e8293c4d8704c2cd06f17cb42136d774cba4da66a0b7f18760232eae544d55cf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
Size

4.6MB
MD5

5f7e11447252c355a9e7447c1c93c1fb
SHA1

a1a4c9658ff46797a9b61bcb105dd1d241a7e807
SHA256

e8293c4d8704c2cd06f17cb42136d774cba4da66a0b7f18760232eae544d55cf
SHA512

ec25e48367202f23795c3c7b758e8e8671147d8cf16f0dc92f78913e9d9d1bf2718a98a9eb9b31b1f82a89700cfca280b57bad12895adf8532f6ccec80b95b80
SSDEEP

49152:UndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGM:e2D8siFIIm3Gob5iEUfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1964	alg.exe
2580	DiagnosticsHub.StandardCollector.Service.exe
100	fxssvc.exe
1680	elevation_service.exe
4048	elevation_service.exe
2460	maintenanceservice.exe
808	msdtc.exe
3768	OSE.EXE
2912	PerceptionSimulationService.exe
4552	perfhost.exe
3208	locator.exe
652	SensorDataService.exe
3088	snmptrap.exe
3800	spectrum.exe
2996	ssh-agent.exe
1292	TieringEngineService.exe
2648	AgentService.exe
4416	vds.exe
4068	vssvc.exe
3428	wbengine.exe
1956	WmiApSrv.exe
3504	SearchIndexer.exe
5852	chrmstp.exe
5928	chrmstp.exe
6060	chrmstp.exe
5136	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1c3e708e75cb61b0.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094d962c819cfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000318ddbc919cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5163fc819cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000736896c919cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032a87dce19cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9644dc819cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca513ac819cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008adeabc919cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3626cc819cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
6136	chrome.exe
6136	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3032	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
Token: SeTakeOwnershipPrivilege	5052	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
Token: SeAuditPrivilege	100	fxssvc.exe
Token: SeRestorePrivilege	1292	TieringEngineService.exe
Token: SeManageVolumePrivilege	1292	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2648	AgentService.exe
Token: SeBackupPrivilege	4068	vssvc.exe
Token: SeRestorePrivilege	4068	vssvc.exe
Token: SeAuditPrivilege	4068	vssvc.exe
Token: SeBackupPrivilege	3428	wbengine.exe
Token: SeRestorePrivilege	3428	wbengine.exe
Token: SeSecurityPrivilege	3428	wbengine.exe
Token: 33	3504	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
6060	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 5052	3032	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe	81
PID 3032 wrote to memory of 5052	3032	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe	81
PID 3032 wrote to memory of 1908	3032	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe	82
PID 3032 wrote to memory of 1908	3032	2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe	82
PID 1908 wrote to memory of 3304	1908	chrome.exe	83
PID 1908 wrote to memory of 3304	1908	chrome.exe	83
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 976	1908	chrome.exe	111
PID 1908 wrote to memory of 3256	1908	chrome.exe	112
PID 1908 wrote to memory of 3256	1908	chrome.exe	112
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113
PID 1908 wrote to memory of 1960	1908	chrome.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-05_5f7e11447252c355a9e7447c1c93c1fb_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2cd5ab58,0x7ffe2cd5ab68,0x7ffe2cd5ab78
    3⤵
    PID:3304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1920,i,3100394750120016683,4015400209052598014,131072 /prefetch:2
    3⤵
    PID:976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1920,i,3100394750120016683,4015400209052598014,131072 /prefetch:8
    3⤵
    PID:3256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1920,i,3100394750120016683,4015400209052598014,131072 /prefetch:8
    3⤵
    PID:1960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1920,i,3100394750120016683,4015400209052598014,131072 /prefetch:1
    3⤵
    PID:4056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1920,i,3100394750120016683,4015400209052598014,131072 /prefetch:1
    3⤵
    PID:3112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4348 --field-trial-handle=1920,i,3100394750120016683,4015400209052598014,131072 /prefetch:1
    3⤵
    PID:3544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1920,i,3100394750120016683,4015400209052598014,131072 /prefetch:8
    3⤵
    PID:5696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1920,i,3100394750120016683,4015400209052598014,131072 /prefetch:8
    3⤵
    PID:5740
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5852
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5928
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6060
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1920,i,3100394750120016683,4015400209052598014,131072 /prefetch:8
    3⤵
    PID:5956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 --field-trial-handle=1920,i,3100394750120016683,4015400209052598014,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6136

