5abf0d1f14c0460ea6ec32cdba1a2161a6361677261ffcbb7b23d9f803b8fa9d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 19:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
Size

5.5MB
MD5

dd00405fe5642cf6816075401be168f6
SHA1

e3152b215f3e7f8140294fd067eac6a68d0da1d3
SHA256

5abf0d1f14c0460ea6ec32cdba1a2161a6361677261ffcbb7b23d9f803b8fa9d
SHA512

d0b4b99e13c4b7e797e84d86cc892728991b564d08e435d600242dacdf4d2930cfa701b28f3994de0972bd313469c2364791a756a7007abe8977eca113b39f0a
SSDEEP

98304:lAI5pAdVJn9tbnR1VgBVmqU7dG1yfpVBlH:lAsCh7XY/UoiPBx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
5104	alg.exe
1028	DiagnosticsHub.StandardCollector.Service.exe
2188	fxssvc.exe
3588	elevation_service.exe
1168	elevation_service.exe
4904	maintenanceservice.exe
3856	msdtc.exe
4576	OSE.EXE
4308	PerceptionSimulationService.exe
4940	perfhost.exe
3664	locator.exe
4712	SensorDataService.exe
64	snmptrap.exe
1848	spectrum.exe
1368	ssh-agent.exe
3736	TieringEngineService.exe
4172	AgentService.exe
4472	vds.exe
1668	vssvc.exe
740	wbengine.exe
2168	WmiApSrv.exe
4532	SearchIndexer.exe
1424	chrmstp.exe
5228	chrmstp.exe
4212	chrmstp.exe
5484	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\13083ae4a33ac798.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_112765\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b82dfeaf10cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dc939b010cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068ccfbaf10cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8f47bb610cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002856e6af10cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e705eaf10cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3200	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
3788	chrome.exe
3788	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2980	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
Token: SeAuditPrivilege	2188	fxssvc.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeRestorePrivilege	3736	TieringEngineService.exe
Token: SeManageVolumePrivilege	3736	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4172	AgentService.exe
Token: SeBackupPrivilege	1668	vssvc.exe
Token: SeRestorePrivilege	1668	vssvc.exe
Token: SeAuditPrivilege	1668	vssvc.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeBackupPrivilege	740	wbengine.exe
Token: SeRestorePrivilege	740	wbengine.exe
Token: SeSecurityPrivilege	740	wbengine.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: 33	4532	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4212	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3200	2980	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe	82
PID 2980 wrote to memory of 3200	2980	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe	82
PID 2980 wrote to memory of 4764	2980	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe	84
PID 2980 wrote to memory of 4764	2980	2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe	84
PID 4764 wrote to memory of 1228	4764	chrome.exe	85
PID 4764 wrote to memory of 1228	4764	chrome.exe	85
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 1536	4764	chrome.exe	100
PID 4764 wrote to memory of 4200	4764	chrome.exe	101
PID 4764 wrote to memory of 4200	4764	chrome.exe	101
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102
PID 4764 wrote to memory of 4392	4764	chrome.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-05_dd00405fe5642cf6816075401be168f6_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95532ab58,0x7ff95532ab68,0x7ff95532ab78
    3⤵
    PID:1228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1908,i,15437837910788176704,5907023419121389717,131072 /prefetch:2
    3⤵
    PID:1536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,15437837910788176704,5907023419121389717,131072 /prefetch:8
    3⤵
    PID:4200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,15437837910788176704,5907023419121389717,131072 /prefetch:8
    3⤵
    PID:4392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1908,i,15437837910788176704,5907023419121389717,131072 /prefetch:1
    3⤵
    PID:2420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1908,i,15437837910788176704,5907023419121389717,131072 /prefetch:1
    3⤵
    PID:4272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4052 --field-trial-handle=1908,i,15437837910788176704,5907023419121389717,131072 /prefetch:1
    3⤵
    PID:3588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1908,i,15437837910788176704,5907023419121389717,131072 /prefetch:8
    3⤵
    PID:6016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1908,i,15437837910788176704,5907023419121389717,131072 /prefetch:8
    3⤵
    PID:6060
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:1424
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5228
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:4212
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x26c,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1908,i,15437837910788176704,5907023419121389717,131072 /prefetch:8
    3⤵
    PID:5272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1908,i,15437837910788176704,5907023419121389717,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3788

