a282672784c6bcaa5d9ff3fbd046f5543afa3ec93baf0b88068cf329e81e9087

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
Size

4.6MB
MD5

df0ea5a90534040eec6ac7218ccf2b11
SHA1

409b3e12f620c432f34f6b2b67232ef91a9ade84
SHA256

a282672784c6bcaa5d9ff3fbd046f5543afa3ec93baf0b88068cf329e81e9087
SHA512

884c915fa4e3d8546722512363e0fdff9657e17102d30f02c6fc04761807d9c14b49c10618e0903c78b609daaf2ef3a620f553f19b2b27582ba305eff3b7d125
SSDEEP

49152:EndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGe:O2D8siFIIm3Gob5iEuj2jF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2880	alg.exe
1608	fxssvc.exe
1296	elevation_service.exe
528	elevation_service.exe
868	maintenanceservice.exe
4172	msdtc.exe
1308	OSE.EXE
1212	PerceptionSimulationService.exe
3912	perfhost.exe
4640	locator.exe
900	SensorDataService.exe
2364	snmptrap.exe
2772	spectrum.exe
64	ssh-agent.exe
1788	TieringEngineService.exe
5008	AgentService.exe
1568	vds.exe
2180	vssvc.exe
4704	wbengine.exe
1128	WmiApSrv.exe
3408	SearchIndexer.exe
5616	chrmstp.exe
5748	chrmstp.exe
5912	chrmstp.exe
6004	chrmstp.exe
4656	DiagnosticsHub.StandardCollector.Service.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\38eb1ddf75cb61b0.bin	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105781\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5e6c9c910cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021cc17ca10cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038c1d2c910cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000755fafc910cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7eb4ecb10cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2bbbfc810cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c809ccc910cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b80c4c810cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ce0dfc910cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab16f9ca10cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
672	chrome.exe
672	chrome.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
4952	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
528	elevation_service.exe
528	elevation_service.exe
528	elevation_service.exe
528	elevation_service.exe
528	elevation_service.exe
528	elevation_service.exe
528	elevation_service.exe
4144	chrome.exe
4144	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
672	chrome.exe
672	chrome.exe
672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4548	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
Token: SeAuditPrivilege	1608	fxssvc.exe
Token: SeRestorePrivilege	1788	TieringEngineService.exe
Token: SeManageVolumePrivilege	1788	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5008	AgentService.exe
Token: SeBackupPrivilege	2180	vssvc.exe
Token: SeRestorePrivilege	2180	vssvc.exe
Token: SeAuditPrivilege	2180	vssvc.exe
Token: SeBackupPrivilege	4704	wbengine.exe
Token: SeRestorePrivilege	4704	wbengine.exe
Token: SeSecurityPrivilege	4704	wbengine.exe
Token: 33	3408	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe
Token: SeCreatePagefilePrivilege	672	chrome.exe
Token: SeShutdownPrivilege	672	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
672	chrome.exe
672	chrome.exe
672	chrome.exe
5912	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 4952	4548	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe	82
PID 4548 wrote to memory of 4952	4548	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe	82
PID 4548 wrote to memory of 672	4548	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe	84
PID 4548 wrote to memory of 672	4548	2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe	84
PID 672 wrote to memory of 4988	672	chrome.exe	85
PID 672 wrote to memory of 4988	672	chrome.exe	85
PID 3408 wrote to memory of 3560	3408	SearchIndexer.exe	110
PID 3408 wrote to memory of 3560	3408	SearchIndexer.exe	110
PID 3408 wrote to memory of 2252	3408	SearchIndexer.exe	111
PID 3408 wrote to memory of 2252	3408	SearchIndexer.exe	111
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 3992	672	chrome.exe	112
PID 672 wrote to memory of 2732	672	chrome.exe	113
PID 672 wrote to memory of 2732	672	chrome.exe	113
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114
PID 672 wrote to memory of 2876	672	chrome.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Local\Temp\2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-05_df0ea5a90534040eec6ac7218ccf2b11_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2dc,0x2e0,0x2e4,0x2d0,0x2e8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabfdfab58,0x7ffabfdfab68,0x7ffabfdfab78
    3⤵
    PID:4988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1924,i,113303432653329102,12150907926021283317,131072 /prefetch:2
    3⤵
    PID:3992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1924,i,113303432653329102,12150907926021283317,131072 /prefetch:8
    3⤵
    PID:2732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1924,i,113303432653329102,12150907926021283317,131072 /prefetch:8
    3⤵
    PID:2876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1924,i,113303432653329102,12150907926021283317,131072 /prefetch:1
    3⤵
    PID:2296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1924,i,113303432653329102,12150907926021283317,131072 /prefetch:1
    3⤵
    PID:4292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4292 --field-trial-handle=1924,i,113303432653329102,12150907926021283317,131072 /prefetch:1
    3⤵
    PID:2856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1924,i,113303432653329102,12150907926021283317,131072 /prefetch:8
    3⤵
    PID:5512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1924,i,113303432653329102,12150907926021283317,131072 /prefetch:8
    3⤵
    PID:5564
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5616
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5748
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5912
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1924,i,113303432653329102,12150907926021283317,131072 /prefetch:8
    3⤵
    PID:5904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1924,i,113303432653329102,12150907926021283317,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4144