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4580

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:100

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4048

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:808

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:652

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3800

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3796

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3504
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5164
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9acdb0a91d59282fe6a697ef51c09c9f

SHA1
a1d875f5a14fb832984cf37aba3efadefbd550f8

SHA256
ec2604b36de2ba59692f0ccf2942c25f1b7c79ec51fc57c78fb1732f0b739d71

SHA512
782c75783c1e6f85d3160e4f3d5c952949be7f04551436e621754065f7c88617edd9f1d1e7a1fe04e9648ea74ffea7a3b01b2351edf17dc584466a9b3606be65

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c955733b913047324530bdf9b6eb8d14

SHA1
26583e3637a3eeeab76697dd631f28a9880b2acc

SHA256
fec4bdee507e19d26f771687ef6192ed14f2bcd5d73042ac3182eddb9091212e

SHA512
9130ad7205f3d95d3ce9fe40e156fcb1b5fb03d70daaf069bfc6a48f5d9f21abab65e8b518024f0152e11f9d46f0ba091b47f30f65104d7257c3df82c11940cd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
867d8adfa56e446389e724655d00f550

SHA1
5b3b4cdb3a242434701c11c07624fd9f81f875dd

SHA256
d85fa547f259af36639a4cfc16b508afd7f18712521805b3efc60351b4b82dda

SHA512
37e86bb804204a154086b26138e20dd329a20271a9c3e80b25a4c801655dbd71238dfa2ae14ef92dbd8c62543c14ec5abe85bd9c847a8a1effd7192aebb61c96

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fe350b9e9a88ead4ce9bcfaf85baec94

SHA1
2b16549de36c6e5b8cad0c8b6dc7c8f2ad181875

SHA256
958df51e28842eff5dd59960b05fc6d7495762e49603d7e5f18f623982c06d47

SHA512
26387af2a45d77a6af5f0febcfbf7bf1c5002adff071f652a5b94a351df9c402ae9cf40e0cc308763c886c4dec4edafef72b3ae121d851abda2d74111f086557

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
66c932ff0f4f685dee20b48e0d622f7f

SHA1
788957a042955d0cbba2e2afbb2f09bec5ec663e

SHA256
4fd50d157d79ca881220bfe7461a517b7effffd6eb78202d5e90c2496811fcd9

SHA512
57af50f136590579915ac212624e1789dbc159fa2456dcda8064a882833788bd61280f4e4e802d5adcd7f63e2207b71dce0aef6d9be04cde95b52f19d78f8c6f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
77766d727c30e16cd304a4230b2a88f0

SHA1
ceec4703e4d1e4327cf96c537884d8b85b665c44

SHA256
100679f4f3637da5294bdeb30886ea3da363b1a5a44e6713e9a9da407c2d30ba

SHA512
68d0ef668f8d2c625d7b875b5cc2bf5661355b72d7de26d9748b02a61dceee65754316020a176f3c2d7e79aa46bbaea35bd8463a39430de299256229ae2456e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
96cc90220f42d1c702914f0992cf4cef

SHA1
47d75c8088f5f0ecfe521057af56ded3f11abd37

SHA256
965f600ffdc0548de1f35efc3acca2154fee8759f3330a5aaf3eb27aa07609b7

SHA512
ae4d1ca4090857fc833745ad62065678504baddd41833a6880449ec1ec78da9df041e58c6e89bdb77dd01388122b4bb258cc84dc43715790ab8f9144e292cba3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4817c8728e087a159548d8f179d60b5d

SHA1
0bfa609e0e5587cd5316d5c239fa023624d6c05d

SHA256
7ac569fca6c709e433ba8e73f62b52081c8bfda6bb0f1b926fda7055868c1b3a

SHA512
a9c36ba83000f651e636937d7526f860aba35e0a16c45c1dc5acf25451f0a99a14c1ae9980515d8682d67da1fae9dbbf7df981ab036cf218a6b3cfddea5ed0a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ff0cc67f108da773bf1feae745ff3a03

SHA1
7702d824ae5ddc0fd25a4f23990614184964b919

SHA256
f056e34f14912a3dd7d1c8523a4d9dd7700a4798a5bb653e185a58710e7fbb23

SHA512
c7774bb61fc651d3178c94a3d6e48051448cda562b2cc34b5e4b189f04065aa8df1ba9729ad5b6d497e17ec8a70beddf206b1e1adca416fdc6d40189e2ea644a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e52127e8fc8e153bdd78b76e91479cad