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5104

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2572

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1168

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3856

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4712

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:64

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1848

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:744

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4532
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5740
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
170a96b85f34f5111d423b2d1b18ba23

SHA1
8baa3a438480610e90f01a4a5d77b443212571f4

SHA256
3a1bc337ccc60494357181057c60b86b06c19075273f57f887911122f8275ad0

SHA512
feab60e55f5750c1ade6cbae237c0a301df6f6260caafe00d899335fd5683a7ddc95219e57da83f894a395624eaa9ad393eed3052e89b7f370086a563ef2d072

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
779416de960bab8007f920bc7025540f

SHA1
b5a25f5ef714b6bf785da384f3987bba9f3213b0

SHA256
8f178b7e8ad9568a4a21216ff5aa4639a9de9a2cb459357ee404d487fababbc4

SHA512
944eb50ef0a8dbbb3faf8821245b12190a6cd2095d8102ace1c3d0fe2c6e18c97b695582a1ae51624187960172c7f076dd21169423f0ac1b16aff6ce569726b2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
ae4f209f120fcca37975731142c17de8

SHA1
b1a182ed8259532479c5ff284a65c2a17580fe95

SHA256
fc49559c9c280846f237c02d2ea492c76af6df1d3034cd5b8b447a0ebd986f96

SHA512
ba6bca1b018d058dfbb5db7edb5c0440f221edaefd7839413806aa2afff31ebaab7b7f3504d5d6c1a55d604680c3cec799522b20a54b1de4608e1ab516c3bd1a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fa85cbdd5c6c88f8f38be5bd80e1009c

SHA1
dfe1dc927039dfeb3b1db4c70774bf45d8aa998d

SHA256
07e9e5b3f7b8255cbd6da7129618aca4c6157f569e91ca5750b511c88f4bc8e8

SHA512
500b4ffbea3c6268d0725695b9b7b0739ce495307424f1212a899e1b7022de0bf3619b793bbb6adbec9cf25b2ee47adc8f3a6f9bb53a1bd4312bcad4b4654776

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
596a0a42cb2ff2f863965fa8510b870d

SHA1
c8e3a85c7f47ad65a69ab7e54e65912f37b2145c

SHA256
58cf53abd512c5520be5b6eb38215c6a70959739861911073e22b38b51775821

SHA512
f96fcbf8834989c3937571f1f245c6893214884d100aaba5da0c3a83950a2c48032aa05a3f0e58fb8e835b51a1e9b1ce34f1f9c85f441a1b81147391a7dc7e0f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
c582b96da85dd2dc497329b2227e12f3

SHA1
e6a83246e5719945db69949b0b7daa4250235836

SHA256
f6efaf1d0e0617226a81ac836a0882b707d63d12ce4cfcf99fde04da343a6c20

SHA512
179c2cf033f1e4f1f8c78f5230b13a1afe920243e8b60dcab4432b880350a0a39a83ad6fe976ef224b3eb72d35ac699d3070aff99430ebf4d0121da32c62068f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
08b28f3b43295506fd35b5a7ccf51f7a

SHA1
640de0c68a9c17c28bd508d720f4c8b138ccff75

SHA256
7cde249a007ff2543a129c90cbf328b40299829075e263131c53364952e528f0

SHA512
258b7e42e642fffec9c5ea36125b1ebdce8c7c1b50497469ee2056f6489b34a0eb8523bb0f8e9e9634374a0b7a2a3be42690827f5218c1ac8e278438d37ea516