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4916

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:868

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4172

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1308

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:900

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2772

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:984

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3560
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2252

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0837aafae7f2eb1fb8f2fd187fa31455

SHA1
db36682d709140ebcdcd10394b02441ede2f0ef8

SHA256
a5f2b4608fcb6f1e09aeadb204719c3b5b18fde9a0cbc963f1cee56759eafca4

SHA512
cf3c3fbc5989dde0733cf527b5d7d4842fac8bb12fba998ceb2b5a773e47edd9c613c2755b5f5bda7621506c553b383ec518c5eb6c416179934d456d0b9175cb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
22f9c2ed342d40248594ab1af394e0e4

SHA1
45382b2449816c97bff3e3ff59254a8f38c1449d

SHA256
53ce2c98c1cd77e4d14bcbb2c912c4adeec57e196031cf6a4fe73eb30015c132

SHA512
b83f9982e247437335807f57cd586cd61375368c20b12145b2679c95972d08d0b23826388d1208c8b6b569a0eeeb440d13662e626a34eb93458210426e7921fc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ec4afe1892deb3675ee3481a5a3b7371

SHA1
b84f5e72dc9124786ebd5ec76273fee6920297ae

SHA256
c861abce1411827bf313d2ad42b518c0af84aef205c064bb5235ff58caca429a

SHA512
60304c887a5616076bead6a60a50221a6cd261bb16a6c16d995b81e55cd9f9976eab6db48bf2623bd6c1c0caf7ffc3633624acb7216ab173e0a0bef3b9e1f8f6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6d020805f2f6680b860bbed424710cc2

SHA1
d7d24bf8f6c29869efba3e42fcabc131aabd6c7c

SHA256
8124e69a737854ef0375d06a8a92e8aaca3683f415d882280a757a85556b5989

SHA512
3354d4a8267d59d464bf71f8e2e4b72b6bb3d62d8aefa1d609e09bc7a53f3ef993c956b8ea0271662ec82cae6c76ca57bc1d663da8891d310c938db7d482ede4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
49c3f9f55e09b32bf2790c281943ccde

SHA1
92735fad38ea9eccb843f8474f34746015b04fd7

SHA256
fa10067dc880c2fb041f2d19a5f4c9adfae0267320ba474e8c9c0db713fd1eb5

SHA512
28e7674e58831b13e47cedb116fcd93d741354553a4d77c73fd43aeb5bc4eb98d1cff63995c56b5f0cca128a19261f080f7344f01639151ce96d81e579e37621

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
39b9e1707842fa5959013b379d76e588

