ba248d16c4bde2f2bdbdf5c0864bd9f8af2370d9a30bcd3e86bdc4701c8990776a8934cf35649852d7cd80e7f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d055df7ce91348f0a662a64caeec5d11

SHA1
3db3cb553a499a49ef107081719f5b7b93bda8d0

SHA256
682cbc9f4fcd60190b14ac81a6634764822c6b66f7c82b936e4c37d2e3c42eec

SHA512
69defae5b3754a8bfb142adda15f02052f480fa2f8e3b27423aaa17e3c2efe10c6802f1a2aac912e7b6f5753d3210abb024d397bb1505aa5de913695f414157d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
bbf7d24c0531245d12c67490de92718b

SHA1
eb625af301d295030800130e3b4ae26f6ad306c9

SHA256
74809e43b3c3faa27c6b98903d6052363d56b972fc1d5cb78633c2cd74c3e87a

SHA512
5ea64c5f9751cbca2ceb0447334d4965f0cc7bcbfd3c9b11d775d1cf80fcf06a74b6679566d0549a2547bd0f78449f21bb4d5d6c96e331410fe796c9dfd112ac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ac09e8deb385be1a12feba04001ec83b

SHA1
4b9056ac078d1daef697f08ebd98f8dcf04b1bd2

SHA256
ecb615006036b8b4a5e7187fe72f42428d78c43226690caafe597d054afe4441

SHA512
544a703fb1e14e6bb3bb0739cce2b203cc24eed67b854c55aef7d798162c0067b32ebf3e26c13e9cf40ad6abeb80ae0b70635d3b4fea2e28368326f80cb5300a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d9866bb2902ed05d0b57737c97414a21

SHA1
dfef5652da42e9f0445fdec16aa726045a724b3c

SHA256
2e83ba51aa90397c487acb22a8ed7dd0bdabbe4f85db700a229826f54906f235

SHA512
55f3fb9d6317abbafc565963cc1855ca1ae6a93f0d968a6bebfd4c22f23ee8cd1164cbdd740a2a480df2375def47317f34aec1a45ea72c5727e92ea64464d21a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
16a1fd4d116c7a02f79c39c36d97584b

SHA1
f5dbdeb394fc5c89039aed4bbdde544e90adfd28

SHA256
48af3e2d90d01bac599ee94a3f28c83229f087d933536a7892a99b75f9ec221d

SHA512
c462d915602889d3b2cd0d175424c800d5800320a68ec55cd35a5ddf4101bac4eebee08ebe95b774345c11587db32c889a948ac5c968e12905e55e8ea15d16f6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2cccb4d0161225de46416c72a48948fb

SHA1
ade05497313a4aba79a1f03c3ff1208ed72e405d

SHA256
e6233bad594841e62d7e9c23ef68eb48f87ddfc096ed14abd8101a68f71af1c3

SHA512
773c416895d9d273edd94e7b547214b7a7eaf7133c163d8301acd46a64695e5974125edd2e716eb8fe23511c1df300cdd185284f16ae63e3561e93ce81b847f8

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\525b7d31-e536-44f3-8fae-ae28295e0883.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d5eeb50a6d4b571d13c234236df24c93

SHA1
72e3624a195642f408261240a8e9b33b719aa4ff

SHA256
1bb645d8e26158e26cbe09469a46c4924b1a0ae0bc8953642012ebf2bd2d1aba

SHA512
73919a8984d606f7b3064541486c0bd2b1adcb85eae650e696320a84fb10cff13b2a9cde9a8df5de756584987acf259714da5e6eda30eb8f777ff31bd9f1e93c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
68a62419cf1109e9911f4c8e020a2b22

SHA1
e60edba344da2e72bd5fb0480c31db1ba56cfbe7

SHA256
17964c0691e61abd2e4d067445aa250a8ab3b29688afd21ffb205bd0f53fb436

SHA512
a0ea2d6fcd848c5429b6b1bb56b09ceaef197dcb8150de2c09377fa5739a87bdf1b92c66d2e5d6f72defffbc69c3c427e981d7b1ec60ad39f77005505648b1b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1030d0994c68044a5086bbd3f66d4b78