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
19d7d97f0c83ce4cb4d76da29f479358

SHA1
dc33004e7227348ad9656488b1a2fbc7e1d69eed

SHA256
c97be3c87a7726b3814b5cc7d5b15f85220a11c1597828fefcd0f320803c397c

SHA512
961bb6d0b4e64da636cd3788385eaf3a4b7d2d931fe2dae190121aa61d2d9b77ff8fa8bc80e0b2dc3d09ca2566c852f0c1424e2f511ebc6c222438831cfdc36d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
53a41aa40ad0e01b3594fe9fd83c1293

SHA1
fed56df4d6c15471f4d865ece861ce6167640fa6

SHA256
c348ec4bdab4131f2172cb41fab9b25c35277e07677a50396a352284b94d3f0f

SHA512
462f68d197408b4165fb1eef3c730d6d6703133c4c846216ee122d41a271856ad87e64d1a78d0838c27cce8247368c6db7ac25952bab66a21a1f20cc07e8a12a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
15e6883bbafe24b0737e8ec39adce56f

SHA1
98ceea3e15e17b5496d7a2fa021ddc4cb289ed93

SHA256
1b96357c2ae7324ba6e01d04cac220cce40e69bacac12f47cf46d00100ac1b2d

SHA512
f74c26a25963fe22560f233a167b0cba7270af7e1f9b1c431e0d204517aa9f4f8f6e9009f0b73115bd8841cf85f02fb4d81295a412389535319d96d2363761a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5550de50e081f0a31fe8868bb22fa653

SHA1
beffe64ba3533e16a31938f1711550bb0ea4a3ce

SHA256
fa58346071583ce71ab379c21a97224333a44ce4a715f0baf547da54da47fb88

SHA512
b5fa3b611fc72a5dbe6898df0636865a49aa452aac04aed1a9e73edc264623c7fbc3c680481e5fae03ce2b695afe51d7e4435c4e43d8064a6362e4116a7733ce

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c5358291bf3d0edb71ad5c1955449c55

SHA1
57cc7f9c95a8c97b4794af7449b36c950b87fc85

SHA256
372b62318217ee18da13af1560fc1406174fef8bc3865eb5f272bb12c25d97fc

SHA512
b24aa6f31e623fc45ee70966b274ef9aab08e5909a4100094a78287422406609d39e41859730479dfd8021ed5da862f6df2077eac8a4180f30d4c6d24bdefd17

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d51b799a1840aac0a015e4bf9d471f96

SHA1
0f3e0f8522e3dac21a00a2fbd9e2f3f849629886

SHA256
ea7e1d6f5de96ceaf7c2c1518f518c4d864296148b069da102ea7434bcb58d1a

SHA512
41a64a9e44f81f3011fb9284f74352cc54d53d43c9c32fa8726cf8ee2bdf5eeeb8401faea636daa2f96bab764cf8224d32b0c179fd1d24acb24d2ffba71a8c93

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
be9f67f907059819304b99f707dcd3bf

SHA1
a717791bf12c839814c5f2a72643f67fe95a3000

SHA256
350a6393ebaee1d93a66ac10753f5d69e2eb88fc269de38d1f056a1db4699349

SHA512
0b56cb1049b9c82a1ec2d73a8ddf1f0d3261ecf2d3a3336a07a4cffda4fff3f70976bfebfa315c0a2fd4708223a05b77fb071c78ecc92a0cfb701a78bfe15f25

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c9ee88f251750a8cdc1436b7c3f9471c

SHA1
1860ae84b3849635870d249650cbcfd9b5e932e5

SHA256
512441fca821cf9c1f0ce6f7bd19c65fa7737138e9c86cc0ea5305dac06ae1e1

SHA512
9ce0c4f134d6cf6de987072ab2d20bb98c3493811e1255e5939eb93817c419bb7cc516ef4ddc68d2452fcde73c9ae6c70562e633d183a3d1ce7cc35567b298e0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ff53e225fad9973e9c71c23188d965dd