SHA1
913c782872cdb1254eb2e17e60a15332c846de94

SHA256
d79f1da300313e60f7b247543b518885c43b03219561afd2e9db89851843415a

SHA512
af647dbfbdcb94d2e00aed8185f036e09df9888d1f0c39a99f69217b9849481c2d1132f307ff569038ca797e1b8ad05db8b2bb8ca84b63118b2e6056bea1d306

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b4518f900c4eb54c511a8e693ea95017

SHA1
85e9d33245cd9e6ec210fcf030907c3404f18626

SHA256
e77bebdd1acb7d267f10ffdd06812d5fcd8f30fca95c826d8cf455683e9a7314

SHA512
fc4dc3be8ef868aaa6e5bf98034c27cd5903b59b2babb5a6f7c780adf40c914a197ae92b9dc494c550b1860ff80b9ce98eb6cc9326e89608cbff9218962055dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
071694f175cb8f31919d06df4e55273a

SHA1
976d1524406d836fa6a798973d0118d57625f0fa

SHA256
adf496fec90ffca43475d74b2bc7d48d604e994e6ea6093d857116c37704cf26

SHA512
f5cd3b2e0ef13cb12901929220345cbb27a78cd92f83205981c217f0d29345b3999ccbf0f1194def2ac76c56dbafe094a20ee9df8de6b02c382f215c4757488d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
3150dc95117e3e1b83c25d8c61f32a89

SHA1
838dda1b57b9ef196f3d4bb67a93454d070f7fba

SHA256
da35abfa15c4ef30c48ecc05db5813980b1f2b8d827f49c7ec0bf8f145b8cb24

SHA512
ad00c9fb9db22f77f891d5454c01ce223f7fee5fd20f15397891faa34811b43821ef1e2a4f6ad32208dd12cbc3e8f1bcc17e8660e3d9d3d5ba3658e5f1a608bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5c535e521a1e40f4317530fdf04cb428

SHA1
53001abbda6ff6a015692c14913808bec8288f30

SHA256
a6d34e539bb0fccef2c2856e17fbd3639586094e67081409faa1b19f97e5f1b0

SHA512
68acbaa742cedecfdf41e396ec3dd15f5d90413c01a31b58e69afc5d739160aaa8fd7777ccb28fbe76dcdb1b625fbbecc7f139d91a775cf2ce8558798c557ba2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9e3ce62379c86516334a777a7280a862

SHA1
b3151dda0d1fd205552ecba7e2b83c3a0d296d79

SHA256
af753cd4a7c2a743817bf8a99c93a201245f7adde77423c54fbf170e654bda8c

SHA512
06de1870077d5043b610d29dc85e0e13df4fba3af9ef7e51ec0905fdb93083644c0145cec195a073530887f26d2d5e3e64c2473f141075324b909344bc58b25d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cc0accf1b5848a301a93d57462ffc9e7

SHA1
cb3b6750bbe19519337e90a0c06c7e2648f5ab8b

SHA256
5f0650029e1b49a4e7a90ec2d2de94e679f9e00f28e15e15e1490dbe6469befc

SHA512
816180e6c3054ff2fe1c60055e1c43da4b05eae3cb649e725ece9fc5d42c8e9b9650ac134f767b5e2e179aa18f0349543e2b112774ad53e7c2acf26409e3aba1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b3fb72dfc59e8ec5da97f64abe2a97d0

SHA1
5ced4c7ad94a32f75c2deca927ec3781de50dd73

SHA256
a310b06f6f4ed6dedacfdc2937ef6ed56505c1344d6ff26fb94005bf659b84d5

SHA512
1ee64eb9768f26db2c4d73d5ca6c8575104155446ab0d0776a02b67ba3d7c6362e3d0d7fa688e4aa386c169d4060a46a8f58f980dd0329bf1e2425dee2f283ab

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
95fd9e2a63332dc70312fa612026632e