SHA1
aa71a5d7d0a72a86db91a185af0e7e148982d610

SHA256
9babedc60618dac0c649e687630a0a48f603932817a2282d8bd2dae6cd06bf98

SHA512
ed7a5fc22db88ce1c1be3c9d0c54e2da24c42f7b86ffdcb0174cadd0ade82d4084b91258420fc571bc0203e0595494cb9f61c339348103b9b92065d5ecc85772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
98215dcd768e215499f13291c75d966b

SHA1
5d589850d92ffe019b4cfe0d031cd8094de256e7

SHA256
345f04a93882e1a48193dc239c7926c03ec697ec1a98fabbf377ce3f2c44bfbb

SHA512
80045c64c4923428b1c4ab58a6cd5d76edbdd5d877c6e034131412ec993ca50e86b0e9ed7cf56437ae2d1b693d547b9902ccb856b78f295a06aa549e05d36b31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
12407b7f8c2f4f46b9233a12b712a0bb

SHA1
767ac2c11b136fb018f1088febad6e8764954ad9

SHA256
24609bbb6de27a0741b91785a0fb4fa8688226d2298580de5e13d738086a1017

SHA512
05fa8679ad60824d730ea45d8784e98ebc9dd1516f7b4d18fe8b1af92d14d9b90438df8717b2c706ea008d220a3da7531655eedaac29643cbf7774aa514020ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ad67f4c17d63187c2cf94bd6088db6a6

SHA1
138398188ecd40886f786160ce927a878c270a54

SHA256
52d0486a0258e03ecbd1fc53ee545d14e7703a21e95b1ce27d62115a3db1572e

SHA512
614b04bbf286b60d65d56433524936fea8d43dd50e33f7322e27d1d548f28c5f32075ca7124e560cd2a14df27c9d11db1b988b29042c5405ee8be7b5d48e6106

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57e80e.TMP

Filesize
2KB

MD5
e824ddb15c9337566baedabb5b11526c

SHA1
06353e2dbe2effb2d394360ea45ec1a1fb724568

SHA256
67e8c51f8766a540099fb8ad7c6927b18328d115b71868b3df00088043d905ed

SHA512
099d13b858b56d99c7d6b190d9eb2e3df77bb43f41a729546b4d1489e29e5b9b8c24cfb82320c8b49e2a8ea4fd83a1b420a5abf0f6ebff69176c7786684589a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
471f82f98db797f68f04ea525f90cfd2

SHA1
80aefdbae7c3e9a95e3daaab64b468b1792ea281

SHA256
ddfd26224fb13cc9674b0c8ab7fc712bac641f455792fa15f2fde5b9724b3ae2

SHA512
255965e871341b296171e5b044809b0d600c01eef2ef83443e50c9ce89a87264a3aec9a2901de7512b9a895ab6d98ab522d227114ca8ae973a8b4e67d5302c6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
99a46d54f5a6a8f03314ee134888e93e

SHA1
c68d1a50b5c25d21ccada98d431b4c60599e99e4

SHA256
f30626fd3f0ab22560e8e38728986cc71383be137386069174c634fa1f1d76dc

SHA512
2468cd664e20a8d1fa293e0d19357ab55c26ec605d7248a26f28dfdfb348d7981f8060a87abe91484df831bb31aa8760cd13195005e7eaff8a7ea2f9fc20c648

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
302c481c2e91d4210766feacce49c27b

SHA1
1078c655e793bff210e7047e5b30d570a533c1fe

SHA256
c5756bc5e9220af8843add49c763502874500b2e2267e13c93eb4933a7170bf9

SHA512
140084b1d226a191cbf371cb8b2dd05f4b89c146932f452f5f07e535d3212b94f5b8f42f4278365961aff79962c0a8f8f098e24cecaf0188d35fd08dda11aede

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
cb8c998faca0779026c74cea0af9550a

SHA1
ed78c21306faf0ceda97a4e3e4b2f6809c6cd0f0

SHA256
5546168edce0781210074b5e0aaff03eef382c54922f7d979fb435c02aa1557d

SHA512
fc29babca34ac7ee2cac7552b2cb2ad5a9250cb124dfca11359d9ce1b157d7884fd49ceab7d833f249a3effd0064a430dfb8172e6ebf93c00a49341b80ea3076