SHA1
e3f0594cd8800064895263be88ca3bf894e864af

SHA256
6186869da0fc637202e58f8b54a0c64d7a6c19a8ba01f24a60cd169e07b7af4a

SHA512
fbe22d84e2b0d78da548bf6898a09275cb34b0e89a85d24db254a164be1f549de5d2bd8c06da33837fdd1a47c07f30cca317301de7cec9826c4774777a402f95

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e2f1571f40df29faef4ffb21d9b66455

SHA1
af1dd51d9a1900d87497481ac7b2a5ee24845c1a

SHA256
5ac2e08317c9da36818468c9112efe780b8ba479d54a82ab0c6f1600d61faf4f

SHA512
6d9559dfafb8c895b670d1b3b9619d734e5cbf13b6197d038f29224999cdc7b713f3912f04ef10f74c324ad68e97ea9b6fbb09bd0e4dd97cd8d37e04e24f08b6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f965469a1de52aabc82d8e0a1cb8d0a8

SHA1
d0d33e1fd7355e3c621d340dbbda2b9a2ac62f17

SHA256
9bb2ffd35d6370d08a9e5310c4b8d4db4bbd6a90699d4792dec8a998cf5b551e

SHA512
2515338aced8c03c23c761293e88bf2b42c211abda161b2ee4de9b55d0df29bb32c1f84531e2b496f1e8149b5fc2aeeb17b1d25546694ce71ce8c3daf3c657f0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9bf18e8caa891efd10df94b466312ee0

SHA1
766aa56bdd186a35675ecb59e1ec735f0df886d2

SHA256
88960e966c26885256a79a35803230f01919135cee60971466499e616232f95b

SHA512
8a0a9ddc725acf5a9232d6f55240e5f4a7a3ac8d5aea87e5757d7f9f61a3bc0096ae917ba67a350c53c7cc336c89178ac9f95b0142389d5cdbe747ca3bb90d93

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
19682ae2869cf879524735dc743d8314

SHA1
93b2121bbc5ebddbe22e5a0bf97dcc62f97b7b48

SHA256
ccdaa86a32273f9044046ebb7dadaa6e004954449bc5ec956e9f7cd4c36b2b4b

SHA512
01a21f6fdbfc49a22dca0abd0368e49f6c3ddb62eca74725380cd83b1556930e24e1f8e7783ef74238306aad77e1cd695d0bff3db187f61b500424626a0c3e7f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0f0398c84ce206fa7dd6787732a084f7

SHA1
c08aec2ec8183cc7952f2bf857f69e5989bc9e8e

SHA256
57f52d3cbdff41b3e1aa82df4b23400a60a26620fc29e9a032779a7cab4c3d08

SHA512
8365b3f7cf16fb7d01192666ae1f5b4b0797d8ecc5167e61af054522c3d5019781f9d68011360ebdf41236a49b3b9dc9304010b0568688729f5483929ab47514

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
145ac190b9c932b85e844186bc5598cd

SHA1
3d900df1f2229c1989e34b9cdb5e4df15b7a5bf8

SHA256
a55057189d691359f66c809c861ed3e43e2694f1e1e995fe9949d0dc07810466

SHA512
8502c7aad8fcd9919d1b2622554e140252d5897ab360de88f89b07d94ba42595de5c51f45bd7bc25bcbebe00ee83a92f30e09cf8cf892991c84ad98717f022aa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
eb8fc159c628d3afa96b8cf22f89ea72

SHA1
eb41cc2a8bd6e928c438d393c19c9e237d940eac

SHA256
617d0c69e22c17344a88447317842f731b4842d6de2f324d883134913dfe4a8d

SHA512
d54a1ae43a4bc97181484f8752055efde547e656457cc50b18a5f2af5a2a3683c04db477780a27d961b57f386768c7332b4c08dc9ca4eefd6ffa89aae66837e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5da9d0d2bf273be69cd252c3f2fb29b0

SHA1
15b848641512f79e75cff21a876e62619a3ab6c2

SHA256
6793f9a64fe188349adfb86af605316eaca600fabea015ca628eb9ae52edb210

SHA512
db96e82f6ce5bdb0f7bf7fc398b1b6c64030e25c9523721e1f36519bab9a8252e6c1d85f6fd3fc8a0d868b53484d0e5f051a2e35da39524ea4ba1e972122bcf8