SHA1
49c14c26cd4849a731252182e110419ecba76616

SHA256
091fee7b0275d7f77250140bbf8bc47295ab49683fcd206a4e1108dcb58e598f

SHA512
1d3aed877f305b20d3860e91514760e1d5fa10db93b8f4f3f144f8c49348521feca1decb2ad8f742562128ac6729b83d229fe59303bc4dad92e84cc9919ae919

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
33dfcaa83b78b62a4a62e755d9bf5015

SHA1
82173df886b4141d1c7b07695b78895c15fcd8b7

SHA256
a1883e6601a8d245e3f2189ad1cff935d08fda7f48a17dcfc481bcfc8235ef28

SHA512
e0d885cae3386317efbfb36d726d21e4f18622248e04e3032caf21b7e3dbdfce975ef4f82aa99d0e616a00264c8b7aca29e750e6590a206f6242c98ac2f4a966

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4b33359a26a246ac16a565a84b8a4b52

SHA1
9dd6bf8e5f3737b85da8160c6657cdf02507b09e

SHA256
82cbff28305e9d016f443a699670081cdbbc03aef5bd495b4bcc844490f8a09b

SHA512
bba019ddd5ac103c5487f74ca05cea565392fe02591016f9f5e4df679bce82b64cf875965cbe3336d3070c84ef523c7fb05854dd8e405812f7df807e775ce907

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7c34e5a830b12ed863de7903d84d36a9

SHA1
eedc8406e9018555beee066e85c6f289c3265748

SHA256
59df94c371c4faebe481437aa4cae102d8dbca61038660b5f48aa7f84a3ae6b8

SHA512
9cbe90a7780a4e2747ff233e869f492b32330c1d6172c694a303924f7b40fde70f7985b5186924bd99b196c2a10e6949eedaa78c05edd10890c6728ea576cbf3

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\069716a6-384c-4a0c-98c5-6c9093597f94.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
35931eb5f89d6677d7d5502c5eb315ee

SHA1
e2d8bf5e2730659d7782376ae838f1ab614a6b3c

SHA256
09f6f07e8cc98764df49cd1671431f3516804dd32587b44928f0ef182d6fe65b

SHA512
c04edb48c727b90cb95eac2dd620a81ab3910800801d6c63cb7fb4af2123951e6c448518e9e9d57659cfc154d6b824093e882a337fe09c413ddd80bee3eb7913

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
db9d6a8370ec787900d17e4e7f0f1823

SHA1
a85b5caeec7f76a3f043def98f5c69a3db0828bd

SHA256
75f5ca3c4a8b88030c0333e735fc09fa5cc0d5e9cff9648a1763ffda29385076

SHA512
bf3871cb28e6ddb6ec50662ef6eaf51a059299cf12fe35eb7ac059bd8b3efb4d4a3094c89dd9fd0732105fe58cf4b1de5e1c654ad09feb6a3777ead7b24e610a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
fe3e82668f80310a84cb1c56f235822a

SHA1
ea0f9bf59133c96d5b0ea8f38415cee0b9d6a57c

SHA256
199ff2cae63cb8188234910ee32308c5e43243ccf5931dff76a3a36b58dfe909

SHA512
ca8fed7c63b9e507130be6a6d1f45735e6ef0220d4eeed36a94309b6c3d3dd0d4f7f369c663c91d330fb030bcdd8e4de204b58de06b0156bcb566fb05063b3cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
89a2a7c54058cee02bb5f42c87435040

SHA1
6fb5dc16d93a027b70550bec09d6a5ec2ee0068b

SHA256
371107f9ebb4c906d174af8a6c7fd5be0a8a8122a1f5a897318dc0e99f3a4a71

SHA512
ea77b9435801fb6fa7efb9c8392065697787d88c268a7565467b38ea27fb0b1042bcad262bc6cbedfba761e9328c8ed9d56594afbaca7d492e0c05f01e3099b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a19be67ff15bc992179bdd64b5936a73