SHA1
17311609923b1dec0c9dade0df88d3728bbbf89c

SHA256
04ab074f4e6baa0ee93707f509f0e59e1b1594ce21df9685457435b9082bcb6c

SHA512
bf24ab2b0b2a97fda1f3c538ddbdf459eb19d84159f71ac4d92b518dd41044752f2f4b7aeabf22874ac1407bede72f7e1046808733ad778e1c3a91ad1cc86555

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9a0a0069f12105d4f6c6cd9c76c8ee5e

SHA1
00ee813953cbb46e0dc3fa11f25456af2e3700a6

SHA256
430bee4fee3dd5201bb633469c9f1be3e9e942e701ec4bbb8e4db31069b6592b

SHA512
9aa72d9d59f58bdde78c5237a8f68ea1c65eb14f7022722dc84b4bde6afe93bc9b87ae1db497cb57523a53e936daa1ef911cbec7d14e6f36c2c367ce7abdf81f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e887c9014c2ee51935d6ffd5e5058428

SHA1
4823c7c3a70b370a39d7e80c3b200a7c8565be14

SHA256
0e85b01cf5554f804b305d049aad01cdf8724811694eafab5dba50fd68110c58

SHA512
50ad50c6e5cb70d1d7d74a169340f027cb96b107ce24b9472ef6cc696fa19d40c0fb24193c003779301f7ea41a87bb2eac3516687ce73962319f70dccf952952

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
344ab29a01726e4253cc80a2c0a99f47

SHA1
bd205017138146cb3d83a2226f8f6792e193e77f

SHA256
ee83f7d9dbeff0ad8e0dee6adca980edab25ecb236903821577cd4bba15f1fdc

SHA512
1d48556937c00c5b6dc489ada7287ff96db2f86c0861b031ef95a1b923f3ccdbe29d328e70d477004e60d0463859b7cddd16507a35f451b3de7eb18ce6ea7c97

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
65b2ad26b51192552a786232af85fc36

SHA1
ae17c790d687b6debf06ab424be7c4d64aa3a5b4

SHA256
38e5ff92eb8f8cb9b6ab377e34a570a0c596133d48257422227423c185b10d26

SHA512
5ec9d705b001429d89e2f4e69cbd4e8621e71f79506dbec1bdcea2f0fd1378df1308b5603861cdf3269097b6b5f56e3c761b790408c3bb87f77e9d402f44345f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
f6adca5acb7814b76e54543c45699fe8

SHA1
d8717f9199057e37e257dab7cb8b7ad0ac6c26a3

SHA256
6dd376bc17fa9e8b70bb1d6208915116c630dfdda9bf0ffffccd1fca8d1dada8

SHA512
6e74fbf09293b410ee746320d7d41a25ae936c7aa3ddd093638d13716a5011edeb9ae88e44b53041ffcf9ed26625ee156f1151507c0a27bf54dfd380815f0c97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5fbaf5d7e8be176c8afaaf213e32599a

SHA1
4d532c68b02f4fb1f0e6b4a86b00df3e4c79d84e

SHA256
57ae1529f91981bf65d6ee9ae8c1a21c1400e86a30e169a5083262e14f1d6c93

SHA512
8c8906ec32a48d2f1086cee192d6cc5d713ffae8515ea5c9a0ea73ef0751e2093a4f68f068d15f4bf7adffdb56e61aa3ef8a5d5d257bc534d8acd51fecf6fc9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
97a5ca01d7a277acea79e89174c1762a

SHA1
4890973652745a982269061775b3c2e03399184d

SHA256
27f8af9e2392c30934ed33efda905533f2d37a2ce33ea0cd22bff8df0e4a63de

SHA512
8b892b9e29362fe174f6a488eb2f0daee6a05757b5fe937d70acb0d9576d2a5eb5320ff48db858b96054f68931f2cf6129b8263c958ee0da06895541d7131eb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
81db5bde127a66d25b21aa15d3ed6804