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a4fb539b-2396-4c29-8376-de0704ae57e4.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c2818aefb578a741b5f0f6527ef48758

SHA1
8f2184824b505abb708d247f37aeb902a34f3733

SHA256
b067a9420a0d1ce4a4db9911fffb1a46f0044624e16f58556245530a3c452c79

SHA512
2d21bc74c4796adf6ebfd6b3e66460d65da7aa188f7ce5d38d3892429fe51fce3f2283e5e24f6036522eac859f18ccdcde0949499d8efcd776886e29f6ace15e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
6fc74ac002a85a9c7a40e51fbded4e1a

SHA1
9219ffc6a3ea314e96ba37d9c133cad31b9e2a9d

SHA256
9bbd94e82a6916a715bb98a0e567a8e1d0c59d9c4128a5a5f0af207680d2bd53

SHA512
cacfad070bb583da8a64b534fd3bee279fc877444d272cb477b79e211dcfdd7dc8f07dc014032a85fa2710614e6c6e32a54fcb283900bfab1f9e02033d2a71c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
fe3e82668f80310a84cb1c56f235822a

SHA1
ea0f9bf59133c96d5b0ea8f38415cee0b9d6a57c

SHA256
199ff2cae63cb8188234910ee32308c5e43243ccf5931dff76a3a36b58dfe909

SHA512
ca8fed7c63b9e507130be6a6d1f45735e6ef0220d4eeed36a94309b6c3d3dd0d4f7f369c663c91d330fb030bcdd8e4de204b58de06b0156bcb566fb05063b3cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
dd187e13e411bf896496a32becdb1ac0

SHA1
8bac0c776118173fa7d48cd8c9daee2b3affba6c

SHA256
d9531f099f4c542778414a588832cd9f3decdf1ab2f3251d74370e671708d793

SHA512
9c87eeb7c5f169e1526319cb4498a769b2c49b4b93a81ece0c7e57bdbff5067277b184b5e1e778ef224137122f88ec2d2b019a8a141b02df9cc18b1d8ab3eed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
055e9aea7de2e4d302f65cd3b76c4a52

SHA1
589eca3d6dc1d52ac5317d63fde1888264118f49

SHA256
45fedf00a89f1d631ee35fa6d5d14968c13d46e680d81d1b86d93d4ed3f35aa3

SHA512
c8ac9d704103ef68145e1b336090e2b2f8b1c63f15edb8a7360091cebfddee7375aac22e2b76771a43c0e67deb0a3ca53f284cf57c0837c18d454d0b8b7baa75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
feac70aa1c00b8e626aa888bf3758004

SHA1
7a39393a8a6d0d02ad80fd52fe9d30130307e768

SHA256
4040e1f6e59880bf93b45b83013718a31acdc2bfd522360e63bc75cf6b4e978d

SHA512
8c93d0d20c9a78a81880231a018175c98e4bc9495c199ee7e78202556f5b34bd27eb4fc86df15c11be5d5700d456d754f2ca999fae435ab2b8177cf9887eec27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57e2af.TMP

Filesize
2KB

MD5
b25ca487f561778fd8fa0bc3dfa08257

SHA1
73dc076d35098ffc1d305ba9a346fc609a4051c6

SHA256
0c9387e399bf74b14540544f39a3338f17a6d2e15cc0d0d3101bd4f2dbdc0bd8

SHA512
3cdca367c4406fd3a0294036a2d12ad16eb22f64a8320984a8967c47ec15ffc6f7679843f1e3d53b23e307031c92a5316e61326df4577a682f4725ca6383c481

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
5d92925303ab75f822fb98af4a02b4d2

SHA1
afb6bd977ce399e6c04524eb277e9d0061e0bd06

SHA256
e9f44e9abb7b1c0b2a69d818fba4a0e3a1178da5c7dd37bbd17901711f502752

SHA512
6eec461e4ebe6f31c56b77202f88c3454e3c3aa512d3d293a4c8a25da6171a47eee3915b6299574659946ef4360655833b7cd59f912b232311468c92bc266ccd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
efcc453a5e8b31b959989d44255fe5bf

SHA1
7a5f4ee607a774f04741ddc9b54872992720659b

SHA256
0793a3adf990edce2728e2992cbd4b7143bbeaf0f56c131e89c7d72f60d40895

SHA512
d5f2dcdeff0fa5ff1097f8409495d532523ae7bec80796163bfdc920d01551881d5888efc324f293fe33353802e1ca9225dd5437472b5c5614867c2bf1859010