Download Submit
C:\Users\Admin\AppData\Roaming\b6a22e7b99ad3704.bin

Filesize
12KB

MD5
526c2c426dda8cf0fc5b6f79a4c620b4

SHA1
282c3f0b81aee39cbcfe7dfdf7a00d94cb9df6fe

SHA256
495616d6460ab5606e6096e5cc4929852374a37b9b4504ff4994a5c9c50ecfdd

SHA512
552e210a7f565346753d621969d42299a8dbaff052bb6e9d8916e657d1d16eb54750d5e179a99fab7cda0e1e1c4bdea48842074dee332e7c41a6fcb977b1d25d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
575dc63a408785993ed557337e62f319

SHA1
bf855af32cbe05e8d20baaae5fdd7b1dc09cb2da

SHA256
88324e6301aa8e7c5b78a7acbbe669bbc7c72d518339faedd137bc735f895fb9

SHA512
be205cea61b86e191bb6204dd1753f5234a5f7259c96ff8d92ef55fe9b1a4ec5cce68e7a9ee1f61af63ca1ba63e877570af9194faaaef7a68b39b90a4fdb1c39

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fa435cccaa8fad9314f003ed80183a1f

SHA1
97de2cd9b2e364043f1b491d4bdbf10230c4e9f1

SHA256
0126bde5f5dc5020872d65200c3726279c622d2826908fbb9e13d92394a3beff

SHA512
4024b24b35ce877c7887ac3cea47c8223e4e9ec6d0b9e7f72f8780d7b75e3f1b90839cfeb65894d3474a855bf09a5668fc39d589a46ee6a06831c31807cfeae0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
807321d477bc1c571a17c3998efb28ad

SHA1
09c01f4d62f5086f00f3600d09216e0fcac38fe7

SHA256
630b0cdb612247db1770ed3a94e85ffd7cb9da475189b8514831e12c0d871426

SHA512
cff13497b62e22b91cff666b0fb8fe84eb7ec764c93d61fe11a986ade67e4cc0ee02079df2d76e5466658d4713dc163a221a2a6c0a9c0dabe6d2285dacd38a67

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
25d0725484a024f9efceb27efbd1fe0d

SHA1
fc7dabc1d6722665710264e9013c395b73c23367

SHA256
2bd625a9735cd7a3c96af42fba4929314d4ea9c42d74fbd5c41fa2fb302633af

SHA512
c0083ed156123cc5b8afd167c2d34fc11d75b7dc9a194df5f7469d06d8b5a9553fc4b5564c114c9c0ce6f9461b9dbaacd25b91fcbbe53e481599f71b471642ca

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
719fd04e2c9f12de80ea819a4f156e24

SHA1
753825c569a548f097758fe8e80fcc54763a742a

SHA256
93ceb8682268d9bae30f5ced9548941bda9f333f7d4069ff54ac515e53cca2f5

SHA512
d571b4799149aa38f4a81233c3437092427025b8f650b6eeafc89afc399f301fc126c96e7b168577671658295bfc26ba3a25fb343260731ba19db37f4bdab6d6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
820fa93d6245524b8b21e711c6dcfa80

SHA1
2f5975d67a8836be849f0e42a65bb2b80a308222

SHA256
d3565c911461b89bba8b323198f3d1df694ba205f139a2bb278a51ff82acecd2

SHA512
c2f7462652870c9bbdf0e5ddffd0243b36c3d58d11a3162d96074cb430161d52c682d909a5319cfb5dd1aea8631d92dc1cbbb2e537609a44cf697c0e0ded71f9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
e08a79d2a80aaa499f2bf07d386beeea

SHA1
26aaec4bc657fce329c49bbf60c506af9ecd7260

SHA256
f5769492218ebe4f2c54fbb4fa8d687208f70759b174f853dc126c4620d9d89d

SHA512
47b781b735b423486b48a84ee56e03daeb55cca4644c13c2581aeec42eaac4f3e8d912faf57d9fef8cc656511afafcdf500af21601da492471e1edd8ab5b56ff