SHA1
389ed6aa53ea8932d83adbf26fb25e106fe2693e

SHA256
4e71ff5de1d95a0539fae8c2da9a5acc15524cb518ee086e14ce6db60a03b229

SHA512
1baabcb1e5d00cea1c31b51a308cad151bd02f5225843387da55fb511dce74d4c2e0c3dad2d34f510ac0bd06c51bcd79a15e990633687051dae927537d2e8f54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d46b1bdc-913f-434f-90bf-b461a573ae42.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bbf57a5210fbdccee9f3576d836a0f5b

SHA1
c64314463988a824b869ebc93322fb97b26ec50e

SHA256
ad72ed88a678d5938b15b86f62305dc6d47fb5601f654140fbd5e777d349d175

SHA512
15a6bce462fc119fc4cd11c1738703e17a93d751147b8d3db34147db1d55e89eaa2b815e9da0bfa2244b626ce91f5dcf04efe0939f5d53f16f7f102513233551

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57bfd5.TMP

Filesize
2KB

MD5
4d3b86bde734dd4f78c7570405a9bf01

SHA1
fefdf70cb37b1caa044478c562bb462cdaf1239a

SHA256
a4020f53404ff5123245fe9aa42b6823608572ecd7ec60666a48cfb22c617dc4

SHA512
b9d08f86f9b303fa15ac9865e10d7c118412a696ffce6d7f2096f190f80464368306abacb2fc74f16d38370674f54894b1f87c5db03378ef1a43f5bbdf093d70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
78450346145c2264020185eb98c7e699

SHA1
3678fc5d71e0f3ab5d4382d451689de7c05b90b4

SHA256
fb6f867a97dacd5d90500c561161bd96f2003929841e550c948d19de60002ddc

SHA512
d62a60f6148d734f18d8b9f7320d9306b599d846839a37f53c84bbaf963b440a30a92876d3e40cbb136f0e5eb817a473716cdb12761262b0184149bc30e1c93d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
3c290e324cf11000a074fad323e158b7

SHA1
29ee85e0940d0118244ddad10cc12157498f6c0c

SHA256
e792828eaa89002eb4ea3d566d1d75af69d029636b55d0c8c1ec582301f138ab

SHA512
ed7b329128218110a59e957915e7937ccbeac2227a23db73977e96610322344efb6dffb22a3981c99d2f9f2a3df0b5c0d2e7265961e81395e4b23afc6da6561b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
5bfe5f36d001ed6047e30588c7ebaa1b

SHA1
8a4feb7922e720e054570ae4c35936b826567dce

SHA256
4e789db37f4d5f0227b5de047982cc15ff0da9b101d4d463c0e267645f2ff5e1

SHA512
a629ea68824ef16214074539cbe8ccce9ff761699a233b90fd8fb2746a6bb2306168c52ca62dfc33c44098a9f65ba8d0735ac1852be157cedf4998b7cc33c257

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
39216142533528db76da25b2eb50c65f

SHA1
dce913a87817d3ad803105b78949917675d4e113

SHA256
3f0f2620c92382ce1aa4c5f155f6febb8765b5d4ac13462a30756be184eb9671

SHA512
1ff385a3d57ec31c2b77e4bec78c4cf4dd8d70e30b66a1ac0a8e2be4dc6e71e939c0cdf498627adb48a78e6b1b5a5e07a01ac13c852e0759643f7b198a6e929e

Download Submit
C:\Users\Admin\AppData\Roaming\13083ae4a33ac798.bin

Filesize
12KB

MD5
2457087e186e6888c8bdf6139855b239

SHA1
83f51f7b9c14e8ef17b90bbce5f020add8a45d00

SHA256
d24c834bb8ead8deb95d226c46e2127a572b93b0a606397cacc8d8a10d191165

SHA512
2808d39a14c570cf70092e25b73b15d742e8333261fa4ab1727790d78c75f9f9ad6e1cc5a96822d06737dd8669cb4b99baefbe07ffd534545a23e1021c51dcda