SHA1
5f1cd428e4e71f72556cde26728c6b5fd7a15c51

SHA256
477f0f211fcc6762c9037f397e292757d3945c125d718056e7667bb4881b91c0

SHA512
b30f7a80b19a645d76d0132ffb2d01180b51da433d5ec1ad0ec52149602f1d5bbc5571035093b6d9a24ab8b073588e34acd3176388e55405158d33eb926bcbe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
21064056619ed26a9983c9d5e0cd4787

SHA1
62660bbc010eacc26a13fb92d3410123375ba16b

SHA256
52f69f297d763f6c02e3500a1dbd5ea514515e72c0b117815a549e8cd2551ac2

SHA512
be2e44bad3df7392450b598bcfda4c2575617a782f28d5a37591228fe4736e361c797f3360375bc4174fc216d14c9ae981e8da5483caf468fbd2acf6b9d54947

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57d4b5.TMP

Filesize
2KB

MD5
b25ca487f561778fd8fa0bc3dfa08257

SHA1
73dc076d35098ffc1d305ba9a346fc609a4051c6

SHA256
0c9387e399bf74b14540544f39a3338f17a6d2e15cc0d0d3101bd4f2dbdc0bd8

SHA512
3cdca367c4406fd3a0294036a2d12ad16eb22f64a8320984a8967c47ec15ffc6f7679843f1e3d53b23e307031c92a5316e61326df4577a682f4725ca6383c481

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
08eed0b05beedd8f4ad837d704b3634b

SHA1
536da8e36af8ff1e10b9940cc3a258e12edf44a4

SHA256
d2adb20126150be747a1baa62b8df45e8c805d5f76edf2ac4ae979f0b80a6432

SHA512
a3a8d622aa1856f65d2fe0f7a79f9e03f7dd1f481e3d8b33411b595b3908972e95c5f25224aabd2ae19ab3a5042068a0fad29e55719ca44d2c7d78466d2f9f9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
b5d6802d9f0febae3e6ad00f3fe4c1e7

SHA1
f75c15ace94d9362f1ceacbdf8e251563de8aa3c

SHA256
7aecdc948c781d65f66b3c41b684dfd27d24452d01fd658b2aeb776ab63dcef8

SHA512
e2a0236853cadfa983f9436dae7bc42a461196df8ed811d16fe0d93eff563d275a6a9cb88edd8a15ac569eedaacfda67514a1dce2e18a8c44288393741b4673b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
cd1c3fac73a01759cd622053a9cf6773

SHA1
4906b0134f5fc55256290d5e8d6fefa103315e49

SHA256
4089b8ed8f5238242edaad65f077af090b5014e3c6502267f8b379449f2136ca

SHA512
af949b823a5c8d959c4eb1ac7e5482a8e97970ec8a9735e0e3f68cde36c14f6a9744f2073e189821d1541155ba37e427aeee7683ab0d24e3c691f8a40c3ca48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
dd2a4d885d94d4297631155684ac0f8b

SHA1
d8e838658093342227dae560af4eb74587cf85b2

SHA256
ea6d9a8e112352f01617968d85533c14a20d2165a80e729ea19ca1fedcd64d2a

SHA512
23a655141373933925f7a894846c3214d2ebe9eed4402f488af3cb1f8d931cf6e7f99bf5760965a685aaae44de3d0797b9c0490e788275f02e6537e3e05e9cac

Download Submit
C:\Users\Admin\AppData\Roaming\38eb1ddf75cb61b0.bin

Filesize
12KB

MD5
a3cfe6e16e774f39876d40858653031d

SHA1
e2759ec80c4b4e79e0e578b1b685718eba92821c

SHA256
f4339853ef5a6667172104f307ce1fe3bf11761944048342ffcd2cc510120053

SHA512
2ad43b043d97032d6e7404a159219b80efbb8baeee0b134e8294518fe4967f56d926b3f725b8d4f2ca1924a95e9680781949b701738ee6ef21ab50e1634eecaf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2077e08586f8fddf19c23f60bd567a87