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b50ad138ac0ee9fae027e103fabfcef9

SHA1
2731595278aec01032e85cd9832a27e685a427ee

SHA256
1d2945dc73ac921b86d5f63255e69337e1abc2b612566f79f156c738291d6466

SHA512
d3a6d6aa93688b28002aaff8424e0852e74115250ee57d556cfda6f4eedb7d2791250bcfe0077df1f5469da09c55d9ad44ed274ab3970b971ab063b98eb4476c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ebfe5d7f76014ba6f78600b6ce4d27c0

SHA1
935c32f060f15588cc59afa6aac7ef5954e3df60

SHA256
1d5bcc4af6a3795018449d41345b68352de874331675a280358bb278f0704216

SHA512
40951b870a336921b14b26eaa05b8a2e678d2f6cff2a852715a4b2485032b1a0561051a4f3265b073fb07ebf2d3bd5a6e1aa3d1c1dc8c4542d84947dc7791267

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ed4bceae3fe4e07bf3d2cee8e4dd71fb

SHA1
f538ec76c7ac17b6735f0dfab19d91c7468608ce

SHA256
f4adb20f78764a32705762fca1fa9601de6aa1185833a7a7c532c064a03c098b

SHA512
b91357f18a69c50fb6378f06fda9206ed2130efa9079fc9daace04921b8dfc5bda94fb0ef141ea2e836042ceed371d86d4b04a26fdecc88a295976ca4f4901ae

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
36aeb2ea40f5f4a10a32f619fbf8451f

SHA1
3fe55325382c28556f40cae2756729bca152107c

SHA256
3330b38667959947d9c377d311813e3f3ab0edceb8c8e3a0625c3d74ffa1b7a0

SHA512
10d78a77683409e76e380151c6dec4769200ce049190bbaa634c48c9744dcf32d0c3b46b9800e9749efb0b8e166235ff03b37cd32a0ce9dba901f5523527d686

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c04eef1dfa12fd7618f6fee6574fae04

SHA1
f758a732e0885b409fd2a6ca4a5052cffa877f94

SHA256
4fa1e79fe765698535015cdd4aa1e920a0e38de26442434fa57d62732c810ea5

SHA512
a352f1bd856e5a6303090f374388fc33ef0146d80ebf1a58a349ea50d2ef06582e27f16208e4633f2fa58bab49c97cb27d007bea529d2999f273fb5a6dc9be31

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
2b9669edde0c465484c3574b8830602a

SHA1
289099b61cdd76a5bb48cb996adef7de181e6e47

SHA256
78beb79c68ce9a7decfbf3452cce52b26a19d77e20ebbcf6f1b1abb022208a94

SHA512
be6808f2d50108d8b051e58bfa9f2dd403545b39d764fe8caa294c2551831fdc63a2d78f82be552b231e2f6b021a2cec600393c3fa1cf473d298e9e41ff93b11

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3cd250ffd0ed1d612440670f9012e1de

SHA1
473a386539130cd3e2e7db2695201acbfbcee738

SHA256
515fec6511adc55a0e8e36b322d8fbb017993da21f7c4f62831b11093d08e99a

SHA512
25460d90206d7c2061d307d2ba09ebd7b2048c61b16f627198f8f4382f4ea491f67089d5431adde44874c9b0046f7a5b558ad1d332307469c603f2055916aa6a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c8eb9eadec08985206cac2b7fad2d8e6

SHA1
c09eab54d00449deea657fba4c392bb26fff087e

SHA256
08ad4bcbc9a1913b75a8dd7f56bc4fd67a97e6a0a1790035c7b44d5bb9f93f40

SHA512
73cad28655e67129c6db4659627ac9f65fe2aa1350d63fb793cc17619aa2703fea6df75dbc296b26b11f584dc3e3f40bccd5f4c28bcdb1200d009162fb3f8bb9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a1d7c623e5655038f470ee5f71e8d9ba