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
877eb95a0a5c08d08af3e886abe6c1c8

SHA1
4eede1055779317f8b7c0a39846f92e336be4774

SHA256
9b445d7fbd6cdd255ff4750c98a2d77018f4d8964f39ca94275b70b2afd25854

SHA512
19d21febcf342c767f232a446c6ac749eee0bb3320c2bd14fb9f9b2c524d4134197cdc363927c66c151b8c5ab401fb064ab42d613dbead153c04af311a0e290b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
635b762c33ce05400ffde82189e179be

SHA1
c7aa787ce74a4bf78c778bce75420adc4fac5c12

SHA256
1568e3e881f79956e1f3ab33fb86e6fcae05c5b6b995586fbe0f2a187428bd77

SHA512
57e7594fc5fe6a7e3d67f5bc860977bb50a9b9cc63887313cef5b358e00aec436741bc3621785bea6146dc4fa9e7ab25e5be7e70fb98d4780e6dec7d3927a1a0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
10d3c2ce6716b47a3fa0c1932d79e437

SHA1
cf4faebc0df87a7ff3f1b3c432856e1de0c8629f

SHA256
a8bd4cdd1e2ec39d7952c8310a0d168040a6c0ea551827a3e2a7b43fba4604e9

SHA512
d4a07d3df1b384923b5a12ee4965f8da3f2ce83c4b010fd210b67a78b2d17f0a64df369d558c1da23f9c66086a9acc1c4601ac011e11e5bfb8ed221709f3a16e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0b16bce5c8a6dd8485a13bd7468b0984

SHA1
abe394b8bc1862549132443a72cf0895f7104825

SHA256
da873fdd6e6d40f8da0dabacff6dc0f3db141eaa7a7d1226e701af60f56b6f0e

SHA512
b9bed3104d92a9cdd9d4aa38b414c14c0cce2802bb6f9285b4488a21ee3e1dc7c8c8583912a632c03693119ff0d604a985e299767c40d4b45530b5cd28c03386

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
58f223c73a64ab4bca8fa1f696bb4c76

SHA1
763bba78b475a75fcaa60fb51283e97081a06e63

SHA256
72d979887322bab97c21329aca25deb913b63b22578ee8d8bae084bffec6d499

SHA512
e27cfc7885fe14ae424d5005179ba80c8a44093281712f8f133cb6546f774e23a4d5e923fc8638098ae2465f3c40da090a9175c640e19987f099e08aa99c4acb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
1c9f1dd6d0361e4fddcfa8758c571d91

SHA1
7a895d3f36b3e8e1a517bf9ca935e084b4695b04

SHA256
9f31ebe5a9a5df5977639933f710af5f234511e1c54b2ce630a7125399f60245

SHA512
837ef9cd82c9f4dc4f20cd38103a4a5957800c42b4e8e31590e724191219443c5761147e48285aeecfd38437f01c137b38dafb94f3cd86ab6f6ef9a7e884ea55

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
4f3d07524d33711b78bdbb56d1d8e53d

SHA1
2ff5cc7ed62e9e3d88bba99836f78d44842c2a40

SHA256
84a5e245bc34d095dd89eb7b35e28a919a2684e603c3f1103cbf27424731a967

SHA512
835ac90ed0f8d1eea9804abea8837bba379d5f31c00171d6f8c220379b90c5e1f8b5b274e4c16b20869522739bf6b97abee27607a577784b965cfc8c328f2c60

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
29bba4b324182ae3fc435167ed87c16b

SHA1
e511655eaac7e857742bbc73b015692cd742a367

SHA256
6712338e52aad1902d9eff6ce3c39077a96309f3da2733830f8a259e6db347c4

SHA512
67a9a0100da6cde47b6ce92ec669abf58e146427beffd3c2ff4e51c29b9161369537e2dc1aa8837801e99ccd548f396fa2196078005d183115848728e4e152b0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
826ffbf00ff1449a1281d915852f042f