SHA1
d529d166692f31ba2328302e8dadeabfa505014f

SHA256
200658de5b15b8b838f0e1615ee203175ca2cfa8b9ad9182c2e31cf5d52db59d

SHA512
272a0d8dfd059320c4dbc8b9f4c5c369c4241f8f08fb8373e3ec9116945d1837a4ed4996c6ff72c620fb6b50830a0e7830d15e47206d1a1e39a64a7be5483e4c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
55b3f6d3b2d21ec897ec23af1ccea690

SHA1
361fdc356997f4b0d7a501c68ae593003ec4e59c

SHA256
7b4b2ef91ea5afc5a9bca23b6e9657cb3ebfc8f62e5d010bf3ce155e73663841

SHA512
e1dcc797c5aa62dfa7ff79f6268c38c80a773a3cc38c92392bf0cdaf9c37807074d2a04556c5c72e4e77795fe8cd2a88512bc94f787a001870f9e08f4c0a8ed8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e323b2e88b2b62756b1dd8967dbd1b01

SHA1
c43f0411299bce50e36d4dbfadda4c0b7ab92bb1

SHA256
576bc815b7167abcb9c54beb8dcc353932d63187f4ca6400d67824569bfb5f08

SHA512
3ad494a26097d7791b71f81df20ad420f182fc8c1e381983fe5b9e5be2cb8bd0454fb82342220c1f5fbee85026f1f17719e4f0d86a65b5f612b19a2156c9f94c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1cdba82ede93a47dd1d900ab7a2dc803

SHA1
3114c4e117eccf050b109bcbbefd39f8a6deea8a

SHA256
853b8effaaaafac77ec411450116325cf27545267b6a9bbeb45f5a3cf38b7ff0

SHA512
a9bbdf805712bba44f313d2727f6e0d02a46c40bac4f3f9813f08a6266dc60ae29d56e887ad7ec881f18e4714593876798426409f5d8694b2c32cae340f5b56c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
510b53558c76f7199e76352408fbce02

SHA1
be3ca25ce71819528c48f64817d747b0c54dd241

SHA256
f49ef59a782553baf59754574811868be55c5076914178020c2a37070aed611b

SHA512
8474d92d1d9c970974620237284536dc97341df1b5f994b359da9ae3e180349e75304f4eaac847f91b935facd1e3ac1415794986a6d547dc0d7a35a833d8453b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0107d251e319c4e2954f7342bd96e385

SHA1
f7bfac7d9a1ad72f41c70a9d3fdc9723a5df9ce7

SHA256
f4fc6415b09af91154d9929798ac4c75f1a1745b51b51b1dbf554a8e22c418c9

SHA512
416db5f908d814c4c6b24265d654de7447f68722a5453984c6ed35210f3486d7ac4ec12e0ca9c7e61f2736db83d948a4adb3fc36b63543a48847b03b2665dc0e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3956cbcb95296194103b941048bc73f0

SHA1
483a5dd72f56ceb20e5257ca5e354d88e669dff7

SHA256
4ae6768dd0ccc560fcd40b3aae6bec96a433ab7cfd9142c43166a344eecb7aff

SHA512
646df5a0175e51a62a1f1dfa2dbe03cfa9d58683d63480406b87654652cd262930e10f2e581f7642766fc9f2cd4e6aabd3a0041cf5ffa510408fb823605ff706

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bcd5b22c2ac0d0195245d03b1ba16b82

SHA1
03b957f1e005d296d2525825a735f56383c3a478

SHA256
35da8641083ec6006d9ca8b0741718532e9df27f9641ed4af338364ceb39426e

SHA512
4b700ed180d4b731c4394a98097959f24290598723a8d9fe68109c9da3da43a6e69fdbba0c1f5ef5f59a9b8314449e2f46357eb08126d61d8ca887c235636ec3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2a2cccc5122480039a1530dd0fdc1d6f