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
de9d3638d73e3c536796ecb3f0680046

SHA1
5d4e818166fb4ad57b8e6b536bfb59b73e355289

SHA256
f9cc915cd464964922b1ab7a73f5b21f5719e15c83905032c0d25394168950d9

SHA512
6027f3b89614e3938890cf74485bb88a9ae4b60ca24ed1cd509c9786f5bd63622a99c96f3c2a29bc7697c525da3a537148db565e3c35427de44854505dcc0498

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
b1a73b5515302f0b63824250edecad21

SHA1
b5eb2873373b5ff8a2337ef48db97fa637224c19

SHA256
f748869bd9aa9fc3310e9ce7bd1bcd77c0542f7a569ed03b34ef851bd4a862a8

SHA512
1614a67bd98f99d32d9d2b73d764acede0feedd5e1bc2014eb31828141bcdba61fed1b4ab07cab544a669b3d8a3cda3c173e44aad60ff199104e76b1dae301aa

Download Submit
C:\Users\Admin\AppData\Roaming\1c3e708e75cb61b0.bin

Filesize
12KB

MD5
9f2bba1791e694cbacb3b65d8b7893a0

SHA1
1b21d3baa7ab4e7c437953ae29662ff76a7618c3

SHA256
5c07e97b8323cbe34c4c43dca650fdc1371ccba5104044d1032b2623ecfa192b

SHA512
dfb4d0bbbce0c587baf7018d23ceab4c1be4ce8f3cb5611d741a1466c46f54feddb1102446dd456dc513979cb5cebfef84026e32dc68e4aca4082d66e2d0d915

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
255d74ff009fab508931e7cc63eeb3d2

SHA1
f74655f06ed1b154bb8c9cbf55da746b53662849

SHA256
bac636c1b80525f09e05953b9aa4ce3936569ef00268b82a9c52589b1f02a745

SHA512
683de84be65c52965efa4784a947822b86c77c77b12c14fa942d06861b80de014a4cf9d12a1d2d2f91ccd1af624337efacaf0b7a6cfeaa86046f32d29a8b8442

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
66f7e2d7497aac6133236ef673089077

SHA1
ffb29c85c60f6b97152ae9e2803be7bfa855b175

SHA256
11ab6822b9066feb9a1b9d37c5cab4b0347faed58bf0a74944e1685e6faf4c50

SHA512
ac620b2eb638669de35b21fadee316b96cfa8d86624c0811ca1b2b44d4f7db452ab1725148688e7aa12dd57ab5b9d1aee49058dd89e8085cd83371aba7627f90

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ab0c9a3b36c4ebc7140789ec77c1e0fc

SHA1
528f702eeca24ce89ad7e3ceb785f456cb04fe96

SHA256
e5a2c24b7681ad26ef27a32401be394bbe1f696ba091db89e5b386d35adf3651

SHA512
acd52e8025f0cda4a8c57110eeefd5ad0954ab545dd6fd3c9c84b743912ef66f5e110fa58943c189c1f56f8fd3eb967166a0e5e5944c1fb6bd576a3a57d3888b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3315e872715869aa425198e68a7e14af

SHA1
7371dd122c19ea6bd60b9d201aac4d80e3f54bf0

SHA256
a31fbe6c87cc4a3ef554b0c524df3d6b7b79f3dd47e530d5ace6191515b7f758

SHA512
6c818ffdd30ae43d37c220581dd11163fea6730ad6797389e1047840f312efa236b50f8a08de02391da564787a9e901cb8c303f10719389acfeeee147fc2bec8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f6a805be8830699ef1d61578e9bfbdf7

SHA1
e0226489457eef2a1102f17cf222acb55160e217

SHA256
cdd3a85c8e88a938bf65db3cb1b019d1269b1113b1eb54348c5546bd078b4398

SHA512
7d2cc4c1250eed064adc37322ba9fce22755b8db58b1cfd46b66d1d0ee9f1b2ca4ff7a9569ba9ee0fcdffaf41bf1fee09be9c3fe5ef82e33b05673c345e3baf2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
93a602899348567c771372f0300b607c