SHA1
c7747cc06eadd465a0c6f1751f25a9860fde13c5

SHA256
84edb1c679b908cfaaddc1b9ee437ff7f665d58ee7b47829f1fa778ba0d2423c

SHA512
9765649de52d9f14f35e900087eef3075c14d54ed288d6b5881d7274bca1a3d4470fb9949b6a726ef5c4fffe8b58d6ffb51925b4ad7b47a5643d1c998cdc83ab

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
553be7317ecc08d79bf40101ed7af478

SHA1
320f86fb3a2f1e5f6be9c3450dc1ba9eee2b1248

SHA256
9406c66966516e2d4bdf889d4e260cd68a9514f8cc92537dc897b7566ba84018

SHA512
b6935ae1a3ec125c7654b9b81aa77cd6d9c7fcaf8199eaea03017299ab3a873a91fac607872939479b3357ebb71c4c8d675be89fddc661c33447cca49898adb7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
e67f4a30f78556bab3617637f9b9087c

SHA1
1049b0d6652392f736b8c0bb2526485e23b09670

SHA256
fd06b697f9a2734a4fe5ae99e0d9ac8afe3f4333b09825c22af2f07a864c5658

SHA512
9a48e9ad12077a4225c706ef6b9b527d4269f4db8fed92b68bd0f794e32cf3e744e172feda19297bdd4e5e118927a2f9fd7d43d24801e4fccb6476f7d57ee989

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b6ab918e2d1a514ef5931756b827381e

SHA1
6e18389d2ba1bc21b50df85c6615f7e665a50c41

SHA256
f069a7c6fe3da049d2632218d1a04f40035d8175f2a3bca48818eb02833af2dc

SHA512
c7f0ea3b45940d7ebba773676466de1425174602ad912db8f842ce14ccae88df87977ba1d630774f0b62f81feadc82609a9704fb4d8402a13230155755fcd98c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
06ef44461594ab137cc1599430a2737f

SHA1
3a0da048b17f5caae06383246be6f5f52f77474f

SHA256
44cb682899e4b495f2a62085059df8cee910fc23b2d6fe36bc8720c822114dd7

SHA512
ab7ba8fa7c17ef840ab8c8be4b09f2d6912fd6b3ea7f98955c3a372b936ce40e86976df5878c47309c189af5ad75ea521e8d58e530a8213147c15e44888a1e2c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
76dcb58a9adbd87636ae232c58d1e72f

SHA1
a0cdf5db84eff91d0f318e5a4eaa340ae0d98161

SHA256
0dfbffd3f9f4780f9c320d94cadb19a0546eeaed5c7d6e0c34c98c0e3b28b9d9

SHA512
166e7133a8d7f7c4eca4537862605cd33055bc4efe16b5824ad5ec1351081da0d7bd4c788fabcdd6d741cfe84190e2a86ce6904bf2f19d25473ff5653f020f1f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
0954521119b302e1679560d07976123c

SHA1
071abb1e9fb03dd958dbca8d59aef4f0e9c110d3

SHA256
98a6be9dd78c4da6e22789b353cd2ec5f80324d5e70c87619b4d903d6ad01941

SHA512
57aa937c90a3a65be42b2005399caf0cfe2d4aea7ba7d7517809dd3a78f5fb15d348709d67e3e80b8405aa3aadfc2ecb4e6b1a6c817585e916a1c7bb52fe2e76

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ce5927ec33fab3698576b04d30e2ab0a

SHA1
b2372d5cafbac9636f48cc63e39487f1000ef455

SHA256
e09e2a765197558c43f4105195d7170f3fe7e219782fff35cb7a583dd8c8430a

SHA512
edb0eaab55bac1767141190e86dfdb1c9ed8ea7938818861d50c46d69459983e0f0f3f23be39ebad5a556fe3fbf99931d670e2ba48acb0519601d0cac201a493