SHA1
03d07e9fc9ac1c2b44bd14802553c826af5daf1e

SHA256
061e372bf3110f232f2cb99d8014a9e3b14901ab8653138bab3a937cfdd2cd1b

SHA512
84bb430a43dd28dee70908f91ff790f115bdbd29cfe2d2f7ddcb8a5aeb128be6080a5e309814e62873d216a14bac082fe8615d2637051e0152e75c597c035889

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
147c478129556652214e45b69cd275a5

SHA1
63d6a87f53fedf9bcdff91bd341a3624762ed066

SHA256
2ae20621e2e25e55ee8417e54f39200c27315042df2d6987ca4b933013a6a34d

SHA512
7843aa97ad8526ee1662f915133bc87fbcf78d998f1d29968db0ff6a6e66bd5318fc6abcfd258d2d7253a872fe4a37634ceb00f2d21213b3e305ab9177839eec

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
18e34df250eea9a206dbb09e766c0c54

SHA1
4dd9dff732535a3fc1a9b9dae2a66ad916c64675

SHA256
678a77ac99dfb3da13f8ae8b6d33674abb434d1d0b0a49ad5ec2969a59fbcaaf

SHA512
b116201cf5aa503854fc4c21137ae02537abb0801b0262d3cb615c9cf6d803100df3b9ddf825b0227c3c274b2428fe0707913696616cf1d33bbc38f667323dce

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d549ca2678190f900c7d6b836221f642

SHA1
60e2dae3c9631976274183c5f5c323c091fd8b65

SHA256
35a21472ce474a496ea830f29de1ee2cdb3bac2bfca59f08e99ec6da2c9fbd6e

SHA512
c9130de3b5bf3856a9fd6405192a4a5fe5ce26589f0b49f2539a4a001911062c5c2e78c5e084b73d25253972a9aa215fba7c0c963294a84a722eab09bbf85461

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
65a7c83fc6fe606621d11e75fc92d7a2

SHA1
cf21b814921080373f2eba99fc89f535a1c263f2

SHA256
91ee15f155909cf5ff2e5b70793f3bc9f442ed9cf760b273d4b58e025e363bbe

SHA512
65224e5c43fe5a0217e5d785b563c09269ecf138da9ad727cc131176fd9fcfdebf796223f5f2ff2b6fc23b7dbaf2239d5fa180de987413bb89ae258248b84063

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9a82741cf9c3e6a666c0f60e6345fb3e

SHA1
79f348fb73ab7e009e1bbc0d82fc70f4566a8c78

SHA256
937c09a815ab5e1482c1cf18768187acfd8a2d4da86ba590da7f4bb3223df2f9

SHA512
4484db9e76849d31bfcfceffa126ee747433cef2055f5c2b2d832a012a2202c0da32555c0d07c9ac648811fb56ce7eaa050699e5c123c6d228eb0259fde01f8c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4205230604dfaebd8e6e261515e6b7a9

SHA1
57b0f082580fc5e9e283a7e69c73247db0865fb3

SHA256
ee72d921e8003c116a5856827cdea753aa23f28a67e4bac912066336ac0f12b7

SHA512
326899c7a1c88fc7dbb25d05a83bd297bc9a52c3a68308095ed38b229aeb00dcd6e4d3d98945921097fab1eff132986d5cfe29bfc7ae3a7e52c02fcb51b29b0e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ad3227320293f3de9f8d1f1427ce959b

SHA1
550b5ab217e7e969325bf940dd4f6a1fdebc7a9c

SHA256
7b69c2de2310ea3dc958c330d56bb2a8e64be6c735decc9463c2e0f42b57213c

SHA512
ccce472031ad265f029d59553e43dc5036d2e508f730a5b53125f0d4584e4e5ea3a695257732d18c9da6b3c29220c439935a55a091a3d8d3a616c8d24bcb9142

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
f48df8bb1ae812a80ca3dd1fa1fa9e07