SHA1
4c0dcb4efc15df9bc3e85d9cd40129dde5dc20f8

SHA256
c68e36714b8c6f55554498876e5e19b3ee8798a8497ebab8f460c6ab4ac9a3be

SHA512
cb0aeebd461ce1bdc105beebe26d6c93a2e3af87f83ab2746a2ae20414687474ff217b9cc7c5805d02fb47ab5211d8e5dab22ea0c6309f533f31dab157c305bb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
53e90da8b4acfd8f2130dbe9f0b763b5

SHA1
2655f5af727e605b4af77af495ce494baf1305ed

SHA256
04ca8caf048c9c1e46a034716482700c9a9b248f225f80b87957827a5967807e

SHA512
61dbca82d57c8d3418fb80f243a87ce95421f6ff7c90bf0bd0e13e7c3c69bf9c29e8ce690d3f259bfb5b38eb02d025cffb61c9109eb751d4019056ffd3e2b997

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3944c8627d25a56b2bae529f6421e1b4

SHA1
95a02c8a810bf5ebefb8248e8c8edf1c69540bcd

SHA256
fa9dec40e4a5c830cac396195dbf91cea7fc1e8815750b043cc22d4a62e9276f

SHA512
6ec75433997bd28d8dab6ba862f0582d45bb4607fe263695d291509d7c6bbc83f9768e94ab2a2e0ea54760916436a23d946f30d9c2c32c96d5f6bfd61ad04df6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fca7f53571d2242d05ea167377cce4e5

SHA1
fedd27487cb6e105e5809eedd68d51c8a7062ff2

SHA256
b479f30d10317de692276eda7aee161fb0ae539fd0083fa6279c2ecd6a3811b3

SHA512
db38a3250f7009603fa7811857fa1fb728ce701190d937e5256272e2d6648c6390b19d545bb9c2371cfa710a44123b12b37943c35be67dab34b0b1ad81f10f68

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b8f0f3d98688eaa073d2cadb0136d869

SHA1
53456e5c83853ac5c41057dced86e13fda1f8873

SHA256
1730c9eeaa02a6e94c4afa4ff3cd23fb92addd004bed407f104e76164dc8ef9c

SHA512
09cd15158f02bfb1a76436c48c77850a8a642a521c893a2e8ed856eb354e89c1d6022f8195645b21bea02c7713af268df0cbffa18265177b073a48a03a148f5e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7be967c645ebc861eafe20f2ac55de73

SHA1
753db5d69a2eed3dd9d0c6a3bcba7b3309259262

SHA256
f18ebfb07760675c3515a2bc76e5a00775e90fb738071d54d0131a568bd65f4a

SHA512
4836cf130511c21199d3ad4eb264305e03fc6f7baaa83f16e9e184bb9558088d98f7f9dcf914bca1055e1f2985e069e96d0812e145de80d9012fda21f9e8ee95

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
38a238f050218b5c8c0caf93660ecbc4

SHA1
3e8fb539e00ff426a160d788f4148a423ed629cb

SHA256
3f383d669ecb85acdaf4918a006162d18a74d97e9ac9b2d2249e9ea6445d256c

SHA512
d92a65ec90ccfa2394dd108cc20d70bec8021f3f1dc6c988b713634215e9be7cb83ec06236e8c88c1051713286d58d0784f6081b54b7d2e7947336b71c0c8910

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
93006a9c09ef242cf9dafedb1980974a

SHA1
9ca3654c0b21edc8c086f00e837891b313223a69

SHA256
12554632d5d444d09b22a8f01e6374613b0d82b657fe9cd246f62760df8281ad

SHA512
bb4cf976c9dbf6d98092175eab8c3c63c6441aa28707ab05a7d9f14ba1efd3d58170e92f53b5f7fa722564c1b8c16f398e8f8f1c004bbe85a64a609ad57c5541

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
114977a2e4723517b505719599335125

SHA1
976cc7997131bbe66939a4dbc85c85bc6eb38fef

SHA256
b24718cc4393cf0af802c31fbcf2be94d7ea4eb2c8862ae0daeea74ca90ededf

SHA512
85aea86df5444ca129636974b49c38ffe42053e84af983e4d4e976571bd67bc5f1c0abe8f3983719403591618d560d2a9cc31ce314ccd64627276de77371e657

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1de28b8c7082b0e5918248a24fe7a24e

SHA1
26b74d5d630fdbe4135c8d931dd314b5735262d4

SHA256
c60b93928de9a3f1bdb8415dadee6ec7d5cf1add4d4bc4a83f942a1a66c6fcca

SHA512
0fd8c8ce50cb7ee01f79730f74def0b6e157378dd3c468cecb9621282bfca388d0079bbc245f31482462a0ecfba211eb49713fa9c0dee86de2168c8b88ff3fc0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7cf64b9f87d8acc535e5e9a302e3322d