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
923268994c72b78a5f2c29543cf0392a

SHA1
81f688fb73c71fc7b42c6af1a486902279b665f5

SHA256
51d83b22bf85d655f9720843e4699d473ba60bd423e408b4d6231aeba6f32dd8

SHA512
1a41a747987587dc4302979c9b196b9156f2072e7f0e9fd9a0a73cfd6318939c1e6a283d5271b4eff9f91549fe83304ade016c7ebcd60a97ac11ae2207548b21

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a3a727712158b570bb4a276d8932272c

SHA1
e988fc389c839780a3fdb96be4f639fc072ec60b

SHA256
50031c7b4f27ab051e7547efd2ee31e2c9c1398a6950bb35f19c40df4199bbcc

SHA512
6d44b9d7c8fff26a1af5a481a447e10a7e399b1b0410634bc7927697b74e44852833450237ab0120f32707c2ba2db586c807a019a27fda18e0a792e943f89557

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
f0223400e73908f6aa5fdb284cbfab2d

SHA1
257536928c8821d6d1e0bcd686b6123695c746a7

SHA256
9a2b8e721e3d715735cf5c1df5a158d39745e2f8f1e59d3d48fd050433e23d38

SHA512
964cb9394c9ed7a26e1ef20c559c4a5152974fabb79c378ee9f441b841ff1ab5669bccb6888fb64d7de4d6f52677e068a663452ce7572ffe0a2d9fdadf237a5c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c421a8223c6d915fe14614d67c4b35f4

SHA1
811f6fa5e7bf32ae1537cdec18c8576958d7ea76

SHA256
93538237a01f22a7335de4eee4d4d85ff87c1965459e6cdc26a62540f565dffb

SHA512
56971d3991570ed95e6a43f256284b29098e02bcc18ee4734d9d31754d88148b3e30d6b7d31ad808d8a6f8a3a5e250a53a9ad4cc8d785fe0b31501d588c3490b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
39af9cfdbd3b25afbe4e5e326b35627e

SHA1
83830582e91baff2687912df2734d420506f8a25

SHA256
a1f9341383995de2118922b3438f3865c7993b8aea2a8210974fa4a602baf554

SHA512
3e04342c1b39db360cd683de756e3e425735e39bdbfd7cdb1228da3576c99247c997ca58942a6f934f72f6bb2238cd9dd6a34b3c84c7e1dd6d7e281ef9abf3a7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
a026b0bcefcfbabaa3b070f7bc3889f4

SHA1
a20619ce7fa28012890273664adba72e36d2d7aa

SHA256
4540f0ee91fd3014967fcc26ad1d3091929bdf04398d60189e75139f61df1a37

SHA512
7c5d42c6749b4f1c90e45a7166ea24b59f2b90074cf94cb9d2f88905850c162084ccd63c11084211124e90ca35f21cfe2172691022dd2ad1405a048a743be128

Download Submit
memory/64-204-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/740-306-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1028-50-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1028-44-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1028-52-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1168-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1168-88-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1168-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1168-538-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1368-224-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1424-581-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1424-523-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1668-275-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1668-672-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1848-613-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1848-205-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2168-307-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2168-673-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2188-61-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2188-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2188-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2188-55-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2188-75-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2980-6-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2980-33-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2980-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2980-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2980-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3200-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3200-234-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3200-17-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3588-252-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3588-90-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3588-72-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3588-66-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3664-202-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3736-669-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3736-236-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3856-198-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4172-253-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4212-545-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4212-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4308-200-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4472-274-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4532-674-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4532-308-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4576-199-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4712-576-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4712-203-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4904-91-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4904-92-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4904-104-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4940-201-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5104-30-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5104-31-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5104-23-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5104-493-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5228-526-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5228-695-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5484-696-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5484-559-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download