SHA1
31264cc12d47e75699b875482e7dc94230a447cc

SHA256
7553bd2ed185be0083c021cc69d761b5f10fc55252e3fb6add4cdb8045cf638c

SHA512
419b36850301aee56cf5282dc02ea83956a6408585d9dff3616c0b6b992843fd57a41694a10e9ed7d65e7bbe2bdf9e79e32ed8a6daf0c148f72b37d0b1b78ebd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
48b7ffb2b0c28da01efd890c3e9ba00d

SHA1
be9c8dc5253b3294db9a98c8e5e4514965d79a8c

SHA256
2fd2ea8924222fb6c641e17f40a2f09f341acf4cb7d04cf0c82811e35540a480

SHA512
900e437d8ca31cbd4c275e4cd9d7298c2e7c19312d22453be58d5a4c9690ce115100eb73c29f6243bf88dab25b52028d2cec52742a508c6533c68ef90f2f4390

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
018f15f0bcb79656520a9c4215d8cda4

SHA1
b2ab2cf1be9c714f309195b40be7567bb9bc0921

SHA256
58984cc7daf7b859878c3888e1025fbe246448053c4d9a6a2f35f8dc50f6ba42

SHA512
6b7ca3840a39854f19c04618bb5da3dde1b0da14e468c4522ed80bad58b05bcb4b59b0cf25f009b7fe1eef5fcf2b17dd0b242bcc03f8ffaf8e08e4f4f9bd8c28

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0481187f7a375d872ace4bfc191c5d65

SHA1
5e2da853f4ac21660f995b5e123d284cc9b7414b

SHA256
48c57a586f0052d5822f5d3e2e129eac52b1141f516cdab9ccd809c7c6476c10

SHA512
0b3729bc4de7683b0ced8108e1dea8b3a0df8f1977f09ae9ac18e965520b678250bf23e0feab8948241586e67249b9a093cff3bed322acf02f039111bafaeac7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
440671ea760906cedb8ed9afe09b945f

SHA1
a33215358de4f220a355e8da78ce62cdb6e8184b

SHA256
3a27c1d713d9c49a5afdb4c6c97f72f0dac9bd9f4b7a4491ff731cec58c8323c

SHA512
6b1f8f3e3ae4d3b4a268f6bfde31b3044571b9eefe03042f4b0a257fc494b888846756a14f058286e8c986756d536147479e551edadfff3c332cc65b1f91d47e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
44f8fea05ffa22d5cf227b1241c32de9

SHA1
c8df13dd9b067e8c1f397b2d3511066a1fb6b80c

SHA256
ecf9dcad127e61e0a4b177b691221f3379677a11fc549a14d5e8642f125ef39b

SHA512
8d22121e94393f1708381ed7f06202ef565b1736ef04abc73ff0b36759fd89d0b72dbbdf464f8469adc4ce57e088b5df88abdb5843ad71bb697fd3b5b676aea6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
c8d65e8372f27aff42700098ac149cb5

SHA1
5d2ee04167e7d1c45458299dada0f7381af34a4d

SHA256
eee0e106f18afc0dc1997044643bd16d55a4815385a796aa414cda3d8135b896

SHA512
125aaa0947f73896a54e293ede1f36be94b1ff7a752a2a862bca312305e64de1eda86109205819fa2fdcde8d03161db0b4bd50f4a90324fcfb7f8164bf963c4f

Download Submit
memory/536-357-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/984-363-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1152-567-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1152-359-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1364-72-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1364-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1364-59-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1364-53-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1888-741-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1888-376-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2464-36-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2464-35-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2464-739-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2464-37-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2464-29-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2480-370-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2520-656-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2520-21-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2520-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2520-18-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2772-349-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2860-366-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3044-375-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3356-364-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3792-356-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3864-63-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3864-348-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3864-69-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3864-475-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3876-0-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/3876-26-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3876-9-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/3876-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3992-368-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4120-355-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4148-86-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4148-98-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4220-373-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4384-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4384-740-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4384-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4384-347-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4512-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4524-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4524-49-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4524-346-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4624-358-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4864-377-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4864-742-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5416-637-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5416-527-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5608-537-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5608-743-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5760-626-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5760-562-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5828-744-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5828-563-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download