SHA1
f08e0ebfeade3436a5f54dc3f73d33af269f825e

SHA256
3ca8dab8a6f0f147bce236e534ea4b8372799011bc94733ef7f716f2c0328dca

SHA512
c2666f21f20736c368bf4c145a38fd44f4d6998bee16bd94ac555de7b8ecd0acc311c11c85dc9aa681d512ff665ec487fcf4145d207e6c3876de36bfb69f4f0d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5b22d9fd4ba1613b1d47f3de973c5176

SHA1
0179408431305d21e33e3442c9957928a7bfc500

SHA256
f31c1c416cd953e117b34ca1ba13b537c649923656e2f07928d5e4f1a693a054

SHA512
2ab00a19f71515146c26ee91fd599249506decd25ba375664351ae1c2eb78d90c10a314ec48269889c839e3e244462c2a9511fea402ae2e04d9a9ac7240083ac

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5c8c51698fe6de579049e37c15b568ee

SHA1
51912d0c7d62640e520eff32df196701d7eeb11a

SHA256
9bdfb41ea1f7ce70d5ee21848675fbd11e04393e3c38e297d863ec962a8e5fc6

SHA512
b9e58a328f056f637b9a741f2180e369ede97200083b76f5fe558b0166890940d84a7ee26ce47675132ed4d3ab171bcb0e54c8ef926699acc19c693fde3336a7

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
11a36547b7c7dbb1a5fcab8d367dc9de

SHA1
7a0abf6bb3a40592c8040130ce558c5694ad4758

SHA256
d79e96fb7ca66742fcf7786cefad69f62fe39d5dcbe424b2eaa595ceeac1523f

SHA512
4008a377ecd8989c357e522445234578f6412515112b54fc985a7bc79c049b80659830632670d35cd66d44b42b2999fdb54ae10cba1afca27b346fffff7d0cf8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
84ef588f3c647f4ab45a26aa520521a6

SHA1
96f3c07145e96a7b551241cf3be2e512e028613d

SHA256
b35b2661f0dbdf493939525c0fa1c48f64b508c2692be6de7713ddd552df2962

SHA512
f7550c09ce54ce74e9b132c17ff3dd817b04b8b75595d1abfce96e70c618d70aa736585515bf57d0b5492ce458ad38dfcdd185a3eb4020461f4ff4a12562b651

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
1cfe9f803a8afe088bab1c41bbbd8ae3

SHA1
6ab7e498fba18b406090d36fdfa4716f9efee1ab

SHA256
dc9c9f5bf463d98053cf74b68dc1607ffa96a534641d13d004690a1d1820db1f

SHA512
70d9ff1a6f905a972fe194dcb510b11eb0445d6a59bc0b316135b5139929415128ce7e1240d3103a5c856f9d504d83e1674d06fc4661b5f054c7aa7eb7a5e1e6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0e149c5d4222c3ec92fe383dc0b2da98

SHA1
e9d10259cd4077b9417995e2285d62d265356e63

SHA256
2d02484c2ba909287bd5554a598b5531bbf2abe61e7223905ec1cd36eedaf56c

SHA512
923f2c8d2388bbedb4a87424e86d48b7165618120323af1dd0e5849fe8b8ee5db852be3f9e0741acd7ffdb5cf433c13de65e8a13a5275add9702e4bbd8a73a73

Download Submit
memory/100-56-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/100-86-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/100-62-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/100-84-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/652-605-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/652-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/808-329-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1292-345-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1680-453-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1680-66-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1680-72-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1680-330-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1956-350-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1956-815-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1964-39-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1964-30-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1964-38-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1964-712-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2460-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2460-89-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2580-44-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2580-50-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2580-52-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2580-51-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2580-813-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2648-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2912-337-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2996-344-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3032-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3032-10-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3032-24-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3032-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3088-342-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3208-340-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3428-349-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3504-351-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3504-816-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3768-336-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3800-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4048-334-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4048-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4048-814-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4048-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4068-348-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4416-347-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4552-339-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5052-11-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5052-17-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5052-548-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/5052-19-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/5136-818-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5136-549-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5852-582-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5852-518-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5928-532-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5928-817-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6060-546-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6060-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download