SHA1
8afd39672643c333cd5d44ee0809d690819d5d5c

SHA256
8da3bd0d3ace0de1e13d3f08d929632d9e04b0cb5f32f5c5dec99102a1d56ff7

SHA512
1f8d5c39a7a9368e68720df4e70baafcb409fa3cfe3ffdc769c5868577113e6331853d9cb44932bd1dd193a293ba6bd60802c7563e507547769670c6cd72e2cd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cca22f2d1353545816598fbb5644b6d4

SHA1
671d8410a6c2afcbd8be65f5a2e88e88961ec00a

SHA256
69dc46c93e8998c0768fae2600977244c58f887f80ba1ac18bacb9310158461e

SHA512
76e3a55d2bb1761ddf9a414fb1798ef365ead2c0ddba4b7d479fa1a94757908fbeeb81c07fa0a3f4150923c8378106591fd802865a5c79c5f8de419489c319a6

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
11a36547b7c7dbb1a5fcab8d367dc9de

SHA1
7a0abf6bb3a40592c8040130ce558c5694ad4758

SHA256
d79e96fb7ca66742fcf7786cefad69f62fe39d5dcbe424b2eaa595ceeac1523f

SHA512
4008a377ecd8989c357e522445234578f6412515112b54fc985a7bc79c049b80659830632670d35cd66d44b42b2999fdb54ae10cba1afca27b346fffff7d0cf8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5e561d09cd3f7594cf719c4b73b381fc

SHA1
a81a4b8823a7fb9f5d6b97c80556f1e24a99ac79

SHA256
2d76ab81623f8cf57b4280a3b593f840defb270f378f3a5834f8d71509cf77a8

SHA512
1edf03b75859a9465a5058dce753961294ebcc18abc24f4c504f536aee5b9d704e286aa1ce2f78a025c4665146d6c250f74018f9e8fe455384f43bf213c9bc93

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
f21f3aa65b987db268f97fd7b072e397

SHA1
c3275f2d1632dbf2b4938328ca9629924029cf98

SHA256
0090af32ed9afb5fbbaef6fceaf18c8479e6a9e7f28967e6abb6ea792d8d2ff5

SHA512
292d5a0b3e89aae3a12624452f7817c2f62bba0a17419ae0e085d1e7c2553915757442de105bac45b00949217d481b78228691c34259bd63aa9b52a0d8480ed0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\38eb1ddf75cb61b0.bin

Filesize
12KB

MD5
545bee05d08be9e39a6b2fb74513cbee

SHA1
db0afad8c9fbf4e3f9c1ffe6c76ad6d4570223f3

SHA256
5865fefd49ab0cd688d7423fe9158abb34b9adfdec0385a17fa77b65f5671e47

SHA512
f31d52f083105911982f03666f5420582d975a2fdde70630029d4bb21cbf6d2aa3ede529406ef5123ec3a64994fcafb4edddecaffcb33ee141c79732516ad546

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f65720eadedd509232f3d20460a02001

SHA1
7fedaac20086c8fa77e7ea8aefde26e1e74479c3

SHA256
80b02a846ac2785ef148f0eecc5967255d650de6a28b6be29567f164fc8bab42

SHA512
8e57a719722dce2e19a922091d2bc8bc4527c87250b5766c1495915d4c23336d6f8edb7ce579ad56cc3115f327d605944b0cf2c530e00aecadb149063f65dc5f

Download Submit
memory/64-204-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/528-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/528-540-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/528-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/528-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/868-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/868-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/868-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/868-69-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/900-201-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/900-476-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1128-541-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1128-209-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1212-90-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/1212-96-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/1212-198-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1296-341-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1296-47-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1296-45-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1308-86-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1308-197-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1308-80-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1568-206-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1608-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1608-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1788-205-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2180-207-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2364-202-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2772-203-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2880-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2880-509-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3408-210-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3408-542-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3912-103-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/3912-199-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4172-196-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4548-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4548-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4548-29-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4548-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4640-200-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4656-583-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4704-208-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4952-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4952-418-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4952-18-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5008-143-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5616-417-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5616-471-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5748-419-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5748-543-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5912-428-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5912-460-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6004-450-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6004-544